On Thu, Jul 11, 2013 at 03:54:37PM +, Viktor Dukhovni wrote:
> Therefore, disable SSLv2 in the Postfix client, and you'll almost
> never see this issue. (You could run into it if a server decided
> to renew a ticket, but this is rather unlikely, almost certainly
> no SMTP servers have code fo
On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote:
> Now I get it. Thank you Viktor for walking me through this.
Note that if you disable "SSLv2" as recommended for a long time
now:
smtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
you may well f
On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote:
> > So 0.9.8j does not implement session tickets correctly. With Postfix
> > 2.11 you can add:
> >
> > tls_ssl_options = NO_TICKET
> >
> > to main.cf to work-around this specific problem, without disabling
> > TLSv1, but I would
Viktor Dukhovni wrote:
> On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:
[...]
> So 0.9.8j does not implement session tickets correctly. With Postfix
> 2.11 you can add:
>
> tls_ssl_options = NO_TICKET
>
> to main.cf to work-around this specific problem, without disabling
>
On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:
> > > SSL_connect:error in SSLv3 read server hello A
> > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> >
> > > number:s3_pkt.c:281:
> >
> > Unfortunately, the "reconnect" code in s_client (at least with
> > 0.9.8
Viktor Dukhovni wrote:
> On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:
> > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
> >
> > "ALL:+RC4:@STRENGTH" -connect server.example.com:25
> >
> > 250 DSN
> > drop connection and then reconnect
> > SSL3 alert w
On Thu, Jul 11, 2013 at 01:48:01PM +, Viktor Dukhovni wrote:
> Unfortunately, the "reconnect" code in s_client (at least with
> 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
> "220 hostname" is not an SSL server HELO.
Fix reported in 2008, not yet applied:
https://rt.openssl.o
On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:
> $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
> "ALL:+RC4:@STRENGTH" -connect server.example.com:25
> 250 DSN
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(000
On Wednesday, 10 July 2013, 18:32:32, Viktor Dukhovni wrote:
> On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote:
> > I attached a full trace with a successful TLS session, an unsuccessful TLS
> > session and the following fallback to a clear session.
> > The trace looks wrong. I'm not
On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote:
> I attached a full trace with a successful TLS session, an unsuccessful TLS
> session and the following fallback to a clear session.
> The trace looks wrong. I'm not sure I decrypted it proper.
The capture file includes only the pac
Viktor Dukhovni wrote:
> On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote:
> > postfix/smtp[8106]: setting up TLS connection to
> > server.example.com[a.b.c.d]:25
> > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25:
> > -1 postfix/smtp[8106]: warning: TLS librar
On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote:
> postfix/smtp[8106]: setting up TLS connection to
> server.example.com[a.b.c.d]:25
> postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
> postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:
On Jul 9, 2013, at 16:10, Stefan Jakobs wrote:
> Postfix logs the following in my logs:
>
> postfix/smtp[8106]: setting up TLS connection to
> server.example.com[a.b.c.d]:25
> postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
> postfix/smtp[8106]: warning: TLS library
13 matches