On Sun, Nov 17, 2024 at 04:47:17PM -0800, Randy Bush via Postfix-users wrote:

>     2024-11-18T00:03:12.077805+00:00 m0 postfix/smtpd[1756]: warning:
>       TLS library problem: error:0A000102:SSL routines:
>       :unsupported protocol
        ---------------------
>       :../ssl/statem/statem_srvr.c:1657:

> the net of a million lies says that the remote client does not like my
> certificate.  i think i am using let's encrypt

The net of a million lies is lying as expected.  The error is not a
certificate problem, rather, the client tried to use a TLS protocol
version (1.0 perhaps, if not SSL 3.0) that is not supported on your end.

>     smtp_tls_protocols = !SSLv2, !SSLv3
>     smtpd_tls_protocols = TLSv1.3, TLSv1.2, !SSLv2, !SSLv3, !TLSv1

1.  You should NOT mix the positive form (listing supported protocols)
    with the negative form (listing unsupported protocols)
2.  The preferred syntax is instead listing the min/max values, (with
    no whitespace after the comparison operator). The above should
    be equivalent to:

      smtp_tls_protocols = >=TLSv1
      smtpd_tls_protocols = >=TLSv1.1

3.  Most probably the site in question is still using TLS 1.0, so to
    receive their mail (or avoid delays if they retry in cleartext),
    you'd want:

      smtp_tls_protocols = >=TLSv1
      smtpd_tls_protocols = >=TLSv1

> maybe i am being too rude with `!SSLv2, !SSLv3, !TLSv1`?

Most likely.  If they're legit, and their mail is wanted, then you may
be inclined to accommodate their failure to keep up with the times.

FWIW, the DANE survey codebase is now using TLS libraries that no longer
support TLS 1.0 and 1.1.  Out of ~4.2 million domains with DANE TLSA
records, a handful (less than 10) are no longer checked for a matching
certificate, but instead show up as having broken (inbound) STARTTLS
support.  See, for example, the "xt.digsys.bg" issue at:

    https://stats.dnssec-tools.org/explore/?domain-registry.bg

[ Haven't yet had much luck reaching anyone at the Bulgarian DNS registry. ]

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
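As an added example (not part of the thread or of Postfix itself), here is a small Python helper that pulls the "unsupported protocol" handshake failures out of smtpd logs and attributes them to the remote client, so an admin can see which peers would be accommodated by lowering smtpd_tls_protocols. It assumes Postfix logs an "SSL_accept error from host[addr]: -1" line from the same smtpd process just before the TLS library warning, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original message); the pid in
# smtpd[NNNN] ties the "SSL_accept error" line to the warning that follows.
SAMPLE_LOG = """\
2024-11-18T00:03:12.071000+00:00 m0 postfix/smtpd[1756]: connect from mx.example.test[192.0.2.10]
2024-11-18T00:03:12.077000+00:00 m0 postfix/smtpd[1756]: SSL_accept error from mx.example.test[192.0.2.10]: -1
2024-11-18T00:03:12.077805+00:00 m0 postfix/smtpd[1756]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:../ssl/statem/statem_srvr.c:1657:
2024-11-18T00:03:15.000000+00:00 m0 postfix/smtpd[1760]: SSL_accept error from other.example.test[198.51.100.7]: -1
2024-11-18T00:03:15.000500+00:00 m0 postfix/smtpd[1760]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
2024-11-18T00:04:01.000000+00:00 m0 postfix/smtpd[1756]: SSL_accept error from mx.example.test[192.0.2.10]: -1
2024-11-18T00:04:01.000400+00:00 m0 postfix/smtpd[1756]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:../ssl/statem/statem_srvr.c:1657:
"""

# Assumed log shapes: the SSL_accept line (Postfix tls_server.c) and the
# OpenSSL 3 error string "error:CODE:LIB::REASON:file:line:" as seen above.
ACCEPT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: SSL_accept error from (\S+): ")
TLSERR_RE = re.compile(
    r"postfix/smtpd\[(\d+)\]: warning: TLS library problem: error:[^:]+:[^:]*::([^:]+)")


def unsupported_protocol_clients(log_text):
    """Return (hits, other): hits counts, per client host[addr], handshakes
    that failed with 'unsupported protocol' (client offered a TLS version
    below smtpd_tls_protocols); other counts remaining TLS library reasons."""
    last_client = {}           # pid -> client named in its latest SSL_accept error
    hits, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            last_client[m.group(1)] = m.group(2)
            continue
        m = TLSERR_RE.search(line)
        if m:
            pid, reason = m.group(1), m.group(2)
            client = last_client.pop(pid, "unknown")
            if reason == "unsupported protocol":
                hits[client] += 1
            else:
                other[reason] += 1
    return hits, other


if __name__ == "__main__":
    hits, other = unsupported_protocol_clients(SAMPLE_LOG)
    for client, n in hits.most_common():
        print(f"{n:4d}  {client}")
    print("other TLS failures:", dict(other))
```

Run it against a real log with `unsupported_protocol_clients(open("/var/log/mail.log").read())`; a client that shows up repeatedly and is wanted mail is the case where Viktor's ">=TLSv1" setting applies.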
