
Re: ssl errors in log. error on remote or local side?

  • Viktor Dukhovni
    Message 1 of 12 , May 22, 2013
      On Wed, May 22, 2013 at 03:57:49PM +0200, Marko Weber | ZBF wrote:

      > I find error entries like these in my logs:
      >
      > postfix/smtp[16790]: warning: TLS library problem:
      > 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
      >
      > does that mean openssl or something is broken on my machine?

      No, unless this happens for a large fraction of TLS connections.
      Most errors of this form are bugs in the peer SSL stack or problems
      induced by in-flight data corruption (perhaps mangled by a buggy
      firewall).

      Make sure your library is patched to the latest update.

      --
      Viktor.
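Viktor's rule of thumb above is a ratio test, and it is easier to apply to a real mail log with a script than by eye. The following is an added example, not code from the thread, from Postfix or from OpenSSL: it splits the OpenSSL error string in the quoted log line into its fields (error:<code>:<lib>:<func>:<reason>:<file>:<line>, with the numeric code unpacked the way OpenSSL 1.0.x's ERR_PACK() lays it out), tallies "TLS library problem" warnings against the TLS sessions Postfix reports as established, attributes each warning to the last peer seen for the same smtp process (best effort, since the warning line itself names no peer), and flags the log when the warning fraction exceeds a threshold. The sample log lines, hostnames and addresses are constructed, and the 5% threshold is an assumption, not a figure from the thread.

```python
"""Triage Postfix "TLS library problem" warnings against the number of TLS
sessions actually established, following the rule of thumb in the thread.
Added example; the sample log is constructed and the threshold is an assumption."""
import re
import sys
from collections import Counter

# Constructed sample mail.log excerpt (placeholder hosts, RFC 5737 addresses).
# The warning line reuses the OpenSSL error text quoted in the thread.
SAMPLE_LOG = """\
May 22 15:57:01 mx postfix/smtp[16790]: Untrusted TLS connection established to mail.example-a.test[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
May 22 15:57:02 mx postfix/smtp[16790]: warning: TLS library problem: 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
May 22 15:58:10 mx postfix/smtp[16801]: Trusted TLS connection established to mail.example-b.test[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 15:59:31 mx postfix/smtp[16801]: Untrusted TLS connection established to mail.example-c.test[203.0.113.9]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 22 16:01:05 mx postfix/smtp[16810]: Untrusted TLS connection established to mail.example-a.test[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
May 22 16:02:44 mx postfix/smtp[16810]: Trusted TLS connection established to mail.example-b.test[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 16:03:12 mx postfix/smtp[16812]: Untrusted TLS connection established to mail.example-d.test[192.0.2.55]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
May 22 16:04:00 mx postfix/smtp[16812]: Untrusted TLS connection established to mail.example-c.test[203.0.113.9]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# postfix/smtp[<pid>]: <message>
SMTP_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
# Postfix's per-session summary line at smtp_tls_loglevel >= 1
ESTABLISHED_RE = re.compile(
    r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"([^\[\s]+)\[([^\]]+)\]:\d+: (\S+) with cipher (\S+)")
WARNING_RE = re.compile(r"^warning: TLS library problem: (.*)$")
# ERR_error_string() layout: error:<8 hex digits>:<lib>:<func>:<reason>:<file>:<line>
OPENSSL_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+)")


def parse_openssl_error(text):
    """Split an OpenSSL error string into its fields, or return None.

    The numeric code packs library, function and reason numbers the way
    OpenSSL 1.0.x's ERR_PACK() does: 8 bits lib, 12 bits func, 12 bits reason."""
    m = OPENSSL_ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib_code": code >> 24,
        "func_code": (code >> 12) & 0xFFF,
        "reason_code": code & 0xFFF,
        "lib": m.group(2),
        "func": m.group(3),
        "reason": m.group(4),
        "file": m.group(5),
        "line": int(m.group(6)),
    }


def summarize_tls_log(lines):
    """Count established TLS sessions and TLS library warnings in smtp client log lines.

    A failed handshake never produces an "established" line, so the fraction is
    warnings / (established sessions + warnings)."""
    established = 0
    warnings = 0
    by_reason = Counter()
    by_peer = Counter()
    last_peer = {}  # smtp pid -> peer named in the last session line for that process
    for line in lines:
        m = SMTP_RE.search(line)
        if not m:
            continue  # not a postfix/smtp client line
        pid, msg = m.group(1), m.group(2)
        e = ESTABLISHED_RE.match(msg)
        if e:
            established += 1
            last_peer[pid] = e.group(1)
            continue
        w = WARNING_RE.match(msg)
        if w:
            warnings += 1
            err = parse_openssl_error(w.group(1))
            by_reason[err["reason"] if err else "unparsed"] += 1
            # Best effort: the warning names no peer, so attribute it to the
            # peer this smtp process most recently reported a session with.
            by_peer[last_peer.get(pid, "unknown")] += 1
    total = established + warnings
    return {
        "established": established,
        "warnings": warnings,
        "fraction": warnings / total if total else 0.0,
        "by_reason": by_reason,
        "by_peer": by_peer,
    }


def is_significant(summary, threshold=0.05):
    """True when warnings exceed the given fraction of sessions (threshold is an assumption)."""
    return summary["fraction"] > threshold


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    s = summarize_tls_log(lines)
    print(f"established={s['established']} warnings={s['warnings']} "
          f"fraction={s['fraction']:.3f} significant={is_significant(s)}")
    for reason, n in s["by_reason"].most_common():
        print(f"  reason: {reason!r} x{n}")
    for peer, n in s["by_peer"].most_common():
        print(f"  peer: {peer} x{n}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path to a real mail log (`python3 tls_triage.py /var/log/mail.log`) or with no argument to see the constructed sample. A single peer accounting for most of the warnings points at that peer's stack or at a middlebox on the path to it, which is the "peer bug or in-flight corruption" case Viktor describes; warnings spread evenly across peers, or a fraction well above the threshold, is the case where the local library deserves a closer look.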
    • Marko Weber | ZBF
      Message 2 of 12 , May 22, 2013
        Am 2013-05-22 17:54, schrieb Viktor Dukhovni:
        > On Wed, May 22, 2013 at 03:57:49PM +0200, Marko Weber | ZBF wrote:
        >
        > I find error entries like these in my logs:
        >
        > postfix/smtp[16790]: warning: TLS library problem:
        > 16790:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
        > number:s3_pkt.c:340:
        >
        > does that mean openssl or something is broken on my machine?
        >
        > No, unless this happens for a large fraction of TLS connections.
        > Most errors of this form are bugs in the peer SSL stack or problems
        > induced by in-flight data corruption (perhaps mangled by a buggy
        > firewall).
        >
        > Make sure your library is patched to the latest update.

        hello viktor,

        i am on gentoo linux with openssl 1.0.1c.
        i remerge the openssl and restart postfix.

        marko
      • Charles Marcus
        Message 3 of 12 , May 22, 2013
          On 2013-05-22 12:10 PM, Marko Weber | ZBF <weber@...> wrote:
          > i am on gentoo linux with openssl 1.0.1c.

          Me too...

          > i remerge the openssl and restart postfix.

          No need - you missed the significance of Viktor's 'no'...

          This is nothing to worry about *unless* you are getting a significant
          number of these errors. I see occasional similar errors in my logs all
          the time...

          --

          Best regards,

          Charles Marcus
          I.T. Director
          Media Brokers International, Inc.
          678.514.6224 | 678.514.6299 fax
        • Viktor Dukhovni
          Message 4 of 12 , May 22, 2013
            On Wed, May 22, 2013 at 12:15:24PM -0400, Charles Marcus wrote:

            > On 2013-05-22 12:10 PM, Marko Weber | ZBF <weber@...> wrote:
            > >i am on gentoo linux with openssl 1.0.1c.
            >
            > Me too...
            >
            > >i remerge the openssl and restart postfix.
            >
            > No need - you missed the significance of Viktor's 'no'...
            >
            > This is nothing to worry about *unless* you are getting a
            > significant number of these errors. I see occasional similar errors
            > in my logs all the time...

            1.0.1c has some known issues, you should use 1.0.1e.

            --
            Viktor.
          • Charles Marcus
            Message 5 of 12 , May 22, 2013
              On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...> wrote:
              > 1.0.1c has some known issues, you should use 1.0.1e.

              Hmmm... generally, gentoo is very good at keeping up with security or
              critical functionality issues. 1.0.1c has been stable for quite some
              time. Maybe they have added patches to address whatever concerns you are
              talking about...

              --

              Best regards,

              Charles
            • Quanah Gibson-Mount
              Message 6 of 12 , May 22, 2013
                --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus
                <CMarcus@...> wrote:

                > On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...>
                > wrote:
                >> 1.0.1c has some known issues, you should use 1.0.1e.
                >
                > Hmmm... generally, gentoo is very good at keeping up with security or
                > critical functionality issues. 1.0.1c has been stable for quite some
                > time. Maybe they have added patches to address whatever concerns you are
                > talking about...

                Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can absolutely
                confirm that Gentoo has applied all of the patches from both of those
                releases to their build, I would strongly advise you to roll your own
                1.0.1e release.

                --Quanah
                --

                Quanah Gibson-Mount
                Sr. Member of Technical Staff
                Zimbra, Inc
                A Division of VMware, Inc.
                --------------------
                Zimbra :: the leader in open source messaging and collaboration
              • Charles Marcus
                Message 7 of 12 , May 22, 2013
                  On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah@...> wrote:
                  > --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus
                  > <CMarcus@...> wrote:
                  >
                  >> On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...>
                  >> wrote:
                  >>> 1.0.1c has some known issues, you should use 1.0.1e.
                  >>
                  >> Hmmm... generally, gentoo is very good at keeping up with security or
                  >> critical functionality issues. 1.0.1c has been stable for quite some
                  >> time. Maybe they have added patches to address whatever concerns you are
                  >> talking about...
                  >
                  > Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can
                  > absolutely confirm that Gentoo has applied all of the patches from
                  > both of those releases to their build, I would strongly advise you to
                  > roll your own 1.0.1e release.
                  >
                  > --Quanah

                  Ok, but I'd prefer to check this out first and get gentoo to
                  update/stabilize 1.0.1e...

                  Any pointers/links to anything outlining said serious problems?

                  Thanks for the heads up...

                  --

                  Best regards,

                  Charles
                • Quanah Gibson-Mount
                  Message 8 of 12 , May 22, 2013
                    --On Wednesday, May 22, 2013 1:17 PM -0400 Charles Marcus
                    <CMarcus@...> wrote:

                    > On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah@...> wrote:
                    >> --On Wednesday, May 22, 2013 12:30 PM -0400 Charles Marcus
                    >> <CMarcus@...> wrote:
                    >>
                    >>> On 2013-05-22 12:19 PM, Viktor Dukhovni <postfix-users@...>
                    >>> wrote:
                    >>>> 1.0.1c has some known issues, you should use 1.0.1e.
                    >>>
                    >>> Hmmm... generally, gentoo is very good at keeping up with security or
                    >>> critical functionality issues. 1.0.1c has been stable for quite some
                    >>> time. Maybe they have added patches to address whatever concerns you are
                    >>> talking about...
                    >>
                    >> Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can
                    >> absolutely confirm that Gentoo has applied all of the patches from
                    >> both of those releases to their build, I would strongly advise you to
                    >> roll your own 1.0.1e release.
                    >>
                    >> --Quanah
                    >
                    > Ok, but I'd prefer to check this out first and get gentoo to
                    > update/stabilize 1.0.1e...
                    >
                    > Any pointers/links to anything outlining said serious problems?
                    >
                    > Thanks for the heads up...

                    I would read the CHANGES file shipped with OpenSSL. They didn't document
                    the changes between 1.0.1d and 1.0.1e, but you can see the changes between
                    1.0.1c and 1.0.1d.

                    --Quanah

                    --

                    Quanah Gibson-Mount
                    Sr. Member of Technical Staff
                    Zimbra, Inc
                    A Division of VMware, Inc.
                    --------------------
                    Zimbra :: the leader in open source messaging and collaboration
                  • Charles Marcus
                    Message 9 of 12 , May 30, 2013
                      On 2013-05-22 1:45 PM, Quanah Gibson-Mount <quanah@...> wrote:
                      > --On Wednesday, May 22, 2013 1:17 PM -0400 Charles Marcus
                      > <CMarcus@...> wrote:
                      >
                      >> On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah@...> wrote:
                      >>> Both 1.0.1c and 1.0.1d had *serious* problems. Unless you can
                      >>> absolutely confirm that Gentoo has applied all of the patches from
                      >>> both of those releases to their build, I would strongly advise you to
                      >>> roll your own 1.0.1e release.
                      >>
                      >> Ok, but I'd prefer to check this out first and get gentoo to
                      >> update/stabilize 1.0.1e...
                      >>
                      >> Any pointers/links to anything outlining said serious problems?
                      >>
                      >> Thanks for the heads up...
                      >
                      > I would read the CHANGES file shipped with OpenSSL. They didn't
                      > document the changes between 1.0.1d and 1.0.1e, but you can see the
                      > changes between 1.0.1c and 1.0.1d.

                      I did, and nothing jumps out at me (but I'm not a programmer, so that
                      isn't worth much).

                      Also, the gentoo devs don't know of any issues, and asked for pointers
                      to details.

                      The patches currently applied to the 1.0.1c ebuild are:

                      epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
                      epatch "${FILESDIR}"/${PN}-1.0.0d-fbsd-amd64.patch #363089
                      epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
                      epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
                      epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
                      epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
                      epatch "${FILESDIR}"/${PN}-1.0.1-ipv6.patch

                      If no pointers can be provided explaining these 'serious issues', then I
                      don't see how they could be all that serious.

                      --

                      Best regards,

                      Charles
                    • Charles Marcus
                      Message 10 of 12 , May 31, 2013
                        On 2013-05-22 1:45 PM, Quanah Gibson-Mount <quanah@...> wrote:
                        > I would read the CHANGES file shipped with OpenSSL. They didn't
                        > document the changes between 1.0.1d and 1.0.1e, but you can see the
                        > changes between 1.0.1c and 1.0.1d.

                        I read them, but nothing jumped out at me (didn't see anything
                        significant warranting a charge of 'serious problems')...

                        The gentoo version of 1.0.1c currently applies the following patches
                        (not sure if these names will mean anything to anyone here or not):

                        1.0.0a-ldflags.patch #327421
                        1.0.0d-fbsd-amd64.patch #363089
                        1.0.0d-windres.patch #373743
                        1.0.0h-pkg-config.patch
                        1.0.1-parallel-build.patch
                        1.0.1-x32.patch
                        1.0.1-ipv6.patch
                        --

                        Best regards,

                        Charles
                      • Charles Marcus
                        Message 11 of 12 , Jun 2, 2013
                          On 2013-05-31 7:46 AM, Charles Marcus <CMarcus@...> wrote:
                          > On 2013-05-22 1:45 PM, Quanah Gibson-Mount <quanah@...> wrote:
                          >> I would read the CHANGES file shipped with OpenSSL. They didn't
                          >> document the changes between 1.0.1d and 1.0.1e, but you can see the
                          >> changes between 1.0.1c and 1.0.1d.
                          >
                          > I read them, but nothing jumped out at me (didn't see anything
                          > significant warranting a charge of 'serious problems')...
                          >
                          > The gentoo version of 1.0.1c currently applies the following patches
                          > (not sure if these names will mean anything to anyone here or not):
                          >
                          > 1.0.0a-ldflags.patch #327421
                          > 1.0.0d-fbsd-amd64.patch #363089
                          > 1.0.0d-windres.patch #373743
                          > 1.0.0h-pkg-config.patch
                          > 1.0.1-parallel-build.patch
                          > 1.0.1-x32.patch
                          > 1.0.1-ipv6.patch

                          So... any specific pointers to links describing these supposed
                          '*serious* problems' inherent to openssl 1.0.1c?

                          If this is true, it shouldn't be all that difficult to provide such (and
                          the burden of proof is on the claimant, no?)...

                          --

                          Best regards,

                          Charles