
Re: TLS Problem

  • Victor Duchovni
    Message 1 of 4 , Nov 28, 2005
      On Mon, Nov 28, 2005 at 05:24:35PM +0100, Ralf Hildebrandt wrote:

      > I'm dumbfounded.
      >
      > Nov 28 17:22:28 postamt postfix/smtpd[6330]: SSL_accept error from mail.charite.de[160.45.207.131]: -1
      > Nov 28 17:22:28 postamt postfix/smtpd[6330]: warning: TLS library problem: 6330:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
      > Nov 28 17:22:28 postamt postfix/smtpd[6330]: lost connection after STARTTLS from mail.charite.de[160.45.207.131]
      >
      > I updated postfix on our postamt.charite.de (mail_version = 2.3-20051126)
      > and now I'm getting these errors. The same update on mail.charite.de
      > causes no grief, one can use TLS to connect to it and it happily uses
      > STARTTLS to send anywhere in the world.
      >

      Something is mangling the SSL packets, the received packet version number
      does not match the protocol version number. The SSL protocol carries a
      two byte version number:

      ssl2.h:#define SSL2_VERSION 0x0002
      ssl3.h:#define SSL3_VERSION 0x0300
      tls1.h:#define TLS1_VERSION 0x0301

      OpenSSL does not expect this to change after the first packet, try ssldump
      and see what it makes of the traffic.

      s3_pkt.c:
      ... reads the packet header ...
      ... either reads enough bytes or returns <=0 ...
      n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
      if (n <= 0) return(n); /* error or non-blocking */
      s->rstate=SSL_ST_READ_BODY;

      p=s->packet;

      /* Pull apart the header into the SSL3_RECORD */
      rr->type= *(p++);
      ssl_major= *(p++);
      ssl_minor= *(p++);
      version=(ssl_major<<8)|ssl_minor;
      n2s(p,rr->length);

      /* Lets check version */
      if (s->first_packet)
          {
          s->first_packet=0;
          }
      else
          {
          ... packet version != protocol version bail ...
          if (version != s->version)
              {
              SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
              /* Send back error using their
               * version number :-) */
              s->version=version;
              al=SSL_AD_PROTOCOL_VERSION;


      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
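The record-header check Viktor quotes from s3_pkt.c, reduced to a stand-alone C program. This is an added example, not OpenSSL code and not part of the list message: it keeps the same rule (the first record is accepted unchecked, every later record must carry exactly the negotiated two-byte version) and walks a constructed byte stream so you can see at which record offset the "wrong version number" condition fires. The conn_state struct, the check_stream walker, the MAX_RECORD_LENGTH bound and the two sample streams are assumptions made for the example; the version constants are the ones quoted in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Version constants as quoted from OpenSSL's ssl3.h / tls1.h above. */
#define SSL3_VERSION 0x0300
#define TLS1_VERSION 0x0301
#define SSL3_RT_HEADER_LENGTH 5
/* Assumed sanity bound on the length field (plaintext max plus expansion). */
#define MAX_RECORD_LENGTH (16384 + 2048)

/* Outcome of checking one record header. */
enum rec_status {
    REC_OK = 0,
    REC_SHORT = -1,         /* fewer than 5 bytes left in the stream */
    REC_WRONG_VERSION = -2, /* the condition behind SSL_R_WRONG_VERSION_NUMBER */
    REC_TOO_LONG = -3       /* length field exceeds MAX_RECORD_LENGTH */
};

/* The five-byte record header: type, major, minor, 16-bit length. */
struct rec_header {
    uint8_t type;
    uint16_t version;
    uint16_t length;
};

/* Hypothetical per-connection state standing in for s->first_packet and
 * s->version in the quoted OpenSSL excerpt. */
struct conn_state {
    int first_packet;  /* 1 until the first record has been seen */
    uint16_t version;  /* protocol version negotiated in the handshake */
};

/* Pull apart one header and apply the same version rule as ssl3_get_record. */
int parse_record_header(const uint8_t *buf, size_t len,
                        struct conn_state *st, struct rec_header *out)
{
    if (len < SSL3_RT_HEADER_LENGTH)
        return REC_SHORT;
    out->type = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (st->first_packet)
        st->first_packet = 0;            /* first record: no comparison */
    else if (out->version != st->version)
        return REC_WRONG_VERSION;        /* later record: must match */
    if (out->length > MAX_RECORD_LENGTH)
        return REC_TOO_LONG;
    return REC_OK;
}

/* Walk a byte stream record by record. Returns REC_OK when every header
 * passes, otherwise the first failing status, with *bad_offset set to the
 * offset of the offending header. */
int check_stream(const uint8_t *stream, size_t len,
                 struct conn_state *st, size_t *bad_offset)
{
    size_t off = 0;
    while (off < len) {
        struct rec_header h;
        int rc = parse_record_header(stream + off, len - off, st, &h);
        if (rc != REC_OK) {
            *bad_offset = off;
            return rc;
        }
        off += SSL3_RT_HEADER_LENGTH + h.length;
    }
    return REC_OK;
}

/* Constructed stream: two handshake records, both labelled 0x0301 (TLS 1.0). */
static const uint8_t CLEAN_STREAM[] = {
    0x16, 0x03, 0x01, 0x00, 0x02, 0xaa, 0xbb,
    0x16, 0x03, 0x01, 0x00, 0x01, 0xcc,
};

/* Constructed stream: the same bytes, but the second header now says 0x0300,
 * the kind of damage a packet-mangling device in the path would produce. */
static const uint8_t MANGLED_STREAM[] = {
    0x16, 0x03, 0x01, 0x00, 0x02, 0xaa, 0xbb,
    0x16, 0x03, 0x00, 0x00, 0x01, 0xcc,
};

int scenario_clean(void)
{
    struct conn_state st = { 1, TLS1_VERSION };
    size_t off = 0;
    return check_stream(CLEAN_STREAM, sizeof CLEAN_STREAM, &st, &off);
}

int scenario_mangled(void)
{
    struct conn_state st = { 1, TLS1_VERSION };
    size_t off = 0;
    return check_stream(MANGLED_STREAM, sizeof MANGLED_STREAM, &st, &off);
}

size_t scenario_mangled_offset(void)
{
    struct conn_state st = { 1, TLS1_VERSION };
    size_t off = 0;
    check_stream(MANGLED_STREAM, sizeof MANGLED_STREAM, &st, &off);
    return off;
}

int main(void)
{
    printf("clean stream:   status %d\n", scenario_clean());
    printf("mangled stream: status %d at offset %zu\n",
           scenario_mangled(), scenario_mangled_offset());
    return 0;
}
```

The mangled stream fails on the second record (offset 7), exactly the point at which OpenSSL raises SSL_R_WRONG_VERSION_NUMBER; the first record passes in both streams because the first_packet flag suppresses the comparison. Pointing a capture from the affected host at a walker like this, or at ssldump as Viktor suggests, shows whether the version bytes on the wire are what the peer sent or were altered in transit.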