* Viktor Dukhovni <postfix-users@postfix.org>:
> Does this happen consistently, or intermittently?

consistently

> Can you reproduce this with:
>
>     openssl s_client \
>         -cipher $(postconf -xh tls_export_cipher_list) \
>         -sslv2 \
>         -starttls smtp -connect mail.vex.net:25

# openssl s_client \
    -cipher $(postconf -xh tls_export_cipher_list) \
    -sslv2 \
    -starttls smtp -connect mail.vex.net:25
postconf: warning: tls_export_cipher_list: unknown parameter
error setting cipher list
8599:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1218:

> Can you report the output of "openssl version -a"?

# openssl version -a
OpenSSL 0.9.8o 01 Jun 2010
built on: Mon Feb 11 21:27:58 UTC 2013
platform: debian-i386-i686/cmov
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/lib/ssl"

> And any non-default postconf settings that tweak SSL protocol or cipher
> selection.

root@albatross:~# postconf -n |grep ssl
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.python.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.python.org.key.pem
root@albatross:~# postconf -n |grep tls
smtp_tls_loglevel = 1
smtp_tls_policy_maps = cdb:/etc/postfix/tls-policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_sessions
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/ssl/certs/mail.python.org.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_key_file = /etc/ssl/private/mail.python.org.key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_sessions

> If you capture a full packet dump and apply wireshark, it may shed
> light on the handshake details. The client thinks the TLS finished
> message has the wrong length, this feels like a problematic
> interaction with TLSv1.2, but you're running 1.0.0x I think, which
> has no TLSv1.2 support...
>
> --
> Viktor.

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein