On Tue, May 20, 2025 at 08:26:37AM -0400, Wietse Venema via Postfix-users wrote:
> > We're in the process of trolling all our logs to figure out what we can
> > ignore/filter/take action on, and we have a couple entries that I'm
> > wondering what's happening under the hood:
> >
> > 2025-05-18T15:42:07+00:00 post.dayjob.org postfix/smtpd
> > [mail.warning] warning: TLS library problem: error:0A0000C1:SSL
> > routines::no shared
> > cipher:/usr/src/crypto/openssl/ssl/statem/statem_srvr.c:1742:

The remote SMTP client's list of TLS 1.2 supported ciphers did not
overlap with the list supported by the SMTP server:

openssl-3.0:ssl/statem/statem_srvr.c-1587-static int tls_early_post_process_client_hello(SSL *s)
...
openssl-3.0:ssl/statem/statem_srvr.c-1736-    /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
openssl-3.0:ssl/statem/statem_srvr.c-1737-    if (SSL_IS_TLS13(s)) {
openssl-3.0:ssl/statem/statem_srvr.c-1738-        const SSL_CIPHER *cipher =
openssl-3.0:ssl/statem/statem_srvr.c-1739-            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
openssl-3.0:ssl/statem/statem_srvr.c-1740-
openssl-3.0:ssl/statem/statem_srvr.c-1741-        if (cipher == NULL) {
openssl-3.0:ssl/statem/statem_srvr.c:1742-            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
openssl-3.0:ssl/statem/statem_srvr.c-1743-            goto err;
openssl-3.0:ssl/statem/statem_srvr.c-1744-        }

> > 2025-05-19T08:20:09+00:00 amstel.dayjob.org postfix/smtpd
> > [mail.warning] warning: TLS library problem: error:0A000412:SSL
> > routines::sslv3 alert bad
> > certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1605:SSL
> > alert number 42

The remote SMTP client reported not liking the server certificate (sent
an alert to that effect):

openssl-3.0:ssl/record/rec_layer_s3.c-1286-int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
openssl-3.0:ssl/record/rec_layer_s3.c-1287-                    size_t len, int peek, size_t *readbytes)
...
openssl-3.0:ssl/record/rec_layer_s3.c-1602-        } else if (alert_level == SSL3_AL_FATAL || is_tls13) {
openssl-3.0:ssl/record/rec_layer_s3.c-1603-            s->rwstate = SSL_NOTHING;
openssl-3.0:ssl/record/rec_layer_s3.c-1604-            s->s3.fatal_alert = alert_descr;
openssl-3.0:ssl/record/rec_layer_s3.c-1605-            SSLfatal_data(s, SSL_AD_NO_ALERT,
openssl-3.0:ssl/record/rec_layer_s3.c-1606-                          SSL_AD_REASON_OFFSET + alert_descr,
openssl-3.0:ssl/record/rec_layer_s3.c:1607-                          "SSL alert number %d", alert_descr);
openssl-3.0:ssl/record/rec_layer_s3.c-1608-            s->shutdown |= SSL_RECEIVED_SHUTDOWN;
openssl-3.0:ssl/record/rec_layer_s3.c-1609-            SSL3_RECORD_set_read(rr);
openssl-3.0:ssl/record/rec_layer_s3.c-1610-            SSL_CTX_remove_session(s->session_ctx, s->session);
openssl-3.0:ssl/record/rec_layer_s3.c-1611-            return 0;

> > They're probably harmless, but I am sort of interested in what would make
> > these happen?
>
> Scans from researchers looking for obsolete features and implementation bugs.

That's highly plausible, but it is also possible, though much less likely,
that some client actually trying to send mail had unsatisfied expectations
of the server's supported ciphers or certificate.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
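As an added example (not code from the thread, from Postfix or from OpenSSL), here is a small Python triage script that does what the two explanations above do by hand: it decodes the packed OpenSSL error code in each "TLS library problem" warning, separates errors raised locally (such as "no shared cipher") from fatal alerts received from the client (reported as SSL_AD_REASON_OFFSET + alert number, which is the SSLfatal_data call quoted above), cross-checks the "SSL alert number N" text against the code, and counts the results so a log filter can treat the two classes differently. The log lines, hostnames and pids are constructed to match the shape of the quoted entries; the bit layout of the error code, the value 1000 for SSL_AD_REASON_OFFSET, 20 for ERR_LIB_SSL and 193 for SSL_R_NO_SHARED_CIPHER are taken from OpenSSL's headers and are assumptions of the example rather than facts stated on this page.

```python
"""Decode and triage Postfix smtpd "TLS library problem" warnings.

Added example; not code from the thread, Postfix or OpenSSL. The sample
log lines below are constructed (hosts and pids are made up).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# OpenSSL packs error codes as (lib << 23) | reason; OpenSSL 3 no longer
# encodes a function id, hence the empty field after "SSL routines".
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SSL = 20           # assumed from OpenSSL's err.h
# An alert received from the peer is reported as SSL_AD_REASON_OFFSET +
# alert_descr (the SSLfatal_data call in rec_layer_s3.c); 1000 is from ssl.h.
SSL_AD_REASON_OFFSET = 1000
SSL_R_NO_SHARED_CIPHER = 193   # assumed from ssl.h; raised locally by the server

# TLS AlertDescription values (RFC 5246 / RFC 8446); partial table.
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

# ... error:<8 hex>:<lib>:<func>:<reason>:<file>:<line>:<extra data>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) .*?TLS library problem: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

# Constructed sample input in the two syslog shapes seen in the thread.
SAMPLE_LOG = """\
2025-05-18T15:42:07+00:00 mx1.example.org postfix/smtpd [mail.warning] warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:/usr/src/crypto/openssl/ssl/statem/statem_srvr.c:1742:
2025-05-19T08:20:09+00:00 mx1.example.org postfix/smtpd[2190]: warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 42
2025-05-19T08:21:13+00:00 mx1.example.org postfix/smtpd[2204]: warning: TLS library problem: error:0A000416:SSL routines::sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 46
2025-05-19T08:22:40+00:00 mx1.example.org postfix/smtpd[2210]: connect from unknown[192.0.2.10]
"""


@dataclass
class TlsProblem:
    ts: str
    host: str
    lib: int
    reason: int
    reason_text: str
    where: str            # OpenSSL source file:line that raised the error
    origin: str           # "peer": client sent a fatal alert; "local": our side gave up
    alert: Optional[int]  # TLS alert number when origin == "peer"
    alert_name: str
    note: str             # consistency problems found while decoding


def parse_line(line: str) -> Optional[TlsProblem]:
    """Decode one log line; None for lines that are not TLS library problems."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    code = int(m["code"], 16)
    lib, reason = code >> ERR_LIB_OFFSET, code & ERR_REASON_MASK
    note = "" if lib == ERR_LIB_SSL else f"library id {lib} is not ERR_LIB_SSL"
    alert: Optional[int] = None
    origin = "local"
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert, origin = reason - SSL_AD_REASON_OFFSET, "peer"
        # The trailing "SSL alert number N" text must agree with the packed code.
        d = re.search(r"SSL alert number (\d+)", m["data"])
        if d and int(d[1]) != alert:
            note = f"alert in text ({d[1]}) disagrees with code ({alert})"
    return TlsProblem(
        ts=m["ts"], host=m["host"], lib=lib, reason=reason, reason_text=m["reason"],
        where=f"{m['file']}:{m['line']}", origin=origin, alert=alert,
        alert_name=ALERT_NAMES.get(alert, f"alert_{alert}") if alert is not None else "",
        note=note,
    )


def explain(p: TlsProblem) -> str:
    """One-line reading of who gave up and why, in the terms used in the thread."""
    if p.origin == "peer":
        what = "the server certificate" if p.alert in CERT_ALERTS else "the handshake"
        return f"client sent fatal alert {p.alert} ({p.alert_name}): it rejected {what}"
    if p.reason == SSL_R_NO_SHARED_CIPHER:
        return "server found no cipher in the client's offer that it has enabled"
    return f"local OpenSSL failure at {p.where}: {p.reason_text}"


def triage(log_text: str) -> Dict[str, int]:
    """Count warnings by origin and alert/reason, the split a log filter needs."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        p = parse_line(line)
        if p is not None:
            key = f"{p.origin}:{p.alert_name or p.reason_text}"
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        problem = parse_line(raw)
        if problem:
            print(problem.ts, problem.host, explain(problem), problem.note)
    print(triage(SAMPLE_LOG))
```

Run it as a filter over a real mail log to get the local/peer split; "peer" entries with certificate alerts are the ones worth a second look if a legitimate sender later complains, while a steady trickle of "local:no shared cipher" from unknown clients matches the scanner explanation given above.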