On Wed, May 08, 2013 at 11:49:53PM +0000, Viktor Dukhovni wrote:
> The encrypted finished message from rho.salmi.ch is 32 bytes, with gdb we see
> that the first four bytes decrypt to:
>
> "0x14 0x00 0x00 0x00" + [(type 20, length 0)]
> 0 bytes finished +
> 20 bytes SHA = 24 bytes +
> AES padding = 32.
>
> So this server generated an empty SSL "finished" message. Can't
> say why, but this is definitely not right, and appears to be
> something special about this server.
Using an OpenSSL library compiled with "no-tlsext" hides the problem,
as the server no longer resumes any sessions. Most likely the
server has a broken implementation of "session tickets".
I would not recommend disabling tls extensions as a solution, the
problem server is unlikely to represent a large fraction of the
SMTP server population.
If necessary, one can create a clone of the smtp transport that
has no client TLS session cache and route problem destinations via
the custom transport.
master.cf:
smtp unix - - n - - smtp
tlsbug unix - - n - - smtp
-o smtp_tls_session_cache_database=
transport:
salmi.ch tlsbug:salmi.ch:587
If "salmi.ch:587" is the OP's relayhost, then all off-site mail goes there,
and the custom transport is not needed, just set:
main.cf:
relayhost = salmi.ch:587
# The relayhost's server session cache is broken, disable the client
cache.
smtp_tls_session_cache_database =
--
Viktor.
