hey,

On Monday, February 24, 2020 9:47:49 AM CET, Viktor Dukhovni wrote:
> This looks like a client (or firewall, etc. in between) that does not
> correctly support TLS 1.3.  What's new on your system is not Postfix 3.4,
> but a sufficiently recent version of OpenSSL that has TLS 1.3 support.

i came to the same conclusion.
the thing is, if i do an "openssl s_client -starttls ..." from openssl 1.1.0l, only a tls1.2 connection is established:

Feb 24 09:50:02 mail postfix/smtpd[8086]: connect from reverse.hemathor.de[87.253.250.109]
Feb 24 09:50:02 mail postfix/smtpd[8086]: setting up TLS connection from reverse.hemathor.de[87.253.250.109]
Feb 24 09:50:02 mail postfix/smtpd[8086]: reverse.hemathor.de[87.253.250.109]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:before SSL initialization
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:before SSL initialization
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read client hello
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write server hello
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write certificate
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write key exchange
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write server done
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write server done
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read client key exchange
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read change cipher spec
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read finished
Feb 24 09:50:02 mail postfix/smtpd[8086]: reverse.hemathor.de[87.253.250.109]: Issuing session ticket, key expiration: 1582535905
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write session ticket
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write finished
Feb 24 09:50:02 mail postfix/smtpd[8086]: Anonymous TLS connection established from reverse.hemathor.de[87.253.250.109]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 09:50:14 mail postfix/smtpd[8086]: disconnect from reverse.hemathor.de[87.253.250.109] ehlo=1 starttls=1 quit=1 commands=3

whereas from the same box where postfix 3.4.8 is running, providing openssl 1.1.1d, the starttls command fails to establish a tls1.3 connection with my public ip address:

Feb 24 09:59:51 sunflower postfix/smtpd[8185]: initializing the server-side TLS engine
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: connect from reverse.hemathor.de[87.253.250.109]
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: setting up TLS connection from reverse.hemathor.de[87.253.250.109]
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: reverse.hemathor.de[87.253.250.109]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:before SSL initialization
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:before SSL initialization
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS read client hello
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write server hello
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write certificate
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 write server certificate verify
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write finished
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 early data
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: SSL_accept:error in TLSv1.3 early data
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: SSL_accept error from reverse.hemathor.de[87.253.250.109]: lost connection
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: lost connection after STARTTLS from reverse.hemathor.de[87.253.250.109]
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: disconnect from reverse.hemathor.de[87.253.250.109] ehlo=1 starttls=0/1 commands=1/2

if i do an "openssl s_client -starttls -connect localhost:25" everything seems to work fine:

Feb 24 10:04:45 sunflower postfix/smtpd[8219]: initializing the server-side TLS engine
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: connect from localhost.localdomain[127.0.0.1]
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: setting up TLS connection from localhost.localdomain[127.0.0.1]
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: localhost.localdomain[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:before SSL initialization
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:before SSL initialization
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS read client hello
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS write server hello
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS write certificate
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:TLSv1.3 write server certificate verify
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS write finished
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:TLSv1.3 early data
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:TLSv1.3 early data
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS read finished
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: localhost.localdomain[127.0.0.1]: Issuing session ticket, key expiration: 1582535905
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: localhost.localdomain[127.0.0.1]: save session A6A541AFF676317F23373D25CA5DA4903AC8DEF759A0875054B0E67C6AABEA83&s=smtp&l=269488207 to smtpd cache
Feb 24 10:04:45 sunflower postfix/tlsmgr[8087]: put smtpd session id=A6A541AFF676317F23373D25CA5DA4903AC8DEF759A0875054B0E67C6AABEA83&s=smtp&l=269488207 [data 136 bytes]
Feb 24 10:04:45 sunflower postfix/tlsmgr[8087]: write smtpd TLS cache entry A6A541AFF676317F23373D25CA5DA4903AC8DEF759A0875054B0E67C6AABEA83&s=smtp&l=269488207: time=1582535085 [data 136 bytes]
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS write session ticket
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Feb 24 10:04:51 sunflower postfix/smtpd[8219]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 starttls=1 quit=1 commands=3


so, do i have a mitm (aka router, firewall) which prevents a tls1.3 connection from being established? and if so: why? my understanding is that a router/firewall is not interested in the content (tls level and/or negotiation), but simply routes ip/tcp packets based on metadata, not content. or am i missing something?

greetings...
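A small diagnostic script, added here as an illustration and not part of this thread or of Postfix. It does two things the logs above suggest: it parses smtpd's `SSL_accept:` state lines per process id and reports where a handshake stopped (in the failing session above the last state before the error is "TLSv1.3 early data", i.e. the server has sent its Finished and is waiting for the client's), and it offers an optional live probe that runs EHLO/STARTTLS against a server once with the client capped at TLS 1.2 and once allowing TLS 1.3, so the public-IP path and the localhost path can be compared. The sample log lines are constructed (modelled on the output quoted above, with a placeholder client name); the host name passed on the command line is whatever you choose to test.

```python
import re
import smtplib
import ssl
import sys

# Constructed sample, modelled on the smtpd debug output quoted in the thread:
# one handshake that dies while the server waits for the client's Finished
# (the "early data" state), and one that completes with TLS 1.3.
SAMPLE_LOG = """\
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:before SSL initialization
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS read client hello
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write server hello
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write finished
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 early data
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: SSL_accept:error in TLSv1.3 early data
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: SSL_accept error from client.example[192.0.2.10]: lost connection
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:before SSL initialization
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS read client hello
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS write finished
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:SSLv3/TLS read finished
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

STATE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: SSL_accept:(.+)$")
ESTABLISHED_RE = re.compile(
    r"postfix/smtpd\[(\d+)\]: .*TLS connection established from \S+: (TLSv[\d.]+) with cipher (\S+)")
ERROR_RE = re.compile(r"postfix/smtpd\[(\d+)\]: SSL_accept error from \S+: (.+)$")


def parse_smtpd_tls_log(text):
    """Group SSL_accept state transitions per smtpd process id (one handshake each)."""
    sessions = {}

    def get(pid):
        return sessions.setdefault(pid, {"states": [], "protocol": None, "cipher": None, "error": None})

    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            get(m.group(1))["states"].append(m.group(2).strip())
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            sess = get(m.group(1))
            sess["protocol"], sess["cipher"] = m.group(2), m.group(3)
            continue
        m = ERROR_RE.search(line)
        if m:
            get(m.group(1))["error"] = m.group(2).strip()
    return sessions


def last_good_state(session):
    """The last handshake state reached before any 'error in ...' line."""
    good = [s for s in session["states"] if not s.startswith("error")]
    return good[-1] if good else None


def diagnose(session):
    """One-line verdict: which protocol was negotiated, or where the handshake stalled."""
    if session["protocol"]:
        return "established %s with %s" % (session["protocol"], session["cipher"])
    return "failed (%s); last state reached: %s" % (
        session["error"] or "no error logged", last_good_state(session))


def probe_starttls(host, port=25, max_version=ssl.TLSVersion.TLSv1_3, timeout=10):
    """EHLO + STARTTLS against host with the client capped at max_version;
    returns the protocol actually negotiated ("TLSv1.2" or "TLSv1.3")."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic probe: only whether the handshake completes matters
    ctx.maximum_version = max_version
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.version()


def compare_caps(host, port=25):
    """Same server, first with a TLS 1.2 cap, then with TLS 1.3 allowed.
    If the 1.2-capped probe succeeds and the 1.3 probe times out or is reset
    on one network path only (public IP vs. localhost), something between
    client and server is interfering with the TLS 1.3 handshake."""
    results = {}
    for label, cap in (("max TLS1.2", ssl.TLSVersion.TLSv1_2), ("max TLS1.3", ssl.TLSVersion.TLSv1_3)):
        try:
            results[label] = probe_starttls(host, port, cap)
        except (OSError, smtplib.SMTPException) as exc:
            results[label] = "FAILED: %s" % exc
    return results


if __name__ == "__main__":
    for pid, sess in parse_smtpd_tls_log(SAMPLE_LOG).items():
        print("smtpd[%s]: %s" % (pid, diagnose(sess)))
    if len(sys.argv) > 1:  # optional live probe, e.g.: python3 tls13_probe.py mail.example.com
        print(compare_caps(sys.argv[1]))
```

Run it with no arguments to see the verdict for the two constructed sessions; with a host name it additionally performs the two STARTTLS probes against that host. Running the probe once against the public address and once against localhost gives the same comparison the thread makes with `openssl s_client`, but with the version cap made explicit, so a path that completes TLS 1.2 and drops TLS 1.3 stands out immediately.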
