Loading ...
Sorry, an error occurred while loading the content.

Re: SSL3_GET_MESSAGE:unexpected message

Expand Messages
  • DTNX Postmaster
    ... As far as I understand it it means that the negotiation of the SSL cipher did not succeed, because the answer that came back from the remote server was not
    Message 1 of 10 , Jul 9, 2013
    • 0 Attachment
      On Jul 9, 2013, at 16:10, Stefan Jakobs <stefan@...> wrote:

      > Postfix logs the following in my logs:
      >
      > postfix/smtp[8106]: setting up TLS connection to
      > server.example.com[a.b.c.d]:25
      > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
      > postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:SSL
      > routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
      >
      > But there are also logs which say that it works:
      >
      > postfix/smtp[4527]: setting up TLS connection to
      > server.example.com[a.b.c.d]:25
      > postfix/smtp[4527]: Untrusted TLS connection established to
      > server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256
      > bits)
      > postfix/smtp[4527]: 874F037EA0: to=<user@...>,
      > relay=server.example.com[a.b.c.d]:25, delay=0.17, delays=0.04/0/0.08/0.06,
      > dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A56C5A458F)
      > postfix/qmgr[31620]: 874F037EA0: removed
      >
      > I'm wondering what's wrong. And what does this error mean:
      > SSL3_GET_MESSAGE:unexpected message?

      As far as I understand it it means that the negotiation of the SSL
      cipher did not succeed, because the answer that came back from the
      remote server was not understood by yours. We had a similar problem
      earlier this week, which seemed to be caused by the lack of support for
      modern ciphers in Windows 2003.

      I'd suggest you have a good look at your configuration; Postfix 2.5.13
      is no longer supported, for example. Perhaps Postfix (and your OpenSSL
      library) are in need of an update?

      Mvg,
      Jona
    • Viktor Dukhovni
      ... If this server is on the public Internet and if at all possible, please post its IP address. Otherwise you ll have to do most of the sleuthing on your
      Message 2 of 10 , Jul 9, 2013
      • 0 Attachment
        On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote:

        > postfix/smtp[8106]: setting up TLS connection to
        > server.example.com[a.b.c.d]:25
        > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
        > postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:SSL
        > routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:

        If this server is on the public Internet and if at all possible,
        please post its IP address. Otherwise you'll have to do most of
        the sleuthing on your own.

        The client received an unexpected handshake message. You need to
        obtain a full packet PCAP capture of the session, and decode it
        as SSL via wireshark or similar. That may tell you what's unusual
        about the server's response.

        OpenSSL on your client seems to be 0.9.8, can you report which
        version?


        > But there are also logs which say that it works:
        >
        > postfix/smtp[4527]: setting up TLS connection to
        > server.example.com[a.b.c.d]:25
        > postfix/smtp[4527]: Untrusted TLS connection established to
        > server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256
        > bits)

        Rather odd that CAMELLIA got chosen over AES.

        > Connecting with s_client results in the following:
        > # openssl s_client -starttls smtp -verify 10 -connect server.example.com:25
        > SSL-Session:
        > Protocol : TLSv1
        > Cipher : DHE-RSA-AES256-SHA
        > Session-ID: ...
        > Session-ID-ctx:
        > Master-Key: ...
        > Key-Arg : None
        > Start Time: 1373378631
        > Timeout : 300 (sec)
        > Verify return code: 18 (self signed certificate)

        What happens when you use the Postfix client cipherlist?

        ALL:+RC4:@STRENGTH

        # openssl s_client -state -cipher "ALL:+RC4:@STRENGTH" \
        -starttls smtp -connect server.example.com:25

        Try it a few times, ... add "-msg" if the failure is observed, but the
        reason is not more apparent.

        --
        Viktor.
      • Stefan Jakobs
        ... Unfortunately this server is not on public internet. ... I attached a full trace with a successful TLS session, an unsuccessful TLS session and the
        Message 3 of 10 , Jul 10, 2013
        • 0 Attachment
          Viktor Dukhovni wrote:
          > On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote:
          > > postfix/smtp[8106]: setting up TLS connection to
          > > server.example.com[a.b.c.d]:25
          > > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25:
          > > -1 postfix/smtp[8106]: warning: TLS library problem:
          > > 8106:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected
          > > message:s3_both.c:463:
          > If this server is on the public Internet and if at all possible,
          > please post its IP address. Otherwise you'll have to do most of
          > the sleuthing on your own.

          Unfortunately this server is not on public internet.

          > The client received an unexpected handshake message. You need to
          > obtain a full packet PCAP capture of the session, and decode it
          > as SSL via wireshark or similar. That may tell you what's unusual
          > about the server's response.

          I attached a full trace with a successful TLS session, an unsuccessful TLS
          session and the following fallback to a clear session.
          The trace looks wrong. I'm not sure I decrypted it proper.

          > OpenSSL on your client seems to be 0.9.8, can you report which
          > version?

          Yes, you're right. It is: openssl-0.9.8j

          > > But there are also logs which say that it works:
          > >
          > > postfix/smtp[4527]: setting up TLS connection to
          > > server.example.com[a.b.c.d]:25
          > > postfix/smtp[4527]: Untrusted TLS connection established to
          > > server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA
          > > (256/256 bits)
          >
          > Rather odd that CAMELLIA got chosen over AES.
          >
          > > Connecting with s_client results in the following:
          > > # openssl s_client -starttls smtp -verify 10 -connect
          > > server.example.com:25
          > >
          > > SSL-Session:
          > > Protocol : TLSv1
          > > Cipher : DHE-RSA-AES256-SHA
          > > Session-ID: ...
          > > Session-ID-ctx:
          > > Master-Key: ...
          > > Key-Arg : None
          > > Start Time: 1373378631
          > > Timeout : 300 (sec)
          > > Verify return code: 18 (self signed certificate)
          >
          > What happens when you use the Postfix client cipherlist?
          >
          > ALL:+RC4:@STRENGTH
          >
          > # openssl s_client -state -cipher "ALL:+RC4:@STRENGTH" \
          > -starttls smtp -connect server.example.com:25
          >
          > Try it a few times, ... add "-msg" if the failure is observed, but the
          > reason is not more apparent.

          I tried it many times, but I can't produce that SSL error. I always get the
          following:

          # openssl s_client -starttls smtp -state -cipher "ALL:+RC4:@STRENGTH" -connect
          server.example.com:25
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:SSLv2/v3 write client hello A
          SSL_connect:SSLv3 read server hello A
          SSL_connect:SSLv3 read server key exchange A
          SSL_connect:SSLv3 read server done A
          SSL_connect:SSLv3 write client key exchange A
          SSL_connect:SSLv3 write change cipher spec A
          SSL_connect:SSLv3 write finished A
          SSL_connect:SSLv3 flush data
          SSL_connect:SSLv3 read finished A
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 662 bytes and written 399 bytes
          ---
          New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
          Secure Renegotiation IS supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
          Protocol : TLSv1
          Cipher : ADH-CAMELLIA256-SHA
          Session-ID:
          A69CEAAEC18CB1D2BBCDB0AA464A4A9B850A706F84FC1DCFF6C9073833F2E24D
          Session-ID-ctx:
          Master-Key:
          53109E2701F7A9BF21D95747ECD17EFFAFFC7D9E8ADFA5A63DED08293C0320897C15A35E6566FB9B776D29F78ADDCF4F
          Key-Arg : None
          Start Time: 1373469498
          Timeout : 300 (sec)
          Verify return code: 0 (ok)
          ---
          250 DSN

          BTW: server.example.com uses a self-signed snake-oil certificate.

          Thanks for your help.
          Best regards
          Stefan
        • Viktor Dukhovni
          ... The capture file includes only the packets to the SMTP server, none of the replies. So this is not usable. Please capture both sides of the traffic. If
          Message 4 of 10 , Jul 10, 2013
          • 0 Attachment
            On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote:

            > I attached a full trace with a successful TLS session, an unsuccessful TLS
            > session and the following fallback to a clear session.
            > The trace looks wrong. I'm not sure I decrypted it proper.

            The capture file includes only the packets to the SMTP server, none
            of the replies. So this is not usable. Please capture both sides
            of the traffic. If on a multi-homed host, set smtp_bind_address
            to the IP address of the interface on which the reply packets will
            return.

            > > OpenSSL on your client seems to be 0.9.8, can you report which
            > > version?
            >
            > Yes, you're right. It is: openssl-0.9.8j

            This has additional patches from your distribution. What O/S are you
            running?

            > > > postfix/smtp[4527]: Untrusted TLS connection established to
            > > > server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA
            > > > (256/256 bits)
            > >
            > > Rather odd that CAMELLIA got chosen over AES.
            > >
            > > What happens when you use the Postfix client cipherlist?
            > >
            > > ALL:+RC4:@STRENGTH
            > >
            > > # openssl s_client -state -cipher "ALL:+RC4:@STRENGTH" \
            > > -starttls smtp -connect server.example.com:25
            > >
            > > Try it a few times, ... add "-msg" if the failure is observed, but the
            > > reason is not more apparent.
            >
            > I tried it many times, but I can't produce that SSL error. I always get the
            > following:
            >
            > # openssl s_client -starttls smtp -state -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
            > CONNECTED(00000003)
            > SSL_connect:before/connect initialization
            > SSL_connect:SSLv2/v3 write client hello A
            > SSL_connect:SSLv3 read server hello A
            > SSL_connect:SSLv3 read server key exchange A
            > SSL_connect:SSLv3 read server done A
            > SSL_connect:SSLv3 write client key exchange A
            > SSL_connect:SSLv3 write change cipher spec A
            > SSL_connect:SSLv3 write finished A
            > SSL_connect:SSLv3 flush data
            > SSL_connect:SSLv3 read finished A
            > ---
            > New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA

            Good, now we're getting the same ciphersuite as with Postfix. Try
            again with SSLv2 disabled, which will enable TLS extensions.

            # openssl s_client -no_ssl2 -starttls smtp -state \
            -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25

            Try a few times and report the results. Session re-use may be a factor
            in this so you may need to enable session caching in s_client, so if the
            above does not trigger any problems, try with:

            # openssl s_client -reconnect -no_ssl2 -starttls smtp \
            -state -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25

            This may explain why Postfix connections sometimes succeed and fail
            at other times (perhaps even alternate between success and failure),
            when handshakes fail, the associated session is flushed from the cache.

            What O/S is the server running? Does it have OpenSSL-0.9.9-dev?

            --
            Viktor.
          • Stefan Jakobs
            ... OK, next try. See attachment. ... SUSE Enterprise Linux 11 SP2 [...] ... $ openssl s_client -no_ssl2 -starttls smtp -state -cipher ALL:+RC4:@STRENGTH
            Message 5 of 10 , Jul 11, 2013
            • 0 Attachment
              Am Mittwoch, 10. Juli 2013, 18:32:32 schrieb Viktor Dukhovni:
              > On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote:
              > > I attached a full trace with a successful TLS session, an unsuccessful TLS
              > > session and the following fallback to a clear session.
              > > The trace looks wrong. I'm not sure I decrypted it proper.
              >
              > The capture file includes only the packets to the SMTP server, none
              > of the replies. So this is not usable. Please capture both sides
              > of the traffic. If on a multi-homed host, set smtp_bind_address
              > to the IP address of the interface on which the reply packets will
              > return.

              OK, next try. See attachment.

              > > > OpenSSL on your client seems to be 0.9.8, can you report which
              > > > version?
              > >
              > > Yes, you're right. It is: openssl-0.9.8j
              >
              > This has additional patches from your distribution. What O/S are you
              > running?

              SUSE Enterprise Linux 11 SP2

              [...]
              >
              > Good, now we're getting the same ciphersuite as with Postfix. Try
              > again with SSLv2 disabled, which will enable TLS extensions.
              >
              > # openssl s_client -no_ssl2 -starttls smtp -state \
              > -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
              >
              > Try a few times and report the results. Session re-use may be a factor
              > in this so you may need to enable session caching in s_client, so if the
              > above does not trigger any problems, try with:
              >
              > # openssl s_client -reconnect -no_ssl2 -starttls smtp \
              > -state -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
              >
              > This may explain why Postfix connections sometimes succeed and fail
              > at other times (perhaps even alternate between success and failure),
              > when handshakes fail, the associated session is flushed from the cache.

              $ openssl s_client -no_ssl2 -starttls smtp -state -cipher \
              "ALL:+RC4:@STRENGTH" -connect server.example.com:25
              CONNECTED(00000003)
              SSL_connect:before/connect initialization
              SSL_connect:SSLv2/v3 write client hello A
              SSL_connect:SSLv3 read server hello A
              SSL_connect:SSLv3 read server key exchange A
              SSL_connect:SSLv3 read server done A
              SSL_connect:SSLv3 write client key exchange A
              SSL_connect:SSLv3 write change cipher spec A
              SSL_connect:SSLv3 write finished A
              SSL_connect:SSLv3 flush data
              SSL_connect:SSLv3 read server session ticket A
              SSL_connect:SSLv3 read finished A
              ---
              no peer certificate available
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 809 bytes and written 357 bytes
              ---
              New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
              Secure Renegotiation IS supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
              Protocol : TLSv1
              Cipher : ADH-CAMELLIA256-SHA
              Session-ID:
              529930B248631D96104E50F76D4AAF7FCFD8E5124544B833269EE5DFC09344A8
              Session-ID-ctx:
              Master-Key:
              C33D50C6779F9BCD8B0C0E65C2721C14C6ADAEBCFC515E6D5142D76B69A9C288C094E864DEBC7E26E2B7EC9483058DC3
              Key-Arg : None
              TLS session ticket lifetime hint: 3600 (seconds)
              TLS session ticket:
              0000 - 96 b2 04 fd 61 08 c8 84-6c 9a b7 1f 1a 72 ce c7 ....a...l....r..
              0010 - e8 10 16 bc b8 df a3 3a-df b8 07 89 e6 9d 35 2f .......:......5/
              0020 - 6e 57 7f ec 00 c8 9e 46-61 78 17 b0 21 fa e9 f4 nW.....Fax..!...
              0030 - d7 e1 e3 78 7c 90 f6 29-91 52 7b aa 85 e3 d4 d0 ...x|..).R{.....
              0040 - 85 5e 35 9f 00 80 d1 4b-ef f9 36 7c 78 07 d3 6e .^5....K..6|x..n
              0050 - bb 84 5c 5c 8c 95 e8 87-01 19 4b 86 b7 ef 39 3b ..\\......K...9;
              0060 - 16 fc 63 ab 80 8b d7 e1-6a 2a 82 41 36 c0 7f e7 ..c.....j*.A6...
              0070 - 50 14 53 52 66 45 64 80-05 7e c4 1e 68 86 ed 03 P.SRfEd..~..h...
              0080 - a9 24 eb 7c c0 34 35 cc-de 3a 48 b6 5b dd 9c d0 .$.|.45..:H.[...
              0090 - 63 8a a8 f5 bd e2 9d 2a-3d 07 46 69 4e 95 ba e0 c......*=.FiN...

              Start Time: 1373542887
              Timeout : 300 (sec)
              Verify return code: 0 (ok)
              ---
              250 DSN
              quit
              221 2.0.0 Bye
              SSL3 alert read:warning:close notify
              closed
              SSL3 alert write:warning:close notify


              $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
              "ALL:+RC4:@STRENGTH" -connect server.example.com:25
              CONNECTED(00000003)
              SSL_connect:before/connect initialization
              SSL_connect:SSLv2/v3 write client hello A
              SSL_connect:SSLv3 read server hello A
              SSL_connect:SSLv3 read server key exchange A
              SSL_connect:SSLv3 read server done A
              SSL_connect:SSLv3 write client key exchange A
              SSL_connect:SSLv3 write change cipher spec A
              SSL_connect:SSLv3 write finished A
              SSL_connect:SSLv3 flush data
              SSL_connect:SSLv3 read server session ticket A
              SSL_connect:SSLv3 read finished A
              ---
              no peer certificate available
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 809 bytes and written 357 bytes
              ---
              New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
              Secure Renegotiation IS supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
              Protocol : TLSv1
              Cipher : ADH-CAMELLIA256-SHA
              Session-ID:
              6045DD9D47E47B91DD6B0E4794A26B770B2CBD49FC07941801FCE44B263EDD32
              Session-ID-ctx:
              Master-Key:
              F8A4F1FA9D252189FEA4ACE3CC60AA1525B3FDC84258A578D3373DC48446C50857E34F2AA7947C1BA56169A36D33ADBC
              Key-Arg : None
              TLS session ticket lifetime hint: 3600 (seconds)
              TLS session ticket:
              0000 - 96 b2 04 fd 61 08 c8 84-6c 9a b7 1f 1a 72 ce c7 ....a...l....r..
              0010 - d9 1f 0d e0 e5 cf 97 d5-cf 57 0c 74 a1 c9 ce 89 .........W.t....
              0020 - 62 2a 05 9b de c7 ac 75-22 42 be 4f 1c 08 fe 5d b*.....u"B.O...]
              0030 - 8a 6b 81 51 34 08 ae 98-07 11 4c 37 4a a7 37 58 .k.Q4.....L7J.7X
              0040 - 46 86 00 f4 11 71 82 74-df 84 b3 56 36 08 98 ed F....q.t...V6...
              0050 - d9 65 ea 27 08 3a 76 17-c8 45 9e ea cd e3 c8 fd .e.'.:v..E......
              0060 - 39 4b a0 00 38 1e 92 b8-86 c2 ef 69 cb 4d 37 84 9K..8......i.M7.
              0070 - 0c c4 83 a0 e9 06 fb 4c-41 c4 0d f6 ae d5 ac df .......LA.......
              0080 - ac 0b da 49 f7 c2 d0 89-12 f1 14 8c 3e fa 5e e3 ...I........>.^.
              0090 - 72 ea 32 35 84 81 d1 d0-09 99 a7 07 01 51 22 32 r.25.........Q"2

              Start Time: 1373542938
              Timeout : 300 (sec)
              Verify return code: 0 (ok)
              ---
              250 DSN
              drop connection and then reconnect
              SSL3 alert write:warning:close notify
              CONNECTED(00000003)
              SSL_connect:before/connect initialization
              SSL_connect:SSLv3 write client hello A
              SSL3 alert write:fatal:protocol version
              SSL_connect:error in SSLv3 read server hello A
              13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
              number:s3_pkt.c:281:

              $ openssl s_client -reconnect -starttls smtp -state -cipher \
              "ALL:+RC4:@STRENGTH" -connect server.example.com:25
              CONNECTED(00000003)
              SSL_connect:before/connect initialization
              SSL_connect:SSLv2/v3 write client hello A
              SSL_connect:SSLv3 read server hello A
              SSL_connect:SSLv3 read server key exchange A
              SSL_connect:SSLv3 read server done A
              SSL_connect:SSLv3 write client key exchange A
              SSL_connect:SSLv3 write change cipher spec A
              SSL_connect:SSLv3 write finished A
              SSL_connect:SSLv3 flush data
              SSL_connect:SSLv3 read finished A
              ---
              no peer certificate available
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 662 bytes and written 399 bytes
              ---
              New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
              Secure Renegotiation IS supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
              Protocol : TLSv1
              Cipher : ADH-CAMELLIA256-SHA
              Session-ID:
              D8F5612DC8223BD03F59499CA8FD077ECD114B0C5789C539FD5A6CEB9F9A1157
              Session-ID-ctx:
              Master-Key:
              A787859EB40241766A031D000C6213608438B83F3DE3B607483CA6522C37ECED299526BA6A33F7C8D06D28CBE06F4489
              Key-Arg : None
              Start Time: 1373543023
              Timeout : 300 (sec)
              Verify return code: 0 (ok)
              ---
              250 DSN
              drop connection and then reconnect
              SSL3 alert write:warning:close notify
              CONNECTED(00000003)
              SSL_connect:before/connect initialization
              SSL_connect:SSLv3 write client hello A
              SSL3 alert write:fatal:protocol version
              SSL_connect:error in SSLv3 read server hello A
              13869:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
              number:s3_pkt.c:281:



              > What O/S is the server running? Does it have OpenSSL-0.9.9-dev?

              Ubuntu 12.04 LTS
              libssl1.0.0 1.0.1-4ubunu5.10
              openssl 1.0.1-4ubuntu5.10

              Thanks for your help.
              Best regards.
              Stefan
            • Viktor Dukhovni
              ... Unfortunately, the reconnect code in s_client (at least with 0.9.8j) forgets to do SMTP STARTTLS , so this fails because 220 hostname is not an SSL
              Message 6 of 10 , Jul 11, 2013
              • 0 Attachment
                On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:

                > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
                > "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                > 250 DSN
                > drop connection and then reconnect
                > SSL3 alert write:warning:close notify
                > CONNECTED(00000003)
                > SSL_connect:before/connect initialization
                > SSL_connect:SSLv3 write client hello A
                > SSL3 alert write:fatal:protocol version
                > SSL_connect:error in SSLv3 read server hello A
                > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                > number:s3_pkt.c:281:

                Unfortunately, the "reconnect" code in s_client (at least with
                0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                "220 hostname" is not an SSL server HELO.

                A better diagnostic utility is available with the latest Postfix
                2.11 snapshot. You don't need to install it (no need to upgrade
                to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
                support and run:

                ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
                "[status.rus.uni-stuttgart.de]"

                This will report more useful results.

                > > What O/S is the server running? Does it have OpenSSL-0.9.9-dev?
                >
                > Ubuntu 12.04 LTS
                > libssl1.0.0 1.0.1-4ubunu5.10
                > openssl 1.0.1-4ubuntu5.10

                I don't see anything wrong with the server's response in the packet
                capture, it does however send a session ticket, perhaps this gives
                0.9.8j indigestion. It is however possible that something subtle

                Since your Postfix client does not disable SSLv2 (it really should),
                initial handshakes can't use TLS extensions, and so the server
                sends no session tickets. With resumed sessions, the client
                indicates session ticket support, and the server sends a session
                ticket, so this may explain why your client can't complete the
                handshake intermittently.

                Upgrading to a more recent OpenSSL release on the client is highly
                recommended, probably 0.9.8y to maintain binary compatibility with
                0.9.8j. You could also compile and link Postfix with OpenSSL
                1.0.1e, installed in some suitable location where its header files
                won't get in the way of other applications that should be linked
                with 0.9.8* (can't say 0.9.8x for a generic patch, that's an actual
                release).

                The simplest work-around for the problem is to disable TLSv1 on
                your 0.9.8j machine, since it seems to not handle the session
                ticket extension correctly. This is not a long-term fix, you
                really should upgrade to 0.9.8y or later, which likely does not
                have this problem.

                main.cf:
                # Disable SSLv2 and TLSv1, the latter until session ticket
                # support works in the local SSL library.
                #
                smtp_tls_protocols = !SSLv2, !TLSv1
                smtp_tls_mandatory_protocols = !SSLv2, !TLSv1

                --
                Viktor.
              • Viktor Dukhovni
                ... Fix reported in 2008, not yet applied: https://rt.openssl.org/Ticket/Display.html?id=1766&user=guest&pass=guest I ve posted a further simplified patch to
                Message 7 of 10 , Jul 11, 2013
                • 0 Attachment
                  On Thu, Jul 11, 2013 at 01:48:01PM +0000, Viktor Dukhovni wrote:

                  > Unfortunately, the "reconnect" code in s_client (at least with
                  > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                  > "220 hostname" is not an SSL server HELO.

                  Fix reported in 2008, not yet applied:

                  https://rt.openssl.org/Ticket/Display.html?id=1766&user=guest&pass=guest

                  I've posted a further simplified patch to openssl-users, perhaps it will
                  be adopted this time (in the next iteration of 1.0.1, ...).

                  --
                  Viktor.
                • Stefan Jakobs
                  ... $ posttls-finger -p -lmay -Lsummary,cache,debug -r 1 [aa.bb.cc.dd] posttls-finger: initializing the client-side TLS engine posttls-finger: Connected
                  Message 8 of 10 , Jul 11, 2013
                  • 0 Attachment
                    Viktor Dukhovni wrote:
                    > On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:
                    > > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
                    > >
                    > > "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                    > >
                    > > 250 DSN
                    > > drop connection and then reconnect
                    > > SSL3 alert write:warning:close notify
                    > > CONNECTED(00000003)
                    > > SSL_connect:before/connect initialization
                    > > SSL_connect:SSLv3 write client hello A
                    > > SSL3 alert write:fatal:protocol version
                    > > SSL_connect:error in SSLv3 read server hello A
                    > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                    >
                    > > number:s3_pkt.c:281:
                    > Unfortunately, the "reconnect" code in s_client (at least with
                    > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                    > "220 hostname" is not an SSL server HELO.
                    >
                    > A better diagnostic utility is available with the latest Postfix
                    > 2.11 snapshot. You don't need to install it (no need to upgrade
                    > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
                    > support and run:
                    >
                    > ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
                    > "[server.example.com]"
                    >
                    > This will report more useful results.

                    $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
                    posttls-finger: initializing the client-side TLS engine
                    posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
                    posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                    posttls-finger: > EHLO client.example.com
                    posttls-finger: < 250-server.example.com
                    posttls-finger: < 250-PIPELINING
                    posttls-finger: < 250-SIZE 10240000
                    posttls-finger: < 250-VRFY
                    posttls-finger: < 250-ETRN
                    posttls-finger: < 250-STARTTLS
                    posttls-finger: < 250-ENHANCEDSTATUSCODES
                    posttls-finger: < 250-8BITMIME
                    posttls-finger: < 250 DSN
                    posttls-finger: > STARTTLS
                    posttls-finger: < 220 2.0.0 Ready to start TLS
                    posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
                    posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list
                    "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
                    posttls-finger: looking for session
                    [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                    in memory cache
                    posttls-finger: SSL_connect:before/connect initialization
                    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
                    posttls-finger: SSL_connect:SSLv3 read server hello A
                    posttls-finger: SSL_connect:SSLv3 read server key exchange A
                    posttls-finger: SSL_connect:SSLv3 read server done A
                    posttls-finger: SSL_connect:SSLv3 write client key exchange A
                    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
                    posttls-finger: SSL_connect:SSLv3 write finished A
                    posttls-finger: SSL_connect:SSLv3 flush data
                    posttls-finger: SSL_connect:SSLv3 read finished A
                    posttls-finger: save session
                    [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                    to memory cache
                    posttls-finger: Untrusted TLS connection established to
                    aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256
                    bits)
                    posttls-finger: > EHLO client.example.com
                    posttls-finger: < 250-server.example.com
                    posttls-finger: < 250-PIPELINING
                    posttls-finger: < 250-SIZE 10240000
                    posttls-finger: < 250-VRFY
                    posttls-finger: < 250-ETRN
                    posttls-finger: < 250-ENHANCEDSTATUSCODES
                    posttls-finger: < 250-8BITMIME
                    posttls-finger: < 250 DSN
                    posttls-finger: Server is anonymous
                    posttls-finger: > QUIT
                    posttls-finger: < 221 2.0.0 Bye
                    posttls-finger: Reconnecting after 1 seconds
                    posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                    posttls-finger: looking for session
                    [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                    in memory cache
                    posttls-finger: reloaded session
                    [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                    from memory cache
                    posttls-finger: SSL_connect:before/connect initialization
                    posttls-finger: SSL_connect:SSLv3 write client hello A
                    posttls-finger: SSL_connect:SSLv3 read server hello A
                    posttls-finger: SSL3 alert write:fatal:unexpected_message
                    posttls-finger: SSL_connect:error in SSLv3 read finished A
                    posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
                    posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
                    routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
                    posttls-finger: remove session
                    [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                    from client cache

                    [...]

                    > The simplest work-around for the problem is to disable TLSv1 on
                    > your 0.9.8j machine, since it seems to not handle the session
                    > ticket extension correctly. This is not a long-term fix, you
                    > really should upgrade to 0.9.8y or later, which likely does not
                    > have this problem.
                    >
                    > main.cf:
                    > # Disable SSLv2 and TLSv1, the latter until session ticket
                    > # support works in the local SSL library.
                    > #
                    > smtp_tls_protocols = !SSLv2, !TLSv1
                    > smtp_tls_mandatory_protocols = !SSLv2, !TLSv1

                    I would assume that I can test it with s_client:

                    $ openssl s_client -no_ssl2 -no_tls1 -starttls smtp -state \
                    -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                    CONNECTED(00000003)
                    SSL_connect:before/connect initialization
                    SSL_connect:SSLv2/v3 write client hello A
                    SSL_connect:SSLv3 read server hello A
                    SSL_connect:SSLv3 read server key exchange A
                    SSL_connect:SSLv3 read server done A
                    SSL_connect:SSLv3 write client key exchange A
                    SSL_connect:SSLv3 write change cipher spec A
                    SSL_connect:SSLv3 write finished A
                    SSL_connect:SSLv3 flush data
                    SSL_connect:SSLv3 read finished A
                    ---
                    no peer certificate available
                    ---
                    No client certificate CA names sent
                    ---
                    SSL handshake has read 678 bytes and written 367 bytes
                    ---
                    New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
                    Secure Renegotiation IS supported
                    Compression: NONE
                    Expansion: NONE
                    SSL-Session:
                    Protocol : SSLv3
                    Cipher : ADH-CAMELLIA256-SHA
                    Session-ID:
                    5571064B85701985126070CC097D5A60F6FBBD734A6F8F26615201AE0C814E1B
                    Session-ID-ctx:
                    Master-Key:
                    11CFEC1AD95BF4EA508C89E42147C9292F29F9E3630654818B99FADD349A6C9D64419A6802A09345A4008FA0F0180372
                    Key-Arg : None
                    Start Time: 1373554327
                    Timeout : 300 (sec)
                    Verify return code: 0 (ok)
                    ---
                    250 DSN
                    quit
                    221 2.0.0 Bye
                    SSL3 alert read:warning:close notify
                    closed
                    SSL3 alert write:warning:close notify

                    $ openssl s_client -no_ssl2 -no_tls1 -reconnect -starttls smtp -state \
                    -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                    CONNECTED(00000003)
                    SSL_connect:before/connect initialization
                    SSL_connect:SSLv2/v3 write client hello A
                    SSL_connect:SSLv3 read server hello A
                    SSL_connect:SSLv3 read server key exchange A
                    SSL_connect:SSLv3 read server done A
                    SSL_connect:SSLv3 write client key exchange A
                    SSL_connect:SSLv3 write change cipher spec A
                    SSL_connect:SSLv3 write finished A
                    SSL_connect:SSLv3 flush data
                    SSL_connect:SSLv3 read finished A
                    ---
                    no peer certificate available
                    ---
                    No client certificate CA names sent
                    ---
                    SSL handshake has read 678 bytes and written 367 bytes
                    ---
                    New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
                    Secure Renegotiation IS supported
                    Compression: NONE
                    Expansion: NONE
                    SSL-Session:
                    Protocol : SSLv3
                    Cipher : ADH-CAMELLIA256-SHA
                    Session-ID:
                    5D7EA9F0C04B877E3AAFBEB75A12DAF4012693344BBBB5624DD3C1DC3836C34C
                    Session-ID-ctx:
                    Master-Key:
                    E6CF20A96E3C6C9800825897A09B06F37F03B06454A6BF8ADEE3935BE9FA0B1B2085EA919D07AFB167588FF042D70810
                    Key-Arg : None
                    Start Time: 1373554331
                    Timeout : 300 (sec)
                    Verify return code: 0 (ok)
                    ---
                    250 DSN
                    drop connection and then reconnect
                    SSL3 alert write:warning:close notify
                    CONNECTED(00000003)
                    SSL_connect:before/connect initialization
                    SSL_connect:SSLv3 write client hello A
                    SSL3 alert write:fatal:handshake failure
                    SSL_connect:error in SSLv3 read server hello A
                    21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                    number:s3_pkt.c:281:


                    But, there's still the error.

                    Best regards
                    Stefan
                  • Viktor Dukhovni
                    ... This tells the whole story, the client does not expect to see a session ticket with a resumed session, it expectts finished instead. It is I believe
                    Message 9 of 10 , Jul 11, 2013
                    • 0 Attachment
                      On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:

                      > > > SSL_connect:error in SSLv3 read server hello A
                      > > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                      > >
                      > > > number:s3_pkt.c:281:
                      > >
                      > > Unfortunately, the "reconnect" code in s_client (at least with
                      > > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                      > > "220 hostname" is not an SSL server HELO.
                      > >
                      > > A better diagnostic utility is available with the latest Postfix
                      > > 2.11 snapshot. You don't need to install it (no need to upgrade
                      > > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
                      > > support and run:
                      > >
                      > > ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
                      > > "[server.example.com]"
                      > >
                      > > This will report more useful results.
                      >
                      > $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
                      > posttls-finger: initializing the client-side TLS engine
                      > posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
                      > posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                      > posttls-finger: > STARTTLS
                      > posttls-finger: < 220 2.0.0 Ready to start TLS
                      > posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
                      > posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
                      > posttls-finger: SSL_connect:before/connect initialization
                      > posttls-finger: SSL_connect:SSLv2/v3 write client hello A
                      > posttls-finger: SSL_connect:SSLv3 read server hello A
                      > posttls-finger: SSL_connect:SSLv3 read server key exchange A
                      > posttls-finger: SSL_connect:SSLv3 read server done A
                      > posttls-finger: SSL_connect:SSLv3 write client key exchange A
                      > posttls-finger: SSL_connect:SSLv3 write change cipher spec A
                      > posttls-finger: SSL_connect:SSLv3 write finished A
                      > posttls-finger: SSL_connect:SSLv3 flush data
                      > posttls-finger: SSL_connect:SSLv3 read finished A
                      > posttls-finger: save session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 to memory cache
                      > posttls-finger: Untrusted TLS connection established to
                      > aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
                      > posttls-finger: Reconnecting after 1 seconds
                      > posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                      > posttls-finger: looking for session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 in memory cache
                      > posttls-finger: reloaded session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 from memory cache
                      > posttls-finger: SSL_connect:before/connect initialization
                      > posttls-finger: SSL_connect:SSLv3 write client hello A
                      > posttls-finger: SSL_connect:SSLv3 read server hello A
                      > posttls-finger: SSL3 alert write:fatal:unexpected_message
                      > posttls-finger: SSL_connect:error in SSLv3 read finished A
                      > posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
                      > posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
                      > routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
                      > posttls-finger: remove session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 from client cache

                      This tells the whole story, the client does not expect to see a
                      session ticket with a resumed session, it expectts "finished"
                      instead. It is I believe valid for a server to return a session
                      ticket even with a resumed session.

                      So 0.9.8j does not implement session tickets correctly. With Postfix
                      2.11 you can add:

                      tls_ssl_options = NO_TICKET

                      to main.cf to work-around this specific problem, without disabling
                      TLSv1, but I would upgrade to the latest OpenSSL release instead.
                      Install an updated OpenSSL library from SuSE.

                      > > The simplest work-around for the problem is to disable TLSv1 on
                      > > your 0.9.8j machine, since it seems to not handle the session
                      > > ticket extension correctly. This is not a long-term fix, you
                      > > really should upgrade to 0.9.8y or later, which likely does not
                      > > have this problem.
                      > >
                      > > main.cf:
                      > > # Disable SSLv2 and TLSv1, the latter until session ticket
                      > > # support works in the local SSL library.
                      > > #
                      > > smtp_tls_protocols = !SSLv2, !TLSv1
                      > > smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
                      >
                      > I would assume that I can test it with s_client:

                      I will repeat myself (text you quoted in your reply):

                      > > Unfortunately, the "reconnect" code in s_client (at least with
                      > > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                      > > "220 hostname" is not an SSL server HELO.

                      Therefore, no, you can't test this with an unpatched s_client(1).

                      > drop connection and then reconnect

                      Because reconnect is broken with starttls.

                      > SSL3 alert write:warning:close notify
                      > CONNECTED(00000003)
                      > SSL_connect:before/connect initialization
                      > SSL_connect:SSLv3 write client hello A
                      > SSL3 alert write:fatal:handshake failure
                      > SSL_connect:error in SSLv3 read server hello A
                      > 21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                      > number:s3_pkt.c:281:
                      >
                      > But, there's still the error.

                      As expected.

                      --
                      Viktor.
                    Your message has been successfully submitted and would be delivered to recipients shortly.