On February 24, 2020 8:47:49 AM UTC, Viktor Dukhovni 
<postfix-us...@dukhovni.org> wrote:
>> 
>> On Feb 24, 2020, at 2:27 AM, Michael <m...@hemathor.de> wrote:
>> 
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
>> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
>> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
>> Feb 22 08:55:08 mail postfix/smtpd[12952]: lost connection after STARTTLS from bendel.debian.org[82.195.75.100]
>> Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2
>
>This looks like a client (or firewall, etc. in between) that does not
>correctly support TLS 1.3.  What's new on your system is not Postfix 3.4,
>but a sufficiently recent version of OpenSSL that has TLS 1.3 support.
>
>The client appears to have just disconnected after the server's "finished"
>message, with no TLS alert sent to indicate the nature of the problem.
>
>You could try getting a PCAP file, and decode that, but with TLS 1.3,
>where a large fraction of the handshake is encrypted, debugging can be
>more difficult.
>
>Were TLS sessions failing from all senders or just particular systems?

Since the host in the example is a Debian mail server (it hosts the project 
mailing lists), I checked.  It's running Debian 10 (same as the OP) using 
Postfix 3.4 (.6, .7, or .8 depending on when it was last updated), so it should 
support TLS 1.3 with no problem (I don't have access to the Postfix or OpenSSL 
configuration, so in theory it could have been manually disabled).  That points 
to your "or something in between" theory.  Since it appears to be all hosts, 
I'd guess something very near the OP's system.

Scott K
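To answer Viktor's question ("all senders or just particular systems?") from the smtpd log rather than by eye, here is a small added log triage script; it is not part of the thread and not Postfix code. It keys the `SSL_accept:` state lines by smtpd pid, and when an `SSL_accept error from ...` line arrives it reports the peer, the last handshake state reached (here `TLSv1.3 early data`, i.e. right after the server's finished) and whether any TLS alert was logged first. The sample log is constructed from the thread's lines plus a placeholder peer; the `SSL3 alert read:` wording for received alerts is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log; mx.example.net is a placeholder.
SAMPLE_LOG = """\
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:56:01 mail postfix/smtpd[12960]: connect from mx.example.net[192.0.2.10]
Feb 22 08:56:01 mail postfix/smtpd[12960]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:56:01 mail postfix/smtpd[12960]: SSL_accept:SSLv3/TLS read finished
""".splitlines()

# "<mon> <day> <time> <host> postfix/smtpd[<pid>]: <msg>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(\d+)\]: (.*)$")
ERROR_RE = re.compile(r"^SSL_accept error from (\S+): (.+)$")

def tls_accept_failures(lines):
    """Return (peer, last_handshake_state, reason, alert_seen) for each
    SSL_accept error. State is tracked per smtpd pid so interleaved
    sessions from different peers are not mixed up."""
    last_state = {}                  # pid -> most recent SSL_accept:<state>
    alert_seen = defaultdict(bool)   # pid -> an alert line was logged (assumed format)
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        # "SSL_accept:error in ..." is OpenSSL reporting the failure, not a new state.
        if msg.startswith("SSL_accept:") and not msg.startswith("SSL_accept:error"):
            last_state[pid] = msg[len("SSL_accept:"):]
        elif "SSL3 alert read:" in msg:
            alert_seen[pid] = True
        else:
            e = ERROR_RE.match(msg)
            if e:
                peer, reason = e.groups()
                failures.append((peer, last_state.pop(pid, "unknown"),
                                 reason, alert_seen.pop(pid, False)))
    return failures

def failures_by_peer(failures):
    """Count failures per peer: one broken sender vs. everything in between."""
    counts = defaultdict(int)
    for peer, _state, _reason, _alert in failures:
        counts[peer] += 1
    return dict(counts)
```

A state of `TLSv1.3 early data` with `alert_seen` False across many different peers is the "no alert, dropped after finished, everyone affected" pattern the thread attributes to a middlebox rather than the senders.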
