On Wed, May 08, 2013 at 06:54:01PM +0530, Vijay Rajah wrote:

> I think this is an openssl bug...
>
> FYI: http://www.mail-archive.com/openssl-dev@openssl.org/msg28217.html

That bug is a bug in DTLS, which is quite different from regular TLS, so it need not be the same issue.

> > May  8 00:30:04 albatross postfix/smtp[29327]: SSL_connect error to
> > mail.vex.net[98.158.139.68]:25: 0
> > May  8 00:30:04 albatross postfix/smtp[29327]: warning: TLS library
> > problem: 29327:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest
> > length:s3_both.c:239:
> > May  8 00:30:04 albatross postfix/smtp[29327]: 3b4wVg5fKkz7LkB: Cannot
> > start TLS: handshake failure

Does this happen consistently, or intermittently?

Can you reproduce this with:

    openssl s_client \
        -cipher $(postconf -xh tls_export_cipher_list) \
        -sslv2 \
        -starttls smtp -connect mail.vex.net:25

Can you report the output of "openssl version -a"? And any non-default postconf settings that tweak SSL protocol or cipher selection.

If you capture a full packet dump and apply wireshark, it may shed light on the handshake details.

The client thinks the TLS finished message has the wrong length; this feels like a problematic interaction with TLSv1.2, but you're running 1.0.0x I think, which has no TLSv1.2 support...

-- 
	Viktor.
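The triage steps above (read the OpenSSL error out of the Postfix log, build the s_client reproduction against the peer named in the log, and check whether the local OpenSSL is new enough for TLSv1.2) as a small POSIX sh helper. This is an added example, not code from the thread or from Postfix or OpenSSL. The log lines are constructed from the ones quoted above, the function names are hypothetical, and the 8-hex-digit error code is split using the OpenSSL 1.x ERR_PACK layout (library in bits 24-31, function in bits 12-23, reason in bits 0-11), which is what a 1.0.x client emits; it does not run openssl or postconf itself.

```shell
#!/bin/sh
# Added example (not from the original thread): triage a Postfix "TLS library
# problem" log entry offline. Sample log lines are constructed for this example.

SAMPLE_LOG='May  8 00:30:04 albatross postfix/smtp[29327]: SSL_connect error to mail.vex.net[98.158.139.68]:25: 0
May  8 00:30:04 albatross postfix/smtp[29327]: warning: TLS library problem: 29327:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length:s3_both.c:239:
May  8 00:30:04 albatross postfix/smtp[29327]: 3b4wVg5fKkz7LkB: Cannot start TLS: handshake failure'

# Print the 8-hex-digit OpenSSL error code from the "TLS library problem" line.
ssl_error_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p' | head -n 1
}

# Print "library|function|reason" as logged, e.g.
# "SSL routines|SSL3_GET_FINISHED|bad digest length".
ssl_error_text() {
    printf '%s\n' "$1" |
        sed -n 's/.*error:[0-9A-Fa-f]\{8\}:\([^:]*\):\([^:]*\):\([^:]*\):.*/\1|\2|\3/p' |
        head -n 1
}

# Split a packed OpenSSL 1.x error code into decimal "lib func reason".
# For 1408C06F this gives "20 140 111": ERR_LIB_SSL, SSL_F_SSL3_GET_FINISHED,
# SSL_R_BAD_DIGEST_LENGTH (assumed 1.0.x numbering; 3.x dropped function codes).
decode_ssl_err() {
    code=$((0x$1))
    echo "$(( code >> 24 )) $(( (code >> 12) & 0xfff )) $(( code & 0xfff ))"
}

# Build the s_client reproduction command from the "SSL_connect error to
# host[ip]:port" line, keeping Viktor's cipher list substitution unexpanded
# so it is evaluated on the Postfix host, not here.
repro_command() {
    target=$(printf '%s\n' "$1" |
        sed -n 's/.*SSL_connect error to \([^[]*\)\[[^]]*\]:\([0-9]*\):.*/\1:\2/p' |
        head -n 1)
    [ -n "$target" ] || return 1
    printf 'openssl s_client -cipher "$(postconf -xh tls_export_cipher_list)" -starttls smtp -connect %s\n' "$target"
}

# True when the given "openssl version" output is 1.0.1 or later, the first
# release with TLSv1.2 support; false for 1.0.0x and 0.9.8x.
openssl_has_tls12() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 1 ]; }; }
}

# Usage on a real box: triage_log "$(grep 'TLS library problem' /var/log/maillog)"
triage_log() {
    code=$(ssl_error_code "$1")
    echo "error code: $code -> lib/func/reason: $(decode_ssl_err "$code")"
    echo "as logged:  $(ssl_error_text "$1")"
    echo "reproduce:  $(repro_command "$1")"
}

triage_log "$SAMPLE_LOG"
```

Feed `openssl_has_tls12 "$(openssl version)"` the real output on the sending host to confirm the "1.0.0x has no TLSv1.2" reasoning before chasing a TLSv1.2 interaction in the packet capture.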