> On Feb 24, 2020, at 2:27 AM, Michael <m...@hemathor.de> wrote:
>
> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
> Feb 22 08:55:08 mail postfix/smtpd[12952]: lost connection after STARTTLS from bendel.debian.org[82.195.75.100]
> Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2

This looks like a client (or firewall, etc. in between) that does not
correctly support TLS 1.3. What's new on your system is not Postfix 3.4,
but a sufficiently recent version of OpenSSL that has TLS 1.3 support.

The client appears to have just disconnected after the server's "finished"
message, with no TLS alert sent to indicate the nature of the problem.

You could try getting a PCAP file, and decode that, but with TLS 1.3, a
large fraction of the handshake is encrypted; debugging can be more
difficult.

Were TLS sessions failing from all senders or just particular systems?

--
    Viktor.
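
One way to answer that last question from the mail log, added here as an example and not part of the original message: tally the `starttls=` counters in the smtpd "disconnect from" summaries per client. The sample log is constructed, with only the bendel.debian.org line taken from the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. The first line is the disconnect summary quoted above;
# the example.org/example.net clients are made up for illustration.
SAMPLE_LOG = """\
Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2
Feb 22 09:10:41 mail postfix/smtpd[13011]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 22 09:20:13 mail postfix/smtpd[13040]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2
Feb 22 09:31:02 mail postfix/smtpd[13077]: disconnect from plain.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<client>[^\s\[]+\[[^\]]+\])(?P<stats>.*)$"
)
# Postfix logs "name=ok" when every attempt succeeded, "name=ok/total" otherwise.
STARTTLS = re.compile(r"\bstarttls=(\d+)(?:/(\d+))?")


def starttls_by_client(lines):
    """Return {client: [succeeded, failed]} STARTTLS counts per remote client."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue
        s = STARTTLS.search(m.group("stats"))
        if not s:
            continue  # session never attempted STARTTLS
        ok = int(s.group(1))
        total = int(s.group(2)) if s.group(2) else ok
        counts[m.group("client")][0] += ok
        counts[m.group("client")][1] += total - ok
    return dict(counts)


def always_failing(counts):
    """Clients that attempted STARTTLS and never completed it."""
    return sorted(c for c, (ok, bad) in counts.items() if ok == 0 and bad > 0)


if __name__ == "__main__":
    summary = starttls_by_client(SAMPLE_LOG.splitlines())
    for client, (ok, bad) in sorted(summary.items()):
        print(f"{client}: starttls ok={ok} failed={bad}")
    print("never succeeded:", always_failing(summary))
```

A short list from `always_failing` points at particular senders; most TLS clients appearing in it points at the local system or something in the path.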