Re: Ubuntu 16.04lts & ssl unknown states

Viktor Dukhovni Thu, 03 Nov 2016 12:58:12 -0700

On Thu, Nov 03, 2016 at 06:05:50PM +0100, Florian Piekert wrote:

> Since there is no tlsproxy running at the moment (removed the modifications
> from Wietse and restarted pf, let's wait...?) I can't provide that output
> at the moment. Or do you have a suggestion how to get one up & running?


You could go back to the previous configuration, but read on...

> On the other hand, my pf is the snapshot from 1101 and not any longer the 
> default package that ubuntu delivered.
> 
> root@blueberry:/var/lib/postfix# l /usr/sbin/post*
> -rwxr-xr-x 1 root root      45160 Nov  1 22:04 /usr/sbin/postalias*
> -rwxr-xr-x 1 root root      34216 Nov  1 22:04 /usr/sbin/postcat*
> -rwxr-xr-x 1 root root     422752 Nov  1 22:04 /usr/sbin/postconf*
> -rwxr-sr-x 1 root postdrop  34504 Nov  1 22:04 /usr/sbin/postdrop*
> -rwxr-xr-x 1 root root      28960 Nov  1 22:04 /usr/sbin/postfix*
> -rwxr-xr-x 1 root root       5017 Apr 13  2016 /usr/sbin/postfix-add-filter*
> -rwxr-xr-x 1 root root       3923 Apr 13  2016 /usr/sbin/postfix-add-policy*
> -rwxr-xr-x 1 root root      37856 Okt 26  2014 /usr/sbin/postgrey*
> -rwxr-xr-x 1 root root      20696 Nov  1 22:04 /usr/sbin/postkick*
> -rwxr-xr-x 1 root root      22608 Nov  1 22:04 /usr/sbin/postlock*
> -rwxr-xr-x 1 root root      22384 Nov  1 22:04 /usr/sbin/postlog*
> -rwxr-xr-x 1 root root      48512 Nov  1 22:04 /usr/sbin/postmap*
> -rwxr-xr-x 1 root root      69928 Nov  1 22:04 /usr/sbin/postmulti*
> -rwxr-sr-x 1 root postdrop  54304 Nov  1 22:04 /usr/sbin/postqueue*
> -rwxr-xr-x 1 root root      60552 Nov  1 22:04 /usr/sbin/postsuper*
> -rwxr-xr-x 1 root root      34768 Apr 13  2016 /usr/sbin/posttls-finger*

Perhaps "posttls-finger" is left over from an earlier install? Did
you build and install Postfix from source?

The OpenSSL version looks typical enough, is that "/usr/bin/openssl"
or some other version?  What does "ldd" show for this binary?

    # openssl version -a
    OpenSSL 1.0.2g  1 Mar 2016
    built on: reproducible build, date unspecified
    platform: debian-amd64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
    compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack 
-Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM 
-DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/usr/lib/ssl"

Here we see that the same "unknown state" issue happens with Postfix
out of the picture.  Both for local connections and connections to
Gmail. So this should be pursued on a suitable Ubuntu forum.

    # (sleep 1; printf "quit\r\n") |
      openssl s_client -quiet -state -starttls smtp -connect localhost:25
      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      SSL_connect:unknown state
      depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing 
Authority, emailAddress = supp...@cacert.org
      verify return:1
      depth=0 CN = yabba.dadd-do.de
      verify return:1
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      250 DSN
      221 2.0.0 Bye
      SSL3 alert read:warning:close notify
      SSL3 alert write:warning:close notify

    # (sleep 1; printf "quit\r\n") |
       openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587
      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      SSL_connect:unknown state
      depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
      verify return:1
      depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
      verify return:1
      depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
      verify return:1
      depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = 
smtp.gmail.com
      verify return:1
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      SSL_connect:unknown state
      250 SMTPUTF8
      221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp
      read:errno=0
      SSL3 alert write:warning:close notify
  
> postconf mail_version
> -> mail_version = 3.2-20161101

I very much doubt that Ubuntu shipped this Postfix version.  Looks
like you've built your own, and installed it on top of Ubuntu's
package.  That requires some care and skill.  You're typically
better off sticking with the bundled package or a "backport".

> root@blueberry:/etc/postfix# posttls-finger 
> posttls-finger: symbol lookup error: posttls-finger: undefined symbol: 
> midna_domain_to_ascii

Not surprising, that's left over from the Ubuntu package.

-- 
        Viktor.

Re: Ubuntu 16.04lts & ssl unknown states

Reply via email to