Ralf Hildebrandt --> postfix-users (2013-05-08 09:28:11 +0200):
> Anybody seen this one before?
> 
> May  8 00:30:04 albatross postfix/smtp[29327]: SSL_connect error to 
> mail.vex.net[98.158.139.68]:25: 0
> May  8 00:30:04 albatross postfix/smtp[29327]: warning: TLS library problem: 
> 29327:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest 
> length:s3_both.c:239:
> May  8 00:30:04 albatross postfix/smtp[29327]: 3b4wVg5fKkz7LkB: Cannot start 
> TLS: handshake failure
> 
> Eventually the mail goes through without SSL:
> 
> May  8 00:30:05 albatross postfix/smtp[29327]: 3b4wVg5fKkz7LkB: 
> to=<mcxx...@vrplumber.com>, relay=mail.vex.net[98.158.139.68]:25,
> delay=1.6, delays=0.09/0/0.71/0.79, dsn=2.0.0, status=sent (250 2.0.0 Ok: 
> queued as F3D5B4A457FD)

Funny, I was just going to report probably the same issue...

I can reproduce the problem on up-to-date Linux and FreeBSD systems, but
not on an older NetBSD system:

    Linux/x86_64     Postfix 2.10.0    OpenSSL 1.0.1e
    FreeBSD/amd64    Postfix 2.10.0    OpenSSL 1.0.1e
    NetBSD/i386      Postfix 2.7.3     OpenSSL 0.9.9-dev

When sending several mails in succession, failure and success seem to
alternate (i.e. exactly one failed handshake, then a successful one,
then a failed one again, etc.).  And not using a TLS session cache for
smtp(8) (smtp_tls_session_cache_database) seems to work around the
problem.

I set smtp_tls_loglevel=2 and tried to reproduce the problem: [1]first
(successful) and [2]second (unsuccessful) attempt on the Linux system;
[3]first (successful) and [4]second (successful) attempt on the NetBSD
system.  Some more detailed information about OpenSSL versions used is
also [5]available.

It seems to me that if the TLS session cache lookup succeeds, the TLS
handshake fails, and vice versa.  And for some reason, on the NetBSD
system where I never see the handshake failure the TLS session cache
lookup never succeeds.

Any hints?


Cheers, Jukka

[1] http://salmi.ch/~jukka/postfix/postfix_2.10.0_tls_init
[2] http://salmi.ch/~jukka/postfix/postfix_2.10.0_tls
[3] http://salmi.ch/~jukka/postfix/postfix_2.7.3_tls_init
[4] http://salmi.ch/~jukka/postfix/postfix_2.7.3_tls
[5] http://salmi.ch/~jukka/postfix/postfix_tls_infos

-- 
This email fills a much-needed gap in the archives.
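
Added example, not part of the original post or of Postfix: the quoted log shows the message being delivered without TLS right after the failed handshake, and a log check like this one lists such deliveries. The function name and all sample lines, hosts and queue IDs are constructed for illustration.

```python
import re

# Constructed sample (line shapes follow the quoted excerpt, unwrapped;
# hosts, addresses and queue IDs are made up for this example).
SAMPLE_LOG = """\
May  8 00:30:04 mx1 postfix/smtp[101]: SSL_connect error to mail.example.net[192.0.2.10]:25: 0
May  8 00:30:04 mx1 postfix/smtp[101]: warning: TLS library problem: 101:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length:s3_both.c:239:
May  8 00:30:04 mx1 postfix/smtp[101]: QID0000001: Cannot start TLS: handshake failure
May  8 00:30:05 mx1 postfix/smtp[101]: QID0000001: to=<a@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May  8 00:31:10 mx1 postfix/smtp[102]: QID0000002: to=<b@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May  8 00:32:00 mx1 postfix/smtp[103]: QID0000003: Cannot start TLS: handshake failure
May  8 00:32:01 mx1 postfix/smtp[103]: QID0000003: to=<c@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=2.0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
"""

# "smtp[pid]: <queue id>: <text>" as logged by the Postfix smtp(8) client
LINE = re.compile(r"postfix/smtp\[(\d+)\]: ([0-9A-Za-z]+): (.*)$")
DELIVERY = re.compile(r"to=<([^>]*)>, relay=([^,]+),.*\bstatus=(\w+)")


def plaintext_fallbacks(log_text):
    """Return (queue_id, recipient, relay) for every delivery that was
    logged as sent after a failed STARTTLS handshake for the same queue
    ID in the same smtp process."""
    failed = set()  # (pid, queue_id) pairs that logged a handshake failure
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. the SSL_connect error line carries no queue ID
        pid, qid, rest = m.groups()
        if rest.startswith("Cannot start TLS"):
            failed.add((pid, qid))
            continue
        d = DELIVERY.match(rest)
        # status=deferred means the mail was held back, not sent unencrypted
        if d and d.group(3) == "sent" and (pid, qid) in failed:
            hits.append((qid, d.group(1), d.group(2)))
    return hits


if __name__ == "__main__":
    for qid, rcpt, relay in plaintext_fallbacks(SAMPLE_LOG):
        print(f"{qid}: sent to {rcpt} via {relay} after TLS handshake failure")
```
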
