On 03.11.2016 at 17:29, Viktor Dukhovni wrote:

Hello Viktor, Wietse and everybody,

since there is no tlsproxy running at the moment (removed the modifications from Wietse and restarted pf, let's wait...?) I can't provide that output at the moment. Or do you have a suggestion how to get one up & running? I have a proxymap up sometimes...

But maybe the attached txt file providing what I could provide helps in understanding...? Especially the missing symbol aspect of posttls-finger?

On the other hand, my pf is the snapshot from 1101 and not any longer the default package that Ubuntu delivered.

root@blueberry:/var/lib/postfix# l /usr/sbin/post*
-rwxr-xr-x 1 root root 45160 Nov 1 22:04 /usr/sbin/postalias*
-rwxr-xr-x 1 root root 34216 Nov 1 22:04 /usr/sbin/postcat*
-rwxr-xr-x 1 root root 422752 Nov 1 22:04 /usr/sbin/postconf*
-rwxr-sr-x 1 root postdrop 34504 Nov 1 22:04 /usr/sbin/postdrop*
-rwxr-xr-x 1 root root 28960 Nov 1 22:04 /usr/sbin/postfix*
-rwxr-xr-x 1 root root 5017 Apr 13 2016 /usr/sbin/postfix-add-filter*
-rwxr-xr-x 1 root root 3923 Apr 13 2016 /usr/sbin/postfix-add-policy*
-rwxr-xr-x 1 root root 37856 Okt 26 2014 /usr/sbin/postgrey*
-rwxr-xr-x 1 root root 20696 Nov 1 22:04 /usr/sbin/postkick*
-rwxr-xr-x 1 root root 22608 Nov 1 22:04 /usr/sbin/postlock*
-rwxr-xr-x 1 root root 22384 Nov 1 22:04 /usr/sbin/postlog*
-rwxr-xr-x 1 root root 48512 Nov 1 22:04 /usr/sbin/postmap*
-rwxr-xr-x 1 root root 69928 Nov 1 22:04 /usr/sbin/postmulti*
-rwxr-sr-x 1 root postdrop 54304 Nov 1 22:04 /usr/sbin/postqueue*
-rwxr-xr-x 1 root root 60552 Nov 1 22:04 /usr/sbin/postsuper*
-rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger*

That explains the difference of the file dates.

> openssl version -a
> # (sleep 1; printf "quit\r\n") |
> openssl s_client -quiet -state -starttls smtp -connect localhost:25
> # (sleep 1; printf "quit\r\n") |
> openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587
>
> # postconf mail_version
> # ldd /usr/sbin/posttls-finger # IIRC Ubuntu ships it
>
> # pid=8057 # actual pid here
> # cat /proc/$pid/maps
> # ldd /proc/$pid/exe
> # grep "tlsproxy/\[$pid\]" /var/log/mail.log | tail
>
> [ These should work, but Ubuntu may have packaged Postfix in
> some way that makes it otherwise: ]
>
> # d=$(/var/tmp/postfix/sbin/postconf -xh meta_directory)

I don't have that directory btw.

> # cat $d/makedefs.out

Cheers,
Florian

===========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!

openssl version -a ->

root@blueberry:/var/lib/postfix# openssl version -a
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"

(sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect localhost:25 ->

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:unknown state
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org
verify return:1
depth=0 CN = yabba.dadd-do.de
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
250 DSN
221 2.0.0 Bye
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

(sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587 ->

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:unknown state
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
250 SMTPUTF8
221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp
read:errno=0
SSL3 alert write:warning:close notify

postconf mail_version ->

mail_version = 3.2-20161101

root@blueberry:/etc/postfix# posttls-finger
posttls-finger: symbol lookup error: posttls-finger: undefined symbol: midna_domain_to_ascii

ldd /usr/sbin/posttls-finger ->

root@blueberry:/etc/postfix# ldd /usr/sbin/posttls-finger
    linux-vdso.so.1 => (0x00007ffe8efc9000)
    libpostfix-tls.so.1 => /usr/lib/postfix/libpostfix-tls.so.1 (0x00007fcb97aef000)
    libpostfix-dns.so.1 => /usr/lib/postfix/libpostfix-dns.so.1 (0x00007fcb978e8000)
    libpostfix-global.so.1 => /usr/lib/postfix/libpostfix-global.so.1 (0x00007fcb976a4000)
    libpostfix-util.so.1 => /usr/lib/postfix/libpostfix-util.so.1 (0x00007fcb97465000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fcb971f4000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fcb96daf000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcb96b92000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb967c9000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fcb965ad000)
    libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fcb96394000)
    libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x00007fcb95fe7000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcb95de2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fcb97f12000)

pid=8057
cat /proc/$pid/maps
ldd /proc/$pid/exe
grep "tlsproxy/\[$pid\]" /var/log/mail/mail.log | tail

d=$(/var/tmp/postfix/sbin/postconf -xh meta_directory)
cat $d/makedefs.out