On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:

> > > SSL_connect:error in SSLv3 read server hello A
> > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> > > number:s3_pkt.c:281:
> >
> > Unfortunately, the "reconnect" code in s_client (at least with
> > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
> > "220 hostname" is not an SSL server HELO.
> >
> > A better diagnostic utility is available with the latest Postfix
> > 2.11 snapshot. You don't need to install it (no need to upgrade
> > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
> > support and run:
> >
> >     ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
> >         "[server.example.com]"
> >
> > This will report more useful results.
>
> $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
> posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
> posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list
> "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
> posttls-finger: SSL_connect:before/connect initialization
> posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> posttls-finger: SSL_connect:SSLv3 read server hello A
> posttls-finger: SSL_connect:SSLv3 read server key exchange A
> posttls-finger: SSL_connect:SSLv3 read server done A
> posttls-finger: SSL_connect:SSLv3 write client key exchange A
> posttls-finger: SSL_connect:SSLv3 write change cipher spec A
> posttls-finger: SSL_connect:SSLv3 write finished A
> posttls-finger: SSL_connect:SSLv3 flush data
> posttls-finger: SSL_connect:SSLv3 read finished A
> posttls-finger: save session
> [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
> to memory cache
> posttls-finger: Untrusted TLS connection established to
> aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256
> bits)
> posttls-finger: Reconnecting after 1 seconds
> posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
> posttls-finger: looking for session
> [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
> in memory cache
> posttls-finger: reloaded session
> [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
> from memory cache
> posttls-finger: SSL_connect:before/connect initialization
> posttls-finger: SSL_connect:SSLv3 write client hello A
> posttls-finger: SSL_connect:SSLv3 read server hello A
> posttls-finger: SSL3 alert write:fatal:unexpected_message
> posttls-finger: SSL_connect:error in SSLv3 read finished A
> posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
> posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
> routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
> posttls-finger: remove session
> [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
> from client cache

This tells the whole story: the client does not expect to see a
session ticket with a resumed session; it expects "finished" instead.
It is, I believe, valid for a server to return a session ticket even
with a resumed session. So 0.9.8j does not implement session tickets
correctly.

With Postfix 2.11 you can add:

    tls_ssl_options = NO_TICKET

to main.cf to work-around this specific problem, without disabling
TLSv1, but I would upgrade to the latest OpenSSL release instead.
Install an updated OpenSSL library from SuSE.

> > The simplest work-around for the problem is to disable TLSv1 on
> > your 0.9.8j machine, since it seems to not handle the session
> > ticket extension correctly. This is not a long-term fix, you
> > really should upgrade to 0.9.8y or later, which likely does not
> > have this problem.
> >
> > main.cf:
> >     # Disable SSLv2 and TLSv1, the latter until session ticket
> >     # support works in the local SSL library.
> >     #
> >     smtp_tls_protocols = !SSLv2, !TLSv1
> >     smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
>
> I would assume that I can test it with s_client:

I will repeat myself (text you quoted in your reply):

> > Unfortunately, the "reconnect" code in s_client (at least with
> > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
> > "220 hostname" is not an SSL server HELO.

Therefore, no, you can't test this with an unpatched s_client(1).

> drop connection and then reconnect

Because reconnect is broken with starttls.

> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL3 alert write:fatal:handshake failure
> SSL_connect:error in SSLv3 read server hello A
> 21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:281:
>
> But, there's still the error.

As expected.

--
    Viktor.
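
Added example, not part of the original message and not Postfix code: a small Python check that splits posttls-finger debug output at the reconnect and flags the pattern diagnosed above, where the full handshake succeeds and the resumed one ends in a fatal unexpected_message alert. The sample log is abridged from the quoted output with a placeholder cache key, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the quoted output, cache key replaced.
SAMPLE_LOG = """\
posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
posttls-finger: SSL_connect:SSLv3 read finished A
posttls-finger: save session [aa.bb.cc.dd]:25&CACHEKEY to memory cache
posttls-finger: Untrusted TLS connection established to aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
posttls-finger: Reconnecting after 1 seconds
posttls-finger: reloaded session [aa.bb.cc.dd]:25&CACHEKEY from memory cache
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: SSL3 alert write:fatal:unexpected_message
posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
posttls-finger: remove session [aa.bb.cc.dd]:25&CACHEKEY from client cache
"""

def split_attempts(log):
    """Return one list of log lines per connection attempt."""
    attempts = [[]]
    for line in log.splitlines():
        if "Reconnecting after" in line:
            attempts.append([])      # everything after this is a new attempt
        else:
            attempts[-1].append(line)
    return [a for a in attempts if a]

def summarize(lines):
    """Extract the three facts that matter for this diagnosis."""
    text = "\n".join(lines)
    alert = re.search(r"SSL3 alert write:fatal:(\w+)", text)
    return {
        "resumed": "reloaded session" in text,            # cached session offered
        "established": "TLS connection established" in text,
        "fatal_alert": alert.group(1) if alert else None,  # alert the client sent
    }

def diagnose(log):
    attempts = [summarize(a) for a in split_attempts(log)]
    full_ok = any(a["established"] and not a["resumed"] for a in attempts)
    resume_broken = any(a["resumed"] and a["fatal_alert"] == "unexpected_message"
                        for a in attempts)
    if full_ok and resume_broken:
        return "resumption-failure"   # the client-side session-ticket case above
    if any(a["fatal_alert"] and not a["resumed"] for a in attempts):
        return "handshake-failure"    # broken before any resumption was tried
    return "inconclusive"             # no resumed attempt failed in this log

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A "resumption-failure" verdict is the case where tls_ssl_options = NO_TICKET or an OpenSSL upgrade applies; "inconclusive" usually means the log was captured without -r, so no reconnect was attempted.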