Viktor Dukhovni:
> On Thu, Apr 12, 2012 at 02:59:05PM +0200, Ralf Hildebrandt wrote:
>
> > * Wietse Venema <wie...@porcupine.org>:
> > > "openssl s_client" sessions fail identically with 77.43.17.211
> > > and 81.252.237.162.
> > >
> > > % openssl s_client -starttls smtp -connect 77.43.17.211:25
> > > ...
> > > 250 OK
> > > ehlo spike.porcupine.org
> > >
> > My results are different, perhaps they've already fixed something ...
>
> $ /usr/sbin/sendmail -f post...@dukhovni.org -bv postmaster@[82.135.27.153] ...
> Note that the cipher is RC4-MD5 (more typical of Windows), not 3DES
> (which had a history of issues on older Windows systems, perhaps
> never addressed). I don't know why the system in question would have
> in Ralf's case agreed to 3DES, rather than RC4-MD5.

openssl s_client uses RC4-MD5 here, and still hangs after ehlo.
This is "OpenSSL 0.9.8q 2 Dec 2010" on FreeBSD. I don't use SSL
on this machine so I don't care if the implementation is old.

        Wietse

% openssl s_client -starttls smtp -connect 77.43.17.211:25
depth=1 /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=XGTbH8gT6gIJRZsE/Y/zjnPUd1lsJgqj/C=IT/O=*.seronosymposia.org/OU=GT20020846/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.seronosymposia.org
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/serialNumber=XGTbH8gT6gIJRZsE/Y/zjnPUd1lsJgqj/C=IT/O=*.seronosymposia.org/OU=GT20020846/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.seronosymposia.org
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2771 bytes and written 356 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 571600004D20C6C28B990D92E265F59B76E98A94AF02C2D248946415E753DB63
    Session-ID-ctx:
    Master-Key: 1B0438D59E05BA2DEDB7C5070856FC879204207121FE346D2FD6B38A6436294889392F90E63D70AD7F8E981783F7CD70
    Key-Arg   : None
    Start Time: 1334239673
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
EHLO spike.porcupine.org
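
Added example, not part of the original thread: a Python sketch that parses an "openssl s_client -starttls smtp" transcript like the one above, extracts the negotiated parameters, and flags an SMTP command typed after the handshake that never received a reply. The sample transcript is constructed (abbreviated from the session above); the function name summarize and the stall heuristic are assumptions of this example.

```python
import re

# Constructed sample: abbreviated "openssl s_client -starttls smtp" transcript
# modelled on the session in this thread (certificate details omitted).
SAMPLE = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
EHLO spike.porcupine.org
"""

SMTP_CMD = re.compile(r"^(EHLO|HELO|MAIL|RCPT|DATA|NOOP|QUIT)\b", re.I)
SMTP_REPLY = re.compile(r"^\d{3}[ -]")

def summarize(transcript):
    """Extract handshake parameters and detect a post-handshake stall."""
    def grab(pattern):
        m = re.search(pattern, transcript, re.M)
        return m.group(1) if m else None

    info = {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": grab(r"^Server public key is (\d+) bit"),
        "verify_code": grab(r"^\s*Verify return code:\s*(\d+)"),
    }
    # Everything after the last "---" separator is the SMTP dialogue that
    # follows the handshake summary (assumption of this example).
    dialogue = transcript.rsplit("---", 1)[-1].strip().splitlines()
    stalled = None
    for line in dialogue:
        line = line.strip()
        if SMTP_CMD.match(line):
            stalled = line              # command sent, awaiting a reply
        elif SMTP_REPLY.match(line) and stalled:
            stalled = None              # server answered the pending command
    info["unanswered_command"] = stalled
    return info

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```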