
ssl errors in log. error on remote or local side?

  • Marko Weber | ZBF
    Message 1 of 12 , May 22 6:57 AM
      hello list,
      i find error entries like these in my logs:

      postfix/smtp[16790]: warning: TLS library problem:
      16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
      number:s3_pkt.c:340:

      does that mean openssl or something is broken on my machine?

      thanks

      marko
    • Viktor Dukhovni
      Message 2 of 12 , May 22 8:54 AM
        On Wed, May 22, 2013 at 03:57:49PM +0200, Marko Weber | ZBF wrote:

        > I find error entries like these in my logs:
        >
        > postfix/smtp[16790]: warning: TLS library problem:
        > 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
        >
        > does that mean openssl or something is broken on my machine?

        No, unless this happens for a large fraction of TLS connections.
        Most errors of this form are bugs in the peer SSL stack or problems
        induced by in-flight data corruption (perhaps mangled by a buggy
        firewall).

        Make sure your library is patched to the latest update.

        --
        Viktor.
      • Marko Weber | ZBF
        Message 3 of 12 , May 22 9:10 AM
          On 2013-05-22 17:54, Viktor Dukhovni wrote:
          > On Wed, May 22, 2013 at 03:57:49PM +0200, Marko Weber | ZBF wrote:
          >
          >> I find error entries like these in my logs:
          >>
          >> postfix/smtp[16790]: warning: TLS library problem:
          >> 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
          >> number:s3_pkt.c:340:
          >>
          >> does that mean openssl or something is broken on my machine?
          >
          > No, unless this happens for a large fraction of TLS connections.
          > Most errors of this form are bugs in the peer SSL stack or problems
          > induced by in-flight data corruption (perhaps mangled by a buggy
          > firewall).
          >
          > Make sure your library is patched to the latest update.

          hello viktor,

          i am on gentoo linux with openssl 1.0.1c.
          i remerge the openssl and restart postfix.

          marko
        • Charles Marcus
          Message 4 of 12 , May 22 9:15 AM
            On 2013-05-22 12:10 PM, Marko Weber | ZBF <weber@...> wrote:
            > i am on gentoo linux with openssl 1.0.1c.

            Me too...

            > i remerge the openssl and restart postfix.

            No need - you missed the significance of Viktor's 'no'...

            This is nothing to worry about *unless* you are getting a significant
            number of these errors. I see occasional similar errors in my logs all
            the time...

            --

            Best regards,

            Charles Marcus
            I.T. Director
            Media Brokers International, Inc.
            678.514.6224 | 678.514.6299 fax
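
Viktor's and Charles's replies above both turn on how often the error occurs, and the thread title asks whether the remote or the local side is at fault. The following Python is an added example, not code from the thread or from Postfix: it counts successful and failed SMTP-client TLS handshakes per peer. It assumes `smtp_tls_loglevel = 1` or higher and that failures are preceded by Postfix's `SSL_connect error to` record; the sample log, the 5% threshold and the more-than-one-peer rule are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, one syslog record per line (documentation hosts/addresses).
# Assumes smtp_tls_loglevel = 1 so that successful handshakes are logged too.
SAMPLE_LOG = """\
May 22 15:50:01 mail postfix/smtp[16701]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 22 15:52:13 mail postfix/smtp[16733]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
May 22 15:55:40 mail postfix/smtp[16760]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 22 15:57:49 mail postfix/smtp[16790]: SSL_connect error to mail.example.com[203.0.113.5]:25: -1
May 22 15:57:49 mail postfix/smtp[16790]: warning: TLS library problem: 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
"""

PID = r"postfix/smtp\[(?P<pid>\d+)\]: "
PEER = r"(?P<peer>\S+\[[^\]]+\]):\d+:"
ESTABLISHED = re.compile(PID + r"\w+ TLS connection established to " + PEER)
CONNECT_ERR = re.compile(PID + r"SSL_connect error to " + PEER)
LIB_PROBLEM = re.compile(
    PID + r"warning: TLS library problem: (?:\d+:)?error:(?P<code>[0-9A-Fa-f]+):"
    r"[^:]*:[^:]*:(?P<reason>[^:]*):")


def summarize(lines, max_fraction=0.05):
    """Per-peer TLS handshake outcomes; max_fraction is illustrative only."""
    ok, failed, reasons, last_peer = Counter(), Counter(), Counter(), {}
    for line in lines:
        if m := ESTABLISHED.search(line):
            ok[m["peer"]] += 1
            last_peer.pop(m["pid"], None)
        elif m := CONNECT_ERR.search(line):
            failed[m["peer"]] += 1
            last_peer[m["pid"]] = m["peer"]
        elif m := LIB_PROBLEM.search(line):
            # Several error-queue lines can follow one failed handshake, so
            # they explain a failure rather than count as additional ones.
            if m["pid"] not in last_peer:      # no SSL_connect line was seen
                last_peer[m["pid"]] = "unknown"
                failed["unknown"] += 1
            reasons[(last_peer[m["pid"]], m["code"].upper(), m["reason"])] += 1
    n_ok, n_failed = sum(ok.values()), sum(failed.values())
    fraction = n_failed / (n_ok + n_failed) if n_ok + n_failed else 0.0
    return {
        "established": n_ok, "failed": n_failed,
        "fraction": fraction,
        "failing_peers": sorted(failed),
        "reasons": dict(reasons),
        # Many failures spread over several peers point at the local side;
        # failures confined to one peer point at that peer or the path to it.
        "widespread": fraction > max_fraction and len(failed) > 1,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

On the constructed sample the single failure is confined to one peer, so `widespread` is false even though the fraction is high for such a small log.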
          • Viktor Dukhovni
            Message 5 of 12 , May 22 9:19 AM
              On Wed, May 22, 2013 at 12:15:24PM -0400, Charles Marcus wrote:

              > On 2013-05-22 12:10 PM, Marko Weber | ZBF <weber@...> wrote:
              > >i am on gentoo linux with openssl 1.0.1c.
              >
              > Me too...
              >
              > >i remerge the openssl and restart postfix.
              >
              > No need - you missed the significance of Viktor's 'no'...
              >
              > This is nothing to worry about *unless* you are getting a
              > significant number of these errors. I see occasional similar errors
              > in my logs all the time...

              1.0.1c has some known issues, you should use 1.0.1e.

              --
              Viktor.
            • Charles Marcus
              Message 6 of 12 , May 22 9:30 AM
                On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...> wrote:
                > 1.0.1c has some known issues, you should use 1.0.1e.

                Hmmm... generally, gentoo is very good at keeping up with security or
                critical functionality issues. 1.0.1c has been stable for quite some
                time. Maybe they have added patches to address whatever concerns you are
                talking about...

                --

                Best regards,

                Charles
              • Quanah Gibson-Mount
                Message 7 of 12 , May 22 9:38 AM
                  --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus
                  <CMarcus@...> wrote:

                  > On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...>
                  > wrote:
                  >> 1.0.1c has some known issues, you should use 1.0.1e.
                  >
                  > Hmmm... generally, gentoo is very good at keeping up with security or
                  > critical functionality issues. 1.0.1c has been stable for quite some
                  > time. Maybe they have added patches to address whatever concerns you are
                  > talking about...

                  Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can absolutely
                  confirm that Gentoo has applied all of the patches from both of those
                  releases to their build, I would strongly advise you to roll your own
                  1.0.1e release.

                  --Quanah



                  --

                  Quanah Gibson-Mount
                  Sr. Member of Technical Staff
                  Zimbra, Inc
                  A Division of VMware, Inc.
                  --------------------
                  Zimbra :: the leader in open source messaging and collaboration
                • Charles Marcus
                  Message 8 of 12 , May 22 10:17 AM
                    On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah@...> wrote:
                    > --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus
                    > <CMarcus@...> wrote:
                    >
                    >> On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...>
                    >> wrote:
                    >>> 1.0.1c has some known issues, you should use 1.0.1e.
                    >>
                    >> Hmmm... generally, gentoo is very good at keeping up with security or
                    >> critical functionality issues. 1.0.1c has been stable for quite some
                    >> time. Maybe they have added patches to address whatever concerns you are
                    >> talking about...
                    >
                    > Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can
                    > absolutely confirm that Gentoo has applied all of the patches from
                    > both of those releases to their build, I would strongly advise you to
                    > roll your own 1.0.1e release.
                    >
                    > --Quanah

                    Ok, but I'd prefer to check this out first and get gentoo to
                    update/stabilize 1.0.1e...

                    Any pointers/links to anything outlining said serious problems?

                    Thanks for the heads up...

                    --

                    Best regards,

                    Charles
                  • Quanah Gibson-Mount
                    Message 9 of 12 , May 22 10:45 AM
                      --On Wednesday, May 22, 2013 1:17 PM -0400 Charles Marcus
                      <CMarcus@...> wrote:

                      > On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah@...> wrote:
                      >> --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus
                      >> <CMarcus@...> wrote:
                      >>
                      >>> On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...>
                      >>> wrote:
                      >>>> 1.0.1c has some known issues, you should use 1.0.1e.
                      >>>
                      >>> Hmmm... generally, gentoo is very good at keeping up with security or
                      >>> critical functionality issues. 1.0.1c has been stable for quite some
                      >>> time. Maybe they have added patches to address whatever concerns you are
                      >>> talking about...
                      >>
                      >> Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can
                      >> absolutely confirm that Gentoo has applied all of the patches from
                      >> both of those releases to their build, I would strongly advise you to
                      >> roll your own 1.0.1e release.
                      >>
                      >> --Quanah
                      >
                      > Ok, but I'd prefer to check this out first and get gentoo to
                      > update/stabilize 1.0.1e...
                      >
                      > Any pointers/links to anything outlining said serious problems?
                      >
                      > Thanks for the heads up...

                      I would read the CHANGES file shipped with OpenSSL. They didn't document
                      the changes between 1.0.1d and 1.0.1e, but you can see the changes between
                      1.0.1c and 1.0.1d.

                      --Quanah

                      --

                      Quanah Gibson-Mount
                      Sr. Member of Technical Staff
                      Zimbra, Inc
                      A Division of VMware, Inc.
                      --------------------
                      Zimbra :: the leader in open source messaging and collaboration
                    • Charles Marcus
                      Message 10 of 12 , May 30 6:22 AM
                        On 2013-05-22 1:45 PM, Quanah Gibson-Mount <quanah@...> wrote:
                        > --On Wednesday, May 22, 2013 1:17 PM -0400 Charles Marcus
                        > <CMarcus@...> wrote:
                        >
                        >> On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah@...> wrote:
                        >>> Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can
                        >>> absolutely confirm that Gentoo has applied all of the patches from
                        >>> both of those releases to their build, I would strongly advise you to
                        >>> roll your own 1.0.1e release.
                        >>
                        >> Ok, but I'd prefer to check this out first and get gentoo to
                        >> update/stabilize 1.0.1e...
                        >>
                        >> Any pointers/links to anything outlining said serious problems?
                        >>
                        >> Thanks for the heads up...
                        >
                        > I would read the CHANGES file shipped with OpenSSL. They didn't
                        > document the changes between 1.0.1d and 1.0.1e, but you can see the
                        > changes between 1.0.1c and 1.0.1d.

                        I did, and nothing jumps out at me (but I'm not a programmer, so that
                        isn't worth much).

                        Also, the gentoo devs don't know of any issues, and asked for pointers
                        to details.

                        The patches currently applied to the 1.0.1c ebuild are:

                        epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
                        epatch "${FILESDIR}"/${PN}-1.0.0d-fbsd-amd64.patch #363089
                        epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
                        epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
                        epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
                        epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
                        epatch "${FILESDIR}"/${PN}-1.0.1-ipv6.patch

                        If no pointers can be provided explaining these 'serious issues', then I
                        don't see how they could be all that serious.

                        --

                        Best regards,

                        Charles
                      • Charles Marcus
                        Message 11 of 12 , May 31 4:46 AM
                          On 2013-05-22 1:45 PM, Quanah Gibson-Mount <quanah@...> wrote:
                          > I would read the CHANGES file shipped with OpenSSL. They didn't
                          > document the changes between 1.0.1d and 1.0.1e, but you can see the
                          > changes between 1.0.1c and 1.0.1d.

                          I read them, but nothing jumped out at me (didn't see anything
                          significant warranting a charge of 'serious problems')...

                          The gentoo version of 1.0.1c currently applies the following patches
                          (not sure if these names will mean anything to anyone here or not):

                          1.0.0a-ldflags.patch #327421
                          1.0.0d-fbsd-amd64.patch #363089
                          1.0.0d-windres.patch #373743
                          1.0.0h-pkg-config.patch
                          1.0.1-parallel-build.patch
                          1.0.1-x32.patch
                          1.0.1-ipv6.patch


                          --

                          Best regards,

                          Charles
                        • Charles Marcus
                          Message 12 of 12 , Jun 2, 2013
                            On 2013-05-31 7:46 AM, Charles Marcus <CMarcus@...> wrote:
                            > On 2013-05-22 1:45 PM, Quanah Gibson-Mount <quanah@...> wrote:
                            >> I would read the CHANGES file shipped with OpenSSL. They didn't
                            >> document the changes between 1.0.1d and 1.0.1e, but you can see the
                            >> changes between 1.0.1c and 1.0.1d.
                            >
                            > I read them, but nothing jumped out at me (didn't see anything
                            > significant warranting a charge of 'serious problems')...
                            >
                            > The gentoo version of 1.0.1c currently applies the following patches
                            > (not sure if these names will mean anything to anyone here or not):
                            >
                            > 1.0.0a-ldflags.patch #327421
                            > 1.0.0d-fbsd-amd64.patch #363089
                            > 1.0.0d-windres.patch #373743
                            > 1.0.0h-pkg-config.patch
                            > 1.0.1-parallel-build.patch
                            > 1.0.1-x32.patch
                            > 1.0.1-ipv6.patch

                            So... any specific pointers to links describing these supposed
                            '*serious* problems' inherent to openssl 1.0.1c?

                            If this is true, it shouldn't be all that difficult to provide such (and
                            the burden of proof is on the claimant, no?)...

                            --

                            Best regards,

                            Charles