Wietse Venema:
> As with the OP, Postfix when built with MySQL client has zlib
> explicitly linked in (my earlier test was done on a system where
> MySQL by mistake wasn't included in the build).
>
> Next step is to reproduce the smtpd crash.

It negotiates a zlib-compressed session without crashing, and this
is with libz linked into smtpd because of the mysql client. This
is with OpenSSL 1.0.1j from ports, installed per defaults.

Evidence is below the signature.

        Wietse

# /usr/local/bin/openssl s_client -connect localhost:25 -starttls smtp
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000003)
depth=1 C = US, ST = New York, O = Porcupine, CN = Wietse Venema, emailAddress = wie...@porcupine.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
34381555576:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/C=US/ST=New York/O=Porcupine/CN=localhost/emailAddress=wie...@porcupine.org
   i:/C=US/ST=New York/O=Porcupine/CN=Wietse Venema/emailAddress=wie...@porcupine.org
 1 s:/C=US/ST=New York/O=Porcupine/CN=Wietse Venema/emailAddress=wie...@porcupine.org
   i:/C=US/ST=New York/O=Porcupine/CN=Wietse Venema/emailAddress=wie...@porcupine.org
---
Server certificate
subject=/C=US/ST=New York/O=Porcupine/CN=localhost/emailAddress=wie...@porcupine.org
issuer=/C=US/ST=New York/O=Porcupine/CN=Wietse Venema/emailAddress=wie...@porcupine.org
---
No client certificate CA names sent
---
SSL handshake has read 2101 bytes and written 135 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 2F8F6504A661AAE565690DD564D7B5F7DC7797F7293A948B5414388538D94E055F8A4347D13CBB5CC04C9FCF830FFB83
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1426980074
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

# pkg query "%Ok %Ov" openssl
ASM on
DOCS on
EC on
GMP off
I386 off
MD2 on
PADLOCK off
RC5 off
RFC3779 off
SCTP on
SHARED on
SSE2 on
SSL2 on
SSL3 on
THREADS on
ZLIB on

# uname -a
FreeBSD freebsd101.porcupine.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 r...@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

# ldd /usr/libexec/postfix/smtpd
/usr/libexec/postfix/smtpd:
        libpostfix-master.so => /usr/lib/postfix/libpostfix-master.so (0x80084c000)
        libpostfix-tls.so => /usr/lib/postfix/libpostfix-tls.so (0x800a55000)
        libpostfix-dns.so => /usr/lib/postfix/libpostfix-dns.so (0x800c6d000)
        libpostfix-global.so => /usr/lib/postfix/libpostfix-global.so (0x800e73000)
        libpostfix-util.so => /usr/lib/postfix/libpostfix-util.so (0x8010bd000)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8012ff000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801567000)
        libsasl2.so.3 => /usr/local/lib/libsasl2.so.3 (0x80196b000)
        libcdb.so.1 => /usr/local/lib/libcdb.so.1 (0x801b86000)
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x801d89000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x801fcf000)
        liblmdb.so => /usr/local/lib/liblmdb.so (0x8021dd000)
        libmysqlclient.so.18 => /usr/local/lib/mysql/libmysqlclient.so.18 (0x8023f0000)
        libz.so.6 => /lib/libz.so.6 (0x8029cd000)
        libm.so.5 => /lib/libm.so.5 (0x802be3000)
        libpq.so.5 => /usr/local/lib/libpq.so.5 (0x802e0b000)
        libsqlite3.so.0 => /usr/local/lib/libsqlite3.so.0 (0x803039000)
        libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x803339000)
        libicuuc.so.53 => /usr/local/lib/libicuuc.so.53 (0x8035ab000)
        libc.so.7 => /lib/libc.so.7 (0x803939000)
        libthr.so.3 => /lib/libthr.so.3 (0x803ce2000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x803f07000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x804172000)
        libc++.so.1 => /usr/lib/libc++.so.1 (0x804565000)
        libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x804825000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x804a41000)
        libintl.so.9 => /usr/local/lib/libintl.so.9 (0x804c4f000)
        libicudata.so.53 => /usr/local/lib/libicudata.so.53 (0x804e59000)

# cat /etc/postfix/makedefs.out
# Do not edit -- this file documents how Postfix was built for your machine.
#----------------------------------------------------------------
# Start of summary of user-configurable 'make makefiles' options.
# CCARGS=-DUSE_TLS -I/usr/local/include -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl -DHAS_MEMCACHE -DHAS_CDB -I/usr/local/include -DHAS_LDAP -DHAS_LMDB -DHAS_MYSQL -I/usr/local/include/mysql -DHAS_PGSQL -I/usr/local/include/pgsql -DHAS_SQLITE
# AUXLIBS=-L/usr/local/lib -lssl -lcrypto -L/usr/local/lib -lsasl2 -L/usr/local/lib -lcdb -L/usr/local/lib -lldap -L/usr/local/lib -llber -L/usr/local/lib -llmdb -L/usr/local/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib -lpq -L/usr/local/lib -lsqlite3
# AUXLIBS_CDB=-L/usr/local/lib -lcdb
# AUXLIBS_LDAP=-L/usr/local/lib -lldap -L/usr/local/lib -llber
# AUXLIBS_PGSQL=-L/usr/local/lib -lpq
# AUXLIBS_SQLITE=-L/usr/local/lib -lsqlite3
# AUXLIBS_LMDB=-L/usr/local/lib -llmdb
# AUXLIBS_MYSQL=-L/usr/local/lib/mysql -lmysqlclient -lz -lm
# shared=yes
# dynamicmaps=
# pie=
# End of summary of user-configurable 'make makefiles' options.
#--------------------------------------------------------------
# System-dependent settings and compiler/linker overrides.
[remainder of output omitted for brevity]