Re: SSL3_GET_MESSAGE:unexpected message

  • Stefan Jakobs
    Message 1 of 10 , Jul 10, 2013
      Viktor Dukhovni wrote:
      > On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote:
      > > postfix/smtp[8106]: setting up TLS connection to
      > > server.example.com[a.b.c.d]:25
      > > postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
      > > postfix/smtp[8106]: warning: TLS library problem:
      > > 8106:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected
      > > message:s3_both.c:463:
      > If this server is on the public Internet and if at all possible,
      > please post its IP address. Otherwise you'll have to do most of
      > the sleuthing on your own.

      Unfortunately this server is not on public internet.

      > The client received an unexpected handshake message. You need to
      > obtain a full packet PCAP capture of the session, and decode it
      > as SSL via wireshark or similar. That may tell you what's unusual
      > about the server's response.

      I attached a full trace with a successful TLS session, an unsuccessful TLS
      session and the following fallback to a clear session.
      The trace looks wrong. I'm not sure I decrypted it properly.

      > OpenSSL on your client seems to be 0.9.8, can you report which
      > version?

      Yes, you're right. It is: openssl-0.9.8j

      > > But there are also logs which say that it works:
      > >
      > > postfix/smtp[4527]: setting up TLS connection to
      > > server.example.com[a.b.c.d]:25
      > > postfix/smtp[4527]: Untrusted TLS connection established to
      > > server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA
      > > (256/256 bits)
      >
      > Rather odd that CAMELLIA got chosen over AES.
      >
      > > Connecting with s_client results in the following:
      > > # openssl s_client -starttls smtp -verify 10 -connect
      > > server.example.com:25
      > >
      > > SSL-Session:
      > > Protocol : TLSv1
      > > Cipher : DHE-RSA-AES256-SHA
      > > Session-ID: ...
      > > Session-ID-ctx:
      > > Master-Key: ...
      > > Key-Arg : None
      > > Start Time: 1373378631
      > > Timeout : 300 (sec)
      > > Verify return code: 18 (self signed certificate)
      >
      > What happens when you use the Postfix client cipherlist?
      >
      > ALL:+RC4:@STRENGTH
      >
      > # openssl s_client -state -cipher "ALL:+RC4:@STRENGTH" \
      > -starttls smtp -connect server.example.com:25
      >
      > Try it a few times, ... add "-msg" if the failure is observed, but the
      > reason is not more apparent.

      I tried it many times, but I can't produce that SSL error. I always get the
      following:

      # openssl s_client -starttls smtp -state -cipher "ALL:+RC4:@STRENGTH" -connect
      server.example.com:25
      CONNECTED(00000003)
      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      SSL_connect:SSLv3 read server hello A
      SSL_connect:SSLv3 read server key exchange A
      SSL_connect:SSLv3 read server done A
      SSL_connect:SSLv3 write client key exchange A
      SSL_connect:SSLv3 write change cipher spec A
      SSL_connect:SSLv3 write finished A
      SSL_connect:SSLv3 flush data
      SSL_connect:SSLv3 read finished A
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 662 bytes and written 399 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
      Protocol : TLSv1
      Cipher : ADH-CAMELLIA256-SHA
      Session-ID:
      A69CEAAEC18CB1D2BBCDB0AA464A4A9B850A706F84FC1DCFF6C9073833F2E24D
      Session-ID-ctx:
      Master-Key:
      53109E2701F7A9BF21D95747ECD17EFFAFFC7D9E8ADFA5A63DED08293C0320897C15A35E6566FB9B776D29F78ADDCF4F
      Key-Arg : None
      Start Time: 1373469498
      Timeout : 300 (sec)
      Verify return code: 0 (ok)
      ---
      250 DSN

      BTW: server.example.com uses a self-signed snake-oil certificate.

      Thanks for your help.
      Best regards
      Stefan
    • Viktor Dukhovni
      Message 2 of 10 , Jul 10, 2013
        On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote:

        > I attached a full trace with a successful TLS session, an unsuccessful TLS
        > session and the following fallback to a clear session.
        > The trace looks wrong. I'm not sure I decrypted it properly.

        The capture file includes only the packets to the SMTP server, none
        of the replies. So this is not usable. Please capture both sides
        of the traffic. If on a multi-homed host, set smtp_bind_address
        to the IP address of the interface on which the reply packets will
        return.

        > > OpenSSL on your client seems to be 0.9.8, can you report which
        > > version?
        >
        > Yes, you're right. It is: openssl-0.9.8j

        This has additional patches from your distribution. What O/S are you
        running?

        > > > postfix/smtp[4527]: Untrusted TLS connection established to
        > > > server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA
        > > > (256/256 bits)
        > >
        > > Rather odd that CAMELLIA got chosen over AES.
        > >
        > > What happens when you use the Postfix client cipherlist?
        > >
        > > ALL:+RC4:@STRENGTH
        > >
        > > # openssl s_client -state -cipher "ALL:+RC4:@STRENGTH" \
        > > -starttls smtp -connect server.example.com:25
        > >
        > > Try it a few times, ... add "-msg" if the failure is observed, but the
        > > reason is not more apparent.
        >
        > I tried it many times, but I can't produce that SSL error. I always get the
        > following:
        >
        > # openssl s_client -starttls smtp -state -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
        > CONNECTED(00000003)
        > SSL_connect:before/connect initialization
        > SSL_connect:SSLv2/v3 write client hello A
        > SSL_connect:SSLv3 read server hello A
        > SSL_connect:SSLv3 read server key exchange A
        > SSL_connect:SSLv3 read server done A
        > SSL_connect:SSLv3 write client key exchange A
        > SSL_connect:SSLv3 write change cipher spec A
        > SSL_connect:SSLv3 write finished A
        > SSL_connect:SSLv3 flush data
        > SSL_connect:SSLv3 read finished A
        > ---
        > New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA

        Good, now we're getting the same ciphersuite as with Postfix. Try
        again with SSLv2 disabled, which will enable TLS extensions.

        # openssl s_client -no_ssl2 -starttls smtp -state \
        -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25

        Try a few times and report the results. Session re-use may be a factor
        in this so you may need to enable session caching in s_client, so if the
        above does not trigger any problems, try with:

        # openssl s_client -reconnect -no_ssl2 -starttls smtp \
        -state -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25

        This may explain why Postfix connections sometimes succeed and fail
        at other times (perhaps even alternate between success and failure),
        when handshakes fail, the associated session is flushed from the cache.

        What O/S is the server running? Does it have OpenSSL-0.9.9-dev?

        --
        Viktor.
      • Stefan Jakobs
        Message 3 of 10 , Jul 11, 2013
          Am Mittwoch, 10. Juli 2013, 18:32:32 schrieb Viktor Dukhovni:
          > On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote:
          > > I attached a full trace with a successful TLS session, an unsuccessful TLS
          > > session and the following fallback to a clear session.
          > > The trace looks wrong. I'm not sure I decrypted it properly.
          >
          > The capture file includes only the packets to the SMTP server, none
          > of the replies. So this is not usable. Please capture both sides
          > of the traffic. If on a multi-homed host, set smtp_bind_address
          > to the IP address of the interface on which the reply packets will
          > return.

          OK, next try. See attachment.

          > > > OpenSSL on your client seems to be 0.9.8, can you report which
          > > > version?
          > >
          > > Yes, you're right. It is: openssl-0.9.8j
          >
          > This has additional patches from your distribution. What O/S are you
          > running?

          SUSE Enterprise Linux 11 SP2

          [...]
          >
          > Good, now we're getting the same ciphersuite as with Postfix. Try
          > again with SSLv2 disabled, which will enable TLS extensions.
          >
          > # openssl s_client -no_ssl2 -starttls smtp -state \
          > -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
          >
          > Try a few times and report the results. Session re-use may be a factor
          > in this so you may need to enable session caching in s_client, so if the
          > above does not trigger any problems, try with:
          >
          > # openssl s_client -reconnect -no_ssl2 -starttls smtp \
          > -state -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
          >
          > This may explain why Postfix connections sometimes succeed and fail
          > at other times (perhaps even alternate between success and failure),
          > when handshakes fail, the associated session is flushed from the cache.

          $ openssl s_client -no_ssl2 -starttls smtp -state -cipher \
          "ALL:+RC4:@STRENGTH" -connect server.example.com:25
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:SSLv2/v3 write client hello A
          SSL_connect:SSLv3 read server hello A
          SSL_connect:SSLv3 read server key exchange A
          SSL_connect:SSLv3 read server done A
          SSL_connect:SSLv3 write client key exchange A
          SSL_connect:SSLv3 write change cipher spec A
          SSL_connect:SSLv3 write finished A
          SSL_connect:SSLv3 flush data
          SSL_connect:SSLv3 read server session ticket A
          SSL_connect:SSLv3 read finished A
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 809 bytes and written 357 bytes
          ---
          New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
          Secure Renegotiation IS supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
          Protocol : TLSv1
          Cipher : ADH-CAMELLIA256-SHA
          Session-ID:
          529930B248631D96104E50F76D4AAF7FCFD8E5124544B833269EE5DFC09344A8
          Session-ID-ctx:
          Master-Key:
          C33D50C6779F9BCD8B0C0E65C2721C14C6ADAEBCFC515E6D5142D76B69A9C288C094E864DEBC7E26E2B7EC9483058DC3
          Key-Arg : None
          TLS session ticket lifetime hint: 3600 (seconds)
          TLS session ticket:

          Start Time: 1373542887
          Timeout : 300 (sec)
          Verify return code: 0 (ok)
          ---
          250 DSN
          quit
          221 2.0.0 Bye
          SSL3 alert read:warning:close notify
          closed
          SSL3 alert write:warning:close notify


          $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
          "ALL:+RC4:@STRENGTH" -connect server.example.com:25
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:SSLv2/v3 write client hello A
          SSL_connect:SSLv3 read server hello A
          SSL_connect:SSLv3 read server key exchange A
          SSL_connect:SSLv3 read server done A
          SSL_connect:SSLv3 write client key exchange A
          SSL_connect:SSLv3 write change cipher spec A
          SSL_connect:SSLv3 write finished A
          SSL_connect:SSLv3 flush data
          SSL_connect:SSLv3 read server session ticket A
          SSL_connect:SSLv3 read finished A
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 809 bytes and written 357 bytes
          ---
          New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
          Secure Renegotiation IS supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
          Protocol : TLSv1
          Cipher : ADH-CAMELLIA256-SHA
          Session-ID:
          6045DD9D47E47B91DD6B0E4794A26B770B2CBD49FC07941801FCE44B263EDD32
          Session-ID-ctx:
          Master-Key:
          F8A4F1FA9D252189FEA4ACE3CC60AA1525B3FDC84258A578D3373DC48446C50857E34F2AA7947C1BA56169A36D33ADBC
          Key-Arg : None
          TLS session ticket lifetime hint: 3600 (seconds)
          TLS session ticket:

          Start Time: 1373542938
          Timeout : 300 (sec)
          Verify return code: 0 (ok)
          ---
          250 DSN
          drop connection and then reconnect
          SSL3 alert write:warning:close notify
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:SSLv3 write client hello A
          SSL3 alert write:fatal:protocol version
          SSL_connect:error in SSLv3 read server hello A
          13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
          number:s3_pkt.c:281:

          $ openssl s_client -reconnect -starttls smtp -state -cipher \
          "ALL:+RC4:@STRENGTH" -connect server.example.com:25
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:SSLv2/v3 write client hello A
          SSL_connect:SSLv3 read server hello A
          SSL_connect:SSLv3 read server key exchange A
          SSL_connect:SSLv3 read server done A
          SSL_connect:SSLv3 write client key exchange A
          SSL_connect:SSLv3 write change cipher spec A
          SSL_connect:SSLv3 write finished A
          SSL_connect:SSLv3 flush data
          SSL_connect:SSLv3 read finished A
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 662 bytes and written 399 bytes
          ---
          New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
          Secure Renegotiation IS supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
          Protocol : TLSv1
          Cipher : ADH-CAMELLIA256-SHA
          Session-ID:
          D8F5612DC8223BD03F59499CA8FD077ECD114B0C5789C539FD5A6CEB9F9A1157
          Session-ID-ctx:
          Master-Key:
          A787859EB40241766A031D000C6213608438B83F3DE3B607483CA6522C37ECED299526BA6A33F7C8D06D28CBE06F4489
          Key-Arg : None
          Start Time: 1373543023
          Timeout : 300 (sec)
          Verify return code: 0 (ok)
          ---
          250 DSN
          drop connection and then reconnect
          SSL3 alert write:warning:close notify
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:SSLv3 write client hello A
          SSL3 alert write:fatal:protocol version
          SSL_connect:error in SSLv3 read server hello A
          13869:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
          number:s3_pkt.c:281:



          > What O/S is the server running? Does it have OpenSSL-0.9.9-dev?

          Ubuntu 12.04 LTS
          libssl1.0.0 1.0.1-4ubunu5.10
          openssl 1.0.1-4ubuntu5.10

          Thanks for your help.
          Best regards.
          Stefan
        • Viktor Dukhovni
          Message 4 of 10 , Jul 11, 2013
            On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:

            > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
            > "ALL:+RC4:@STRENGTH" -connect server.example.com:25
            > 250 DSN
            > drop connection and then reconnect
            > SSL3 alert write:warning:close notify
            > CONNECTED(00000003)
            > SSL_connect:before/connect initialization
            > SSL_connect:SSLv3 write client hello A
            > SSL3 alert write:fatal:protocol version
            > SSL_connect:error in SSLv3 read server hello A
            > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
            > number:s3_pkt.c:281:

            Unfortunately, the "reconnect" code in s_client (at least with
            0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
            "220 hostname" is not an SSL server HELO.

            A better diagnostic utility is available with the latest Postfix
            2.11 snapshot. You don't need to install it (no need to upgrade
            to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
            support and run:

            ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
            "[status.rus.uni-stuttgart.de]"

            This will report more useful results.

            > > What O/S is the server running? Does it have OpenSSL-0.9.9-dev?
            >
            > Ubuntu 12.04 LTS
            > libssl1.0.0 1.0.1-4ubunu5.10
            > openssl 1.0.1-4ubuntu5.10

            I don't see anything wrong with the server's response in the packet
            capture, it does however send a session ticket, perhaps this gives
            0.9.8j indigestion. It is however possible that something subtle

            Since your Postfix client does not disable SSLv2 (it really should),
            initial handshakes can't use TLS extensions, and so the server
            sends no session tickets. With resumed sessions, the client
            indicates session ticket support, and the server sends a session
            ticket, so this may explain why your client can't complete the
            handshake intermittently.

            Upgrading to a more recent OpenSSL release on the client is highly
            recommended, probably 0.9.8y to maintain binary compatibility with
            0.9.8j. You could also compile and link Postfix with OpenSSL
            1.0.1e, installed in some suitable location where its header files
            won't get in the way of other applications that should be linked
            with 0.9.8* (can't say 0.9.8x for a generic patch, that's an actual
            release).

            The simplest work-around for the problem is to disable TLSv1 on
            your 0.9.8j machine, since it seems to not handle the session
            ticket extension correctly. This is not a long-term fix, you
            really should upgrade to 0.9.8y or later, which likely does not
            have this problem.

            main.cf:
            # Disable SSLv2 and TLSv1, the latter until session ticket
            # support works in the local SSL library.
            #
            smtp_tls_protocols = !SSLv2, !TLSv1
            smtp_tls_mandatory_protocols = !SSLv2, !TLSv1

            --
            Viktor.
          • Viktor Dukhovni
            Message 5 of 10 , Jul 11, 2013
              On Thu, Jul 11, 2013 at 01:48:01PM +0000, Viktor Dukhovni wrote:

              > Unfortunately, the "reconnect" code in s_client (at least with
              > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
              > "220 hostname" is not an SSL server HELO.

              Fix reported in 2008, not yet applied:

              https://rt.openssl.org/Ticket/Display.html?id=1766&user=guest&pass=guest

              I've posted a further simplified patch to openssl-users, perhaps it will
              be adopted this time (in the next iteration of 1.0.1, ...).

              --
              Viktor.
            • Stefan Jakobs
              Message 6 of 10 , Jul 11, 2013
                Viktor Dukhovni wrote:
                > On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:
                > > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
                > > "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                > > 250 DSN
                > > drop connection and then reconnect
                > > SSL3 alert write:warning:close notify
                > > CONNECTED(00000003)
                > > SSL_connect:before/connect initialization
                > > SSL_connect:SSLv3 write client hello A
                > > SSL3 alert write:fatal:protocol version
                > > SSL_connect:error in SSLv3 read server hello A
                > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                > > number:s3_pkt.c:281:
                >
                > Unfortunately, the "reconnect" code in s_client (at least with
                > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                > "220 hostname" is not an SSL server HELO.
                >
                > A better diagnostic utility is available with the latest Postfix
                > 2.11 snapshot. You don't need to install it (no need to upgrade
                > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
                > support and run:
                >
                > ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
                > "[server.example.com]"
                >
                > This will report more useful results.

                $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
                posttls-finger: initializing the client-side TLS engine
                posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
                posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                posttls-finger: > EHLO client.example.com
                posttls-finger: < 250-server.example.com
                posttls-finger: < 250-PIPELINING
                posttls-finger: < 250-SIZE 10240000
                posttls-finger: < 250-VRFY
                posttls-finger: < 250-ETRN
                posttls-finger: < 250-STARTTLS
                posttls-finger: < 250-ENHANCEDSTATUSCODES
                posttls-finger: < 250-8BITMIME
                posttls-finger: < 250 DSN
                posttls-finger: > STARTTLS
                posttls-finger: < 220 2.0.0 Ready to start TLS
                posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
                posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list
                "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
                posttls-finger: looking for session
                [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                in memory cache
                posttls-finger: SSL_connect:before/connect initialization
                posttls-finger: SSL_connect:SSLv2/v3 write client hello A
                posttls-finger: SSL_connect:SSLv3 read server hello A
                posttls-finger: SSL_connect:SSLv3 read server key exchange A
                posttls-finger: SSL_connect:SSLv3 read server done A
                posttls-finger: SSL_connect:SSLv3 write client key exchange A
                posttls-finger: SSL_connect:SSLv3 write change cipher spec A
                posttls-finger: SSL_connect:SSLv3 write finished A
                posttls-finger: SSL_connect:SSLv3 flush data
                posttls-finger: SSL_connect:SSLv3 read finished A
                posttls-finger: save session
                [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                to memory cache
                posttls-finger: Untrusted TLS connection established to
                aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256
                bits)
                posttls-finger: > EHLO client.example.com
                posttls-finger: < 250-server.example.com
                posttls-finger: < 250-PIPELINING
                posttls-finger: < 250-SIZE 10240000
                posttls-finger: < 250-VRFY
                posttls-finger: < 250-ETRN
                posttls-finger: < 250-ENHANCEDSTATUSCODES
                posttls-finger: < 250-8BITMIME
                posttls-finger: < 250 DSN
                posttls-finger: Server is anonymous
                posttls-finger: > QUIT
                posttls-finger: < 221 2.0.0 Bye
                posttls-finger: Reconnecting after 1 seconds
                posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                posttls-finger: looking for session
                [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                in memory cache
                posttls-finger: reloaded session
                [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                from memory cache
                posttls-finger: SSL_connect:before/connect initialization
                posttls-finger: SSL_connect:SSLv3 write client hello A
                posttls-finger: SSL_connect:SSLv3 read server hello A
                posttls-finger: SSL3 alert write:fatal:unexpected_message
                posttls-finger: SSL_connect:error in SSLv3 read finished A
                posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
                posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
                routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
                posttls-finger: remove session
                [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
                from client cache

                [...]

                > The simplest work-around for the problem is to disable TLSv1 on
                > your 0.9.8j machine, since it seems to not handle the session
                > ticket extension correctly. This is not a long-term fix, you
                > really should upgrade to 0.9.8y or later, which likely does not
                > have this problem.
                >
                > main.cf:
                > # Disable SSLv2 and TLSv1, the latter until session ticket
                > # support works in the local SSL library.
                > #
                > smtp_tls_protocols = !SSLv2, !TLSv1
                > smtp_tls_mandatory_protocols = !SSLv2, !TLSv1

                I would assume that I can test it with s_client:

                $ openssl s_client -no_ssl2 -no_tls1 -starttls smtp -state \
                -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                CONNECTED(00000003)
                SSL_connect:before/connect initialization
                SSL_connect:SSLv2/v3 write client hello A
                SSL_connect:SSLv3 read server hello A
                SSL_connect:SSLv3 read server key exchange A
                SSL_connect:SSLv3 read server done A
                SSL_connect:SSLv3 write client key exchange A
                SSL_connect:SSLv3 write change cipher spec A
                SSL_connect:SSLv3 write finished A
                SSL_connect:SSLv3 flush data
                SSL_connect:SSLv3 read finished A
                ---
                no peer certificate available
                ---
                No client certificate CA names sent
                ---
                SSL handshake has read 678 bytes and written 367 bytes
                ---
                New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
                Secure Renegotiation IS supported
                Compression: NONE
                Expansion: NONE
                SSL-Session:
                Protocol : SSLv3
                Cipher : ADH-CAMELLIA256-SHA
                Session-ID:
                5571064B85701985126070CC097D5A60F6FBBD734A6F8F26615201AE0C814E1B
                Session-ID-ctx:
                Master-Key:
                11CFEC1AD95BF4EA508C89E42147C9292F29F9E3630654818B99FADD349A6C9D64419A6802A09345A4008FA0F0180372
                Key-Arg : None
                Start Time: 1373554327
                Timeout : 300 (sec)
                Verify return code: 0 (ok)
                ---
                250 DSN
                quit
                221 2.0.0 Bye
                SSL3 alert read:warning:close notify
                closed
                SSL3 alert write:warning:close notify

                $ openssl s_client -no_ssl2 -no_tls1 -reconnect -starttls smtp -state \
                -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
                CONNECTED(00000003)
                SSL_connect:before/connect initialization
                SSL_connect:SSLv2/v3 write client hello A
                SSL_connect:SSLv3 read server hello A
                SSL_connect:SSLv3 read server key exchange A
                SSL_connect:SSLv3 read server done A
                SSL_connect:SSLv3 write client key exchange A
                SSL_connect:SSLv3 write change cipher spec A
                SSL_connect:SSLv3 write finished A
                SSL_connect:SSLv3 flush data
                SSL_connect:SSLv3 read finished A
                ---
                no peer certificate available
                ---
                No client certificate CA names sent
                ---
                SSL handshake has read 678 bytes and written 367 bytes
                ---
                New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
                Secure Renegotiation IS supported
                Compression: NONE
                Expansion: NONE
                SSL-Session:
                Protocol : SSLv3
                Cipher : ADH-CAMELLIA256-SHA
                Session-ID:
                5D7EA9F0C04B877E3AAFBEB75A12DAF4012693344BBBB5624DD3C1DC3836C34C
                Session-ID-ctx:
                Master-Key:
                E6CF20A96E3C6C9800825897A09B06F37F03B06454A6BF8ADEE3935BE9FA0B1B2085EA919D07AFB167588FF042D70810
                Key-Arg : None
                Start Time: 1373554331
                Timeout : 300 (sec)
                Verify return code: 0 (ok)
                ---
                250 DSN
                drop connection and then reconnect
                SSL3 alert write:warning:close notify
                CONNECTED(00000003)
                SSL_connect:before/connect initialization
                SSL_connect:SSLv3 write client hello A
                SSL3 alert write:fatal:handshake failure
                SSL_connect:error in SSLv3 read server hello A
                21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                number:s3_pkt.c:281:


                But, there's still the error.

                Best regards
                Stefan
              • Viktor Dukhovni
                Message 7 of 10 , Jul 11, 2013
                  On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:

                  > > > SSL_connect:error in SSLv3 read server hello A
                  > > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                  > >
                  > > > number:s3_pkt.c:281:
                  > >
                  > > Unfortunately, the "reconnect" code in s_client (at least with
                  > > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                  > > "220 hostname" is not an SSL server HELO.
                  > >
                  > > A better diagnostic utility is available with the latest Postfix
                  > > 2.11 snapshot. You don't need to install it (no need to upgrade
                  > > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
                  > > support and run:
                  > >
                  > > ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
                  > > "[server.example.com]"
                  > >
                  > > This will report more useful results.
                  >
                  > $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
                  > posttls-finger: initializing the client-side TLS engine
                  > posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
                  > posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                  > posttls-finger: > STARTTLS
                  > posttls-finger: < 220 2.0.0 Ready to start TLS
                  > posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
                  > posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
                  > posttls-finger: SSL_connect:before/connect initialization
                  > posttls-finger: SSL_connect:SSLv2/v3 write client hello A
                  > posttls-finger: SSL_connect:SSLv3 read server hello A
                  > posttls-finger: SSL_connect:SSLv3 read server key exchange A
                  > posttls-finger: SSL_connect:SSLv3 read server done A
                  > posttls-finger: SSL_connect:SSLv3 write client key exchange A
                  > posttls-finger: SSL_connect:SSLv3 write change cipher spec A
                  > posttls-finger: SSL_connect:SSLv3 write finished A
                  > posttls-finger: SSL_connect:SSLv3 flush data
                  > posttls-finger: SSL_connect:SSLv3 read finished A
                  > posttls-finger: save session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 to memory cache
                  > posttls-finger: Untrusted TLS connection established to
                  > aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
                  > posttls-finger: Reconnecting after 1 seconds
                  > posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
                  > posttls-finger: looking for session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 in memory cache
                  > posttls-finger: reloaded session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 from memory cache
                  > posttls-finger: SSL_connect:before/connect initialization
                  > posttls-finger: SSL_connect:SSLv3 write client hello A
                  > posttls-finger: SSL_connect:SSLv3 read server hello A
                  > posttls-finger: SSL3 alert write:fatal:unexpected_message
                  > posttls-finger: SSL_connect:error in SSLv3 read finished A
                  > posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
                  > posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
                  > routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
                  > posttls-finger: remove session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 from client cache

                  This tells the whole story, the client does not expect to see a
                  session ticket with a resumed session, it expects "finished"
                  instead. It is I believe valid for a server to return a session
                  ticket even with a resumed session.

                  So 0.9.8j does not implement session tickets correctly. With Postfix
                  2.11 you can add:

                  tls_ssl_options = NO_TICKET

                  to main.cf to work-around this specific problem, without disabling
                  TLSv1, but I would upgrade to the latest OpenSSL release instead.
                  Install an updated OpenSSL library from SuSE.

                  > > The simplest work-around for the problem is to disable TLSv1 on
                  > > your 0.9.8j machine, since it seems to not handle the session
                  > > ticket extension correctly. This is not a long-term fix, you
                  > > really should upgrade to 0.9.8y or later, which likely does not
                  > > have this problem.
                  > >
                  > > main.cf:
                  > > # Disable SSLv2 and TLSv1, the latter until session ticket
                  > > # support works in the local SSL library.
                  > > #
                  > > smtp_tls_protocols = !SSLv2, !TLSv1
                  > > smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
                  >
                  > I would assume that I can test it with s_client:

                  I will repeat myself (text you quoted in your reply):

                  > > Unfortunately, the "reconnect" code in s_client (at least with
                  > > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
                  > > "220 hostname" is not an SSL server HELO.

                  Therefore, no, you can't test this with an unpatched s_client(1).

                  > drop connection and then reconnect

                  Because reconnect is broken with starttls.

                  > SSL3 alert write:warning:close notify
                  > CONNECTED(00000003)
                  > SSL_connect:before/connect initialization
                  > SSL_connect:SSLv3 write client hello A
                  > SSL3 alert write:fatal:handshake failure
                  > SSL_connect:error in SSLv3 read server hello A
                  > 21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
                  > number:s3_pkt.c:281:
                  >
                  > But, there's still the error.

                  As expected.

                  --
                  Viktor.
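An added example (not part of the original messages, and not Postfix or OpenSSL code): a small Python classifier for handshake state traces like the two quoted in this thread. It separates the resumed-handshake failure at "read finished" from the s_client reconnect failure at "read server hello"; the verdict labels and the trimmed sample traces are constructed for illustration.

```python
import re
# "SSL_connect:[error in ]SSLv3 <state> A" lines and the failing OpenSSL function name.
STATE = re.compile(r"SSL_connect:(error in )?SSLv\S+ (.+) A\s*$")
FUNC = re.compile(r"SSL routines:(\w+):")

def handshakes(trace):
    """Split -state/debug output into one record per handshake attempt."""
    out = []
    for line in trace.splitlines():
        if "before/connect initialization" in line:
            out.append({"steps": [], "failed": [], "func": []})
        elif out and (m := STATE.search(line)):
            out[-1]["failed" if m.group(1) else "steps"].append(m.group(2))
        elif out and (m := FUNC.search(line)):
            out[-1]["func"].append(m.group(1))
    return out

def diagnose(trace):
    """Return one verdict string per handshake attempt."""
    verdicts = []
    for hs in handshakes(trace):
        full = "write client key exchange" in hs["steps"]
        if not hs["failed"]:
            done = {"read finished", "write finished"} <= set(hs["steps"])
            verdicts.append(("full-ok" if full else "resumed-ok") if done else "incomplete")
        elif hs["failed"] == ["read server hello"] and "SSL3_GET_RECORD" in hs["func"]:
            verdicts.append("not-tls-reply")  # reply was not a TLS record
        elif hs["failed"] == ["read finished"] and "SSL3_GET_MESSAGE" in hs["func"] and not full:
            verdicts.append("resume-unexpected-message")  # no Finished on resumption
        else:
            verdicts.append("failed:" + hs["failed"][0])
    return verdicts
# Constructed samples, trimmed from the traces quoted in this thread.
POSTTLS = """posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: SSL_connect:SSLv3 write client key exchange A
posttls-finger: SSL_connect:SSLv3 write finished A
posttls-finger: SSL_connect:SSLv3 read finished A
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: SSL3 alert write:fatal:unexpected_message
posttls-finger: SSL_connect:error in SSLv3 read finished A
posttls-finger: warning: TLS library problem: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"""
S_CLIENT = """SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:error in SSLv3 read server hello A
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"""
```

`diagnose(POSTTLS)` reports a completed full handshake followed by the failed resumption, while `diagnose(S_CLIENT)` flags the reconnect attempt as a non-TLS reply rather than a handshake problem.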