Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 03:54:37PM +, Viktor Dukhovni wrote: > Therefore, disable SSLv2 in the Postfix client, and you'll almost > never see this issue. (You could run into it if a server decided > to renew a ticket, but this is rather unlikely, almost certainly > no SMTP servers have code fo

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote: > Now I get it. Thank you Viktor for walking me through this. Note that if you disable "SSLv2" as recommended for a long time now: smtp_tls_protocols = !SSLv2 smtp_tls_mandatory_protocols = !SSLv2 you may well f

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote: > > So 0.9.8j does not implement session tickets correctly. With Postfix > > 2.11 you can add: > > > > tls_ssl_options = NO_TICKET > > > > to main.cf to work-around this specific problem, without disabling > > TLSv1, but I would

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Stefan Jakobs
Viktor Dukhovni wrote: > On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote: [...] > So 0.9.8j does not implement session tickets correctly. With Postfix > 2.11 you can add: > > tls_ssl_options = NO_TICKET > > to main.cf to work-around this specific problem, without disabling >

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote: > > > SSL_connect:error in SSLv3 read server hello A > > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version > > > > > number:s3_pkt.c:281: > > > > Unfortunately, the "reconnect" code in s_client (at least with > > 0.9.8

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Stefan Jakobs
Viktor Dukhovni wrote: > On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote: > > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \ > > > > "ALL:+RC4:@STRENGTH" -connect server.example.com:25 > > > > 250 DSN > > drop connection and then reconnect > > SSL3 alert w

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 01:48:01PM +, Viktor Dukhovni wrote: > Unfortunately, the "reconnect" code in s_client (at least with > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because > "220 hostname" is not an SSL server HELO. Fix reported in 2008, not yet applied: https://rt.openssl.o

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote: > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \ > "ALL:+RC4:@STRENGTH" -connect server.example.com:25 > 250 DSN > drop connection and then reconnect > SSL3 alert write:warning:close notify > CONNECTED(000

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Stefan Jakobs
On Wednesday, 10 July 2013, 18:32:32, Viktor Dukhovni wrote: > On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote: > > I attached a full trace with a successful TLS session, an unsuccessful TLS > > session and the following fallback to a clear session. > > The trace looks wrong. I'm not

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-10 Thread Viktor Dukhovni
On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote: > I attached a full trace with a successful TLS session, an unsuccessful TLS > session and the following fallback to a clear session. > The trace looks wrong. I'm not sure I decrypted it proper. The capture file includes only the pac

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-10 Thread Stefan Jakobs
Viktor Dukhovni wrote: > On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote: > > postfix/smtp[8106]: setting up TLS connection to > > server.example.com[a.b.c.d]:25 > > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: > > -1 postfix/smtp[8106]: warning: TLS librar

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-09 Thread Viktor Dukhovni
On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote: > postfix/smtp[8106]: setting up TLS connection to > server.example.com[a.b.c.d]:25 > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1 > postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-09 Thread DTNX Postmaster
On Jul 9, 2013, at 16:10, Stefan Jakobs wrote: > Postfix logs the following in my logs: > > postfix/smtp[8106]: setting up TLS connection to > server.example.com[a.b.c.d]:25 > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1 > postfix/smtp[8106]: warning: TLS library