On 2017.03.08. 17:53, Viktor Dukhovni wrote:
On Mar 8, 2017, at 5:51 AM, KSB <list...@ksb.id.lv> wrote:
After upgrading to postfix 3.1 (from 2.9), one of our clients said it cannot
send mail anymore (he has OE6 on XP and said it's planned to upgrade, but not
now).
What we got in logs:
postfix/smtpd[16747]: connect from CLIENTIP
postfix/smtpd[16747]: setting up TLS connection from CLIENTIP
postfix/smtpd[16747]: CLIENTIP: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
postfix/smtpd[16747]: SSL_accept:before SSL initialization
postfix/smtpd[16747]: SSL_accept:before SSL initialization
postfix/smtpd[16747]: SSL3 alert write:fatal:handshake failure
postfix/smtpd[16747]: SSL_accept:error in error
postfix/smtpd[16747]: SSL_accept error from CLIENTIP: -1
postfix/smtpd[16747]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:
I would expect XP systems to use RC4-SHA or RC4-MD5, both of which
are still included in the medium cipherlist, *provided* that the
OpenSSL library you're using still supports RC4. Did you happen
to also upgrade OpenSSL (not just Postfix)?
Post the output of:
$ openssl ciphers -v 'RSA+RC4'
$ openssl ciphers -v 'RSA+RC4'
Error in cipher list
140306525717696:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2018:
So yes, I've upgraded OpenSSL as well. Now I see 2 possibilities:
1) downgrade to older OpenSSL < 1.1.0
2) recompile openssl with enable-weak-ssl-ciphers
Is it correct?
When I try to use RC4 to connect to your server, I get:
This is not relevant this time, as it's another server, but anyway thank
you for testing :)
--
KSB
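
Added example, not part of the original thread: the "no shared cipher" warning in the log above does not name the client, so this sketch ties it back to the preceding "connect from" line of the same smtpd PID to list which clients are failing the handshake after such an upgrade. The function name, sample addresses and the second (successful) session are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpt in the thread; addresses are
# documentation ranges and the second session is invented for contrast.
SAMPLE_LOG = """\
postfix/smtpd[16747]: connect from unknown[192.0.2.10]
postfix/smtpd[16747]: setting up TLS connection from unknown[192.0.2.10]
postfix/smtpd[16747]: SSL3 alert write:fatal:handshake failure
postfix/smtpd[16747]: SSL_accept error from unknown[192.0.2.10]: -1
postfix/smtpd[16747]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:
postfix/smtpd[16801]: connect from mail.example.org[198.51.100.7]
postfix/smtpd[16801]: setting up TLS connection from mail.example.org[198.51.100.7]
postfix/smtpd[16801]: Anonymous TLS connection established from mail.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Works with or without a syslog timestamp/host prefix in front.
LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
CONNECT = re.compile(r"connect from (?P<client>\S+)")


def no_shared_cipher_clients(log_text):
    """Return {client: count} of handshakes that failed with 'no shared cipher'."""
    current = {}                 # smtpd pid -> client of the session in progress
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)   # anchored, so "disconnect from" does not match
        if c:
            current[pid] = c.group("client")
        elif "TLS library problem" in msg and "no shared cipher" in msg:
            # An smtpd process serves one client at a time, so the PID
            # identifies the session this library error belongs to.
            failures[current.get(pid, "unknown")] += 1
        elif msg.startswith("disconnect from"):
            current.pop(pid, None)
    return dict(failures)


if __name__ == "__main__":
    for client, count in no_shared_cipher_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} handshake(s) failed with no shared cipher")
```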