On Wed, May 08, 2013 at 07:24:03PM +0200, Jukka Salmi wrote:

> Funny, I was just going to report probably the same issue...
> 
> I can reproduce the problem on up-to-date Linux and FreeBSD systems, but
> not on an older NetBSD system:
> 
>     Linux/x86_64     Postfix 2.10.0    OpenSSL 1.0.1e
>     FreeBSD/amd64    Postfix 2.10.0    OpenSSL 1.0.1e
>     NetBSD/i386      Postfix 2.7.3     OpenSSL 0.9.9-dev
> 
> When sending several mails in succession, failure and success seem to
> alternate (i.e. exactly one failed handshake, then a successful one,
> then a failed one again, etc.).  And not using a TLS session cache for
> smtp(8) (smtp_tls_session_cache_database) seems to work around the
> problem.

Thanks, I can reproduce this also with cached sessions and OpenSSL 1.0.1e.

    $ posttls-finger -r 1 salmi.ch:587
    posttls-finger: Connected to rho.salmi.ch[178.63.9.175]:587
    posttls-finger: < 220 rho.salmi.ch ESMTP
    posttls-finger: > EHLO amnesiac
    posttls-finger: < 250-rho.salmi.ch
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 10240000
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 DSN
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: rho.salmi.ch[178.63.9.175]:587 Matched CommonName rho.salmi.ch
    posttls-finger: certificate verification failed for rho.salmi.ch[178.63.9.175]:587: untrusted issuer /CN=Salmi CA/O=Salmi Certification Authority/OU=CA/emailAddress=c...@salmi.ch/C=CH/ST=BS/L=Basel
    posttls-finger: rho.salmi.ch[178.63.9.175]:587: subject_CN=rho.salmi.ch, issuer_CN=Salmi CA, fingerprint=FC:6B:AE:A0:AC:B5:88:9E:1F:4C:D2:3F:2B:90:BD:D6:2F:4E:81:09, pkey_fingerprint=69:9B:1D:C1:F4:CE:43:23:17:8D:09:6F:C4:4B:0D:A3:E0:A7:AF:64
    posttls-finger: Untrusted TLS connection established to rho.salmi.ch[178.63.9.175]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    posttls-finger: > EHLO amnesiac
    posttls-finger: < 250-rho.salmi.ch
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 10240000
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 DSN
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye
    posttls-finger: Reconnecting after 1 seconds
    posttls-finger: < 220 rho.salmi.ch ESMTP
    posttls-finger: looking for session posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07 in memory cache
    posttls-finger: reloaded session posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07 from memory cache
    posttls-finger: SSL_connect error to rho.salmi.ch[178.63.9.175]:587: 0
    posttls-finger: warning: TLS library problem: 21961:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length:s3_both.c:264:
    posttls-finger: remove session posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07 from client cache

Indeed handshakes fail for resumed sessions.  What version of
Postfix and OpenSSL is installed on rho.salmi.ch?

-- 
        Viktor.
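As an added example (not part of this thread, and not Postfix or posttls-finger code), a small Python triage script that reads posttls-finger style output and checks whether failures land only on resumed handshakes while full handshakes succeed, the alternating pattern described above. The sample log is constructed after the transcript in this thread; the session ids in it are made up, and the line patterns are assumed to match posttls-finger's wording.

```python
import re

# Constructed sample, modelled on the posttls-finger transcript in this thread:
# full handshake succeeds, resumed one fails, session is dropped, repeat.
# Session ids shortened and constructed; they are not the real cache keys.
SAMPLE_LOG = """\
posttls-finger: Untrusted TLS connection established to rho.salmi.ch[178.63.9.175]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: Reconnecting after 1 seconds
posttls-finger: reloaded session posttls-finger:[178.63.9.175]:587:CAFE0001 from memory cache
posttls-finger: SSL_connect error to rho.salmi.ch[178.63.9.175]:587: 0
posttls-finger: warning: TLS library problem: 21961:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length:s3_both.c:264:
posttls-finger: remove session posttls-finger:[178.63.9.175]:587:CAFE0001 from client cache
posttls-finger: Reconnecting after 1 seconds
posttls-finger: Untrusted TLS connection established to rho.salmi.ch[178.63.9.175]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: Reconnecting after 1 seconds
posttls-finger: reloaded session posttls-finger:[178.63.9.175]:587:CAFE0002 from memory cache
posttls-finger: SSL_connect error to rho.salmi.ch[178.63.9.175]:587: 0
"""

RECONNECT = re.compile(r"Reconnecting after")
RELOADED = re.compile(r"reloaded session \S+ from memory cache")
ESTABLISHED = re.compile(r"TLS connection established to")
FAILED = re.compile(r"SSL_connect error to")

def classify_handshakes(log_text):
    """Return one (resumed, succeeded) pair per handshake, in log order.
    A handshake counts as resumed when a cached session was reloaded
    for that connection before the outcome line appeared."""
    results, resumed = [], False
    for line in log_text.splitlines():
        if RECONNECT.search(line):
            resumed = False                   # new connection, nothing offered yet
        elif RELOADED.search(line):
            resumed = True                    # client will offer the cached session
        elif ESTABLISHED.search(line):
            results.append((resumed, True))
            resumed = False
        elif FAILED.search(line):
            results.append((resumed, False))
            resumed = False
    return results

def resumption_only_failures(results):
    """True when every failure was a resumed handshake and every full
    handshake succeeded: the alternating pattern reported in this thread,
    and the case where clearing smtp_tls_session_cache_database helps."""
    resumed_fail = sum(1 for r, ok in results if r and not ok)
    other = sum(1 for r, ok in results if (not r and not ok) or (r and ok))
    return resumed_fail > 0 and other == 0
```

Feed it the output of `posttls-finger -r 1 host:port` run a few times; if it reports True, the failures are tied to session reuse rather than to the certificate or cipher negotiation.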
