On Mon, Sep 15, 2014 at 04:59:15PM +1000, shm...@riseup.net wrote:

> This server is using an EC cert not RSA eventually, The email gets sent
> in the clear any help appreciated.

The above is devoid of any technical content.  No help is possible.

    http://www.postfix.org/DEBUG_README.html#mail

> $ openssl s_client -cipher SSLv3 -starttls smtp -connect igwx10.cba.com.au:25
> Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> 
> Why does it connect with TLS, or is this because specifying SSLv3 allows
> anything above SSLv3?

Because "cipher SSLv3" is not the same as requiring the SSLv3
protocol, rather it limits the ciphers to those defined in SSLv3,
many of which are also defined with later protocol revisions.

> but openssl gives same result on a different computer
> 
> OpenSSL 1.0.1g 7 Apr 2014
> 
> $ openssl s_client -cipher SSLv3 -starttls smtp -connect igwx10.cba.com.au:25
> CONNECTED(00000003)
> 140155330672272:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert decode error:s23_clnt.c:762:

The 1.0.1g client's HELLO message was not successfully decoded by
the server.  Perhaps a bug in 1.0.1g.

> postfix/smtp[11167]: initializing the client-side TLS engine
> postfix/smtp[11167]: setting up TLS connection to
> igwx10.cba.com.au[140.168.71.11]:25
> postfix/smtp[11167]: igwx10.cba.com.au[140.168.71.11]:25: TLS cipher list
> "!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH"

Where did this cipherlist come from?  It looks nothing like the
Postfix defaults.  Is this an attempt to work around interoperability
issues with Exchange 2003 servers?

> postfix/smtp[11167]: warning: TLS library problem: error:1407741A:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:

Why are you asking about SSLv3?

> tls_high_cipherlist   = 
> !aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH
> tls_medium_cipherlist = 
> !aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH
> tls_low_cipherlist    = 
> !aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH

You've made high == medium == low.  Why?  The ADH and AECDH ciphers
are a subset of the aNULL ciphers, no need to exclude them "again".

-- 
        Viktor.
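
Added example (not part of the original message and not Postfix code): a check, using Python's `ssl` module against the local OpenSSL, of two points made in the reply above: that `!ADH:!AECDH` adds nothing after `!aNULL`, and that the `SSLv3` cipher keyword selects cipher suites without changing the protocol version floor. The function names are illustrative, and the suites listed depend on the local OpenSSL build.

```python
import ssl

# Cipher list quoted in the thread for tls_high/medium/low_cipherlist.
THREAD_LIST = ("!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:"
               "!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH")


def expand(cipher_string):
    """Return the cipher dicts the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def names(cipher_string):
    """Ordered suite names for a cipher string."""
    return [c["name"] for c in expand(cipher_string)]


def redundant_exclusions_change_nothing():
    """True if dropping '!ADH:!AECDH' yields the same ordered suite list."""
    trimmed = THREAD_LIST.replace("!ADH:!AECDH:", "")
    return names(THREAD_LIST) == names(trimmed)


def anonymous_suites(cipher_string):
    """Selected suites with no server authentication (OpenSSL prints Au=None)."""
    return [c["name"] for c in expand(cipher_string)
            if "Au=None" in c["description"]]


def sslv3_keyword_effect():
    """Apply the 'SSLv3' cipher keyword; return the protocol floor before and
    after, plus the pre-TLS-1.3 suites the keyword selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = ctx.minimum_version
    ctx.set_ciphers("SSLv3")
    selected = [c["name"] for c in ctx.get_ciphers()
                if c["protocol"] != "TLSv1.3"]  # TLS 1.3 suites are configured separately
    return before, ctx.minimum_version, selected


if __name__ == "__main__":
    print("!ADH:!AECDH redundant:", redundant_exclusions_change_nothing())
    print("anonymous suites left:", anonymous_suites(THREAD_LIST))
    before, after, selected = sslv3_keyword_effect()
    print("protocol floor:", before.name, "->", after.name)
    print("suites chosen by 'SSLv3':", ", ".join(selected))
```
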
