On Wed, May 08, 2013 at 06:01:52PM +0000, Viktor Dukhovni wrote:

> posttls-finger: Untrusted TLS connection established to
> rho.salmi.ch[178.63.9.175]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
> bits)
> posttls-finger: Reconnecting after 1 seconds
> posttls-finger: < 220 rho.salmi.ch ESMTP
> posttls-finger: reloaded session
> posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07
> from memory cache
> posttls-finger: SSL_connect error to rho.salmi.ch[178.63.9.175]:587: 0
> posttls-finger: warning: TLS library problem: 21961:error:1408C06F:SSL
> routines:SSL3_GET_FINISHED:bad digest length:s3_both.c:264:
> posttls-finger: remove session
> posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07
> from client cache
>
> Indeed handshakes fail for resumed sessions. What version of
> Postfix and OpenSSL is installed on rho.salmi.ch?

When I try a server running Postfix (2.11-20130506-nonprod) and OpenSSL 1.0.1e session resumption works. This appears to be a server-side bug with resumed sessions. I'll take a look at wireshark analysis later.

[ Wietse, I tweaked posttls-finger.c to disable TLSv1.1 and TLSv1.2 so we're comparing apples to apples. Should probably add command-line options for SSL protocol and cipher grade selection. ]

--- salmi.ch BROKEN ---

    $ posttls-finger -c -L summary,cache -l may -r 1 salmi.ch:587
    posttls-finger: Connected to rho.salmi.ch[178.63.9.175]:587
    posttls-finger: looking for session posttls-finger:[178.63.9.175]:587:AE46475F71CFFAC5C83C4144B57BA6BD3C22C1B7E91FD821DA2FF1B41671E6D1 in memory cache
    posttls-finger: save session posttls-finger:[178.63.9.175]:587:AE46475F71CFFAC5C83C4144B57BA6BD3C22C1B7E91FD821DA2FF1B41671E6D1 to memory cache
    posttls-finger: Untrusted TLS connection established to rho.salmi.ch[178.63.9.175]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    posttls-finger: Reconnecting after 1 seconds
    posttls-finger: looking for session posttls-finger:[178.63.9.175]:587:AE46475F71CFFAC5C83C4144B57BA6BD3C22C1B7E91FD821DA2FF1B41671E6D1 in memory cache
    posttls-finger: reloaded session posttls-finger:[178.63.9.175]:587:AE46475F71CFFAC5C83C4144B57BA6BD3C22C1B7E91FD821DA2FF1B41671E6D1 from memory cache
    posttls-finger: SSL_connect error to rho.salmi.ch[178.63.9.175]:587: 0
    posttls-finger: warning: TLS library problem: 62193:error:1408C06F:SSL routines:ssl3_get_finished:bad digest length:s3_both.c:257:
    posttls-finger: remove session posttls-finger:[178.63.9.175]:587:AE46475F71CFFAC5C83C4144B57BA6BD3C22C1B7E91FD821DA2FF1B41671E6D1 from client cache

--- 127.0.0.1 OK ---

    $ posttls-finger -c -l secure -L summary,cache -r 1 [127.0.0.1]:12345
    posttls-finger: Connected to 127.0.0.1[127.0.0.1]:12345
    posttls-finger: looking for session posttls-finger:[127.0.0.1]:12345:E1BA8C896B9EB37E6D19D83149C4910B53929AC9EEDA7780D07A82697AE835C3 in memory cache
    posttls-finger: save session posttls-finger:[127.0.0.1]:12345:E1BA8C896B9EB37E6D19D83149C4910B53929AC9EEDA7780D07A82697AE835C3 to memory cache
    posttls-finger: certificate verification failed for 127.0.0.1[127.0.0.1]:12345: self-signed certificate
    posttls-finger: Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:12345: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    posttls-finger: Reconnecting after 1 seconds
    posttls-finger: looking for session posttls-finger:[127.0.0.1]:12345:E1BA8C896B9EB37E6D19D83149C4910B53929AC9EEDA7780D07A82697AE835C3 in memory cache
    posttls-finger: reloaded session posttls-finger:[127.0.0.1]:12345:E1BA8C896B9EB37E6D19D83149C4910B53929AC9EEDA7780D07A82697AE835C3 from memory cache
    posttls-finger: 127.0.0.1[127.0.0.1]:12345: Reusing old session
    posttls-finger: 127.0.0.1[127.0.0.1]:12345: re-using session with untrusted certificate, look for details earlier in the log
    posttls-finger: Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:12345: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    posttls-finger: Found a previously used server. Done reconnecting.

-- 
Viktor.
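
Added example, not part of the original message and not Postfix code: a small Python classifier that reads `posttls-finger -L summary,cache -r 1` output like the two runs above and reports, per endpoint, whether the resumed handshake succeeded or failed and with which OpenSSL error. The function name, the status labels and the sample hosts and session ids are assumptions made for the illustration.

```python
import re

# Constructed sample in the format of the posttls-finger output quoted above;
# host names, addresses and session ids are placeholders.
SAMPLE = """\
posttls-finger: save session posttls-finger:[192.0.2.10]:587:A1B2C3D4 to memory cache
posttls-finger: Untrusted TLS connection established to mx.example.test[192.0.2.10]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: Reconnecting after 1 seconds
posttls-finger: reloaded session posttls-finger:[192.0.2.10]:587:A1B2C3D4 from memory cache
posttls-finger: SSL_connect error to mx.example.test[192.0.2.10]:587: 0
posttls-finger: warning: TLS library problem: 62193:error:1408C06F:SSL routines:ssl3_get_finished:bad digest length:s3_both.c:257:
posttls-finger: remove session posttls-finger:[192.0.2.10]:587:A1B2C3D4 from client cache
posttls-finger: save session posttls-finger:[127.0.0.1]:12345:E5F6A7B8 to memory cache
posttls-finger: reloaded session posttls-finger:[127.0.0.1]:12345:E5F6A7B8 from memory cache
posttls-finger: 127.0.0.1[127.0.0.1]:12345: Reusing old session
"""

EP = r"(\[[^\]]+\]:\d+)"  # "[address]:port" as it appears in the log
SESSION = re.compile(r"(save|reloaded|remove) session \S+?:" + EP + r":[0-9A-Fa-f]+ ")
FAILED = re.compile(r"SSL_connect error to \S*?" + EP)
REUSED = re.compile(r"posttls-finger: \S*?" + EP + r": Reusing old session")
LIBERR = re.compile(r"TLS library problem: \d+:error:([0-9A-F]+):[^:]*:[^:]*:([^:]+):")

def classify(log):
    """Map each endpoint with a reloaded session to the outcome of the resumed handshake."""
    result, pending, last_failed = {}, set(), None
    for line in log.splitlines():
        if m := SESSION.search(line):
            if m.group(1) == "reloaded":  # client offers a cached session
                pending.add(m.group(2))
                result[m.group(2)] = {"status": "attempted", "error": None}
        elif (m := FAILED.search(line)) and m.group(1) in pending:
            pending.discard(m.group(1))
            last_failed = m.group(1)
            result[last_failed]["status"] = "resume-failed"
        elif (m := REUSED.search(line)) and m.group(1) in pending:
            pending.discard(m.group(1))
            result[m.group(1)]["status"] = "resumed"
        elif (m := LIBERR.search(line)) and last_failed:
            # The library error line names no endpoint; attach it to the last failure.
            result[last_failed]["error"] = f"{m.group(1)} {m.group(2)}"
    return result

if __name__ == "__main__":
    for endpoint, outcome in classify(SAMPLE).items():
        print(endpoint, outcome)
```

An endpoint that stays at "attempted" had a session reloaded but logged neither a reuse nor a connect error, so its outcome cannot be decided from these lines alone.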