
Re: SSL3_GET_MESSAGE:unexpected message

  • Viktor Dukhovni
    Message 1 of 10 , Jul 11, 2013
      On Thu, Jul 11, 2013 at 01:48:01PM +0000, Viktor Dukhovni wrote:

      > Unfortunately, the "reconnect" code in s_client (at least with
      > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
      > "220 hostname" is not an SSL server HELO.

      Fix reported in 2008, not yet applied:

      https://rt.openssl.org/Ticket/Display.html?id=1766&user=guest&pass=guest

      I've posted a further simplified patch to openssl-users, perhaps it will
      be adopted this time (in the next iteration of 1.0.1, ...).

      --
      Viktor.
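An added illustration (not part of the original message or of OpenSSL) of why a client that skips STARTTLS after reconnecting reports a version error: it decodes the server's plaintext greeting as if it were an SSLv3/TLS record header. The function names are hypothetical; the greeting is the one shown in the traces in this thread, and the handshake header is a constructed sample.

```python
import re
import struct

# Greeting as it appears in the posttls-finger trace in this thread.
SMTP_GREETING = b"220 server.example.com ESMTP Postfix (Ubuntu)\r\n"
# Constructed sample: header of an SSLv3 handshake record
# (content type 22, version 3.0, 74-byte body).
SSL3_HANDSHAKE_HEADER = b"\x16\x03\x00\x00\x4a"

# Three-digit SMTP reply code followed by a space or a continuation hyphen.
SMTP_REPLY = re.compile(rb"^[2-5][0-9]{2}[ -]")


def parse_record_header(data: bytes) -> dict:
    """Decode the 5-byte record header: type, version major/minor, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "major": major, "minor": minor, "length": length}


def diagnose_first_bytes(data: bytes) -> str:
    """Classify the first bytes read while the client waits for ServerHello."""
    hdr = parse_record_header(data)
    # Valid record types: change_cipher_spec, alert, handshake, application_data.
    if hdr["major"] == 3 and hdr["type"] in (20, 21, 22, 23):
        return "tls-record"
    # Not a record, but it looks like an SMTP reply: the session is still
    # in plaintext, so STARTTLS was never negotiated on this connection.
    if SMTP_REPLY.match(data):
        return "plaintext-smtp-reply"
    return "not-tls"


if __name__ == "__main__":
    print(parse_record_header(SMTP_GREETING))
    print(diagnose_first_bytes(SMTP_GREETING))
    print(diagnose_first_bytes(SSL3_HANDSHAKE_HEADER))
```

The bytes "220 s" decode to content type 0x32 and version 0x32.0x30, so the major version is not 3, which is consistent with the "wrong version number" error in the s_client traces.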
    • Stefan Jakobs
      Message 2 of 10 , Jul 11, 2013
        Viktor Dukhovni wrote:
        > On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote:
        > > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \
        > > "ALL:+RC4:@STRENGTH" -connect server.example.com:25
        > >
        > > 250 DSN
        > > drop connection and then reconnect
        > > SSL3 alert write:warning:close notify
        > > CONNECTED(00000003)
        > > SSL_connect:before/connect initialization
        > > SSL_connect:SSLv3 write client hello A
        > > SSL3 alert write:fatal:protocol version
        > > SSL_connect:error in SSLv3 read server hello A
        > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
        > > number:s3_pkt.c:281:
        >
        > Unfortunately, the "reconnect" code in s_client (at least with
        > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
        > "220 hostname" is not an SSL server HELO.
        >
        > A better diagnostic utility is available with the latest Postfix
        > 2.11 snapshot. You don't need to install it (no need to upgrade
        > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
        > support and run:
        >
        > ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
        > "[server.example.com]"
        >
        > This will report more useful results.

        $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
        posttls-finger: initializing the client-side TLS engine
        posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
        posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
        posttls-finger: > EHLO client.example.com
        posttls-finger: < 250-server.example.com
        posttls-finger: < 250-PIPELINING
        posttls-finger: < 250-SIZE 10240000
        posttls-finger: < 250-VRFY
        posttls-finger: < 250-ETRN
        posttls-finger: < 250-STARTTLS
        posttls-finger: < 250-ENHANCEDSTATUSCODES
        posttls-finger: < 250-8BITMIME
        posttls-finger: < 250 DSN
        posttls-finger: > STARTTLS
        posttls-finger: < 220 2.0.0 Ready to start TLS
        posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
        posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list
        "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
        posttls-finger: looking for session
        [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
        in memory cache
        posttls-finger: SSL_connect:before/connect initialization
        posttls-finger: SSL_connect:SSLv2/v3 write client hello A
        posttls-finger: SSL_connect:SSLv3 read server hello A
        posttls-finger: SSL_connect:SSLv3 read server key exchange A
        posttls-finger: SSL_connect:SSLv3 read server done A
        posttls-finger: SSL_connect:SSLv3 write client key exchange A
        posttls-finger: SSL_connect:SSLv3 write change cipher spec A
        posttls-finger: SSL_connect:SSLv3 write finished A
        posttls-finger: SSL_connect:SSLv3 flush data
        posttls-finger: SSL_connect:SSLv3 read finished A
        posttls-finger: save session
        [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
        to memory cache
        posttls-finger: Untrusted TLS connection established to
        aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256
        bits)
        posttls-finger: > EHLO client.example.com
        posttls-finger: < 250-server.example.com
        posttls-finger: < 250-PIPELINING
        posttls-finger: < 250-SIZE 10240000
        posttls-finger: < 250-VRFY
        posttls-finger: < 250-ETRN
        posttls-finger: < 250-ENHANCEDSTATUSCODES
        posttls-finger: < 250-8BITMIME
        posttls-finger: < 250 DSN
        posttls-finger: Server is anonymous
        posttls-finger: > QUIT
        posttls-finger: < 221 2.0.0 Bye
        posttls-finger: Reconnecting after 1 seconds
        posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
        posttls-finger: looking for session
        [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
        in memory cache
        posttls-finger: reloaded session
        [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
        from memory cache
        posttls-finger: SSL_connect:before/connect initialization
        posttls-finger: SSL_connect:SSLv3 write client hello A
        posttls-finger: SSL_connect:SSLv3 read server hello A
        posttls-finger: SSL3 alert write:fatal:unexpected_message
        posttls-finger: SSL_connect:error in SSLv3 read finished A
        posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
        posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
        routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
        posttls-finger: remove session
        [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3
        from client cache

        [...]

        > The simplest work-around for the problem is to disable TLSv1 on
        > your 0.9.8j machine, since it seems to not handle the session
        > ticket extension correctly. This is not a long-term fix, you
        > really should upgrade to 0.9.8y or later, which likely does not
        > have this problem.
        >
        > main.cf:
        > # Disable SSLv2 and TLSv1, the latter until session ticket
        > # support works in the local SSL library.
        > #
        > smtp_tls_protocols = !SSLv2, !TLSv1
        > smtp_tls_mandatory_protocols = !SSLv2, !TLSv1

        I would assume that I can test it with s_client:

        $ openssl s_client -no_ssl2 -no_tls1 -starttls smtp -state \
        -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
        CONNECTED(00000003)
        SSL_connect:before/connect initialization
        SSL_connect:SSLv2/v3 write client hello A
        SSL_connect:SSLv3 read server hello A
        SSL_connect:SSLv3 read server key exchange A
        SSL_connect:SSLv3 read server done A
        SSL_connect:SSLv3 write client key exchange A
        SSL_connect:SSLv3 write change cipher spec A
        SSL_connect:SSLv3 write finished A
        SSL_connect:SSLv3 flush data
        SSL_connect:SSLv3 read finished A
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 678 bytes and written 367 bytes
        ---
        New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
        Secure Renegotiation IS supported
        Compression: NONE
        Expansion: NONE
        SSL-Session:
        Protocol : SSLv3
        Cipher : ADH-CAMELLIA256-SHA
        Session-ID:
        5571064B85701985126070CC097D5A60F6FBBD734A6F8F26615201AE0C814E1B
        Session-ID-ctx:
        Master-Key:
        11CFEC1AD95BF4EA508C89E42147C9292F29F9E3630654818B99FADD349A6C9D64419A6802A09345A4008FA0F0180372
        Key-Arg : None
        Start Time: 1373554327
        Timeout : 300 (sec)
        Verify return code: 0 (ok)
        ---
        250 DSN
        quit
        221 2.0.0 Bye
        SSL3 alert read:warning:close notify
        closed
        SSL3 alert write:warning:close notify

        $ openssl s_client -no_ssl2 -no_tls1 -reconnect -starttls smtp -state \
        -cipher "ALL:+RC4:@STRENGTH" -connect server.example.com:25
        CONNECTED(00000003)
        SSL_connect:before/connect initialization
        SSL_connect:SSLv2/v3 write client hello A
        SSL_connect:SSLv3 read server hello A
        SSL_connect:SSLv3 read server key exchange A
        SSL_connect:SSLv3 read server done A
        SSL_connect:SSLv3 write client key exchange A
        SSL_connect:SSLv3 write change cipher spec A
        SSL_connect:SSLv3 write finished A
        SSL_connect:SSLv3 flush data
        SSL_connect:SSLv3 read finished A
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 678 bytes and written 367 bytes
        ---
        New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
        Secure Renegotiation IS supported
        Compression: NONE
        Expansion: NONE
        SSL-Session:
        Protocol : SSLv3
        Cipher : ADH-CAMELLIA256-SHA
        Session-ID:
        5D7EA9F0C04B877E3AAFBEB75A12DAF4012693344BBBB5624DD3C1DC3836C34C
        Session-ID-ctx:
        Master-Key:
        E6CF20A96E3C6C9800825897A09B06F37F03B06454A6BF8ADEE3935BE9FA0B1B2085EA919D07AFB167588FF042D70810
        Key-Arg : None
        Start Time: 1373554331
        Timeout : 300 (sec)
        Verify return code: 0 (ok)
        ---
        250 DSN
        drop connection and then reconnect
        SSL3 alert write:warning:close notify
        CONNECTED(00000003)
        SSL_connect:before/connect initialization
        SSL_connect:SSLv3 write client hello A
        SSL3 alert write:fatal:handshake failure
        SSL_connect:error in SSLv3 read server hello A
        21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
        number:s3_pkt.c:281:


        But, there's still the error.

        Best regards
        Stefan
      • Viktor Dukhovni
        Message 3 of 10 , Jul 11, 2013
          On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:

          > > > SSL_connect:error in SSLv3 read server hello A
          > > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
          > > > number:s3_pkt.c:281:
          > >
          > > Unfortunately, the "reconnect" code in s_client (at least with
          > > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
          > > "220 hostname" is not an SSL server HELO.
          > >
          > > A better diagnostic utility is available with the latest Postfix
          > > 2.11 snapshot. You don't need to install it (no need to upgrade
          > > to Postfix 2.11), just compile postfix-2.11-20130710 with TLS
          > > support and run:
          > >
          > > ./bin/posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 \
          > > "[server.example.com]"
          > >
          > > This will report more useful results.
          >
          > $ posttls-finger -p "" -lmay -Lsummary,cache,debug -r 1 "[aa.bb.cc.dd]"
          > posttls-finger: initializing the client-side TLS engine
          > posttls-finger: Connected to aa.bb.cc.dd[aa.bb.cc.dd]:25
          > posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
          > posttls-finger: > STARTTLS
          > posttls-finger: < 220 2.0.0 Ready to start TLS
          > posttls-finger: setting up TLS connection to aa.bb.cc.dd[aa.bb.cc.dd]:25
          > posttls-finger: aa.bb.cc.dd[aa.bb.cc.dd]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
          > posttls-finger: SSL_connect:before/connect initialization
          > posttls-finger: SSL_connect:SSLv2/v3 write client hello A
          > posttls-finger: SSL_connect:SSLv3 read server hello A
          > posttls-finger: SSL_connect:SSLv3 read server key exchange A
          > posttls-finger: SSL_connect:SSLv3 read server done A
          > posttls-finger: SSL_connect:SSLv3 write client key exchange A
          > posttls-finger: SSL_connect:SSLv3 write change cipher spec A
          > posttls-finger: SSL_connect:SSLv3 write finished A
          > posttls-finger: SSL_connect:SSLv3 flush data
          > posttls-finger: SSL_connect:SSLv3 read finished A
          > posttls-finger: save session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 to memory cache
          > posttls-finger: Untrusted TLS connection established to
          > aa.bb.cc.dd[aa.bb.cc.dd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
          > posttls-finger: Reconnecting after 1 seconds
          > posttls-finger: < 220 server.example.com ESMTP Postfix (Ubuntu)
          > posttls-finger: looking for session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 in memory cache
          > posttls-finger: reloaded session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 from memory cache
          > posttls-finger: SSL_connect:before/connect initialization
          > posttls-finger: SSL_connect:SSLv3 write client hello A
          > posttls-finger: SSL_connect:SSLv3 read server hello A
          > posttls-finger: SSL3 alert write:fatal:unexpected_message
          > posttls-finger: SSL_connect:error in SSLv3 read finished A
          > posttls-finger: SSL_connect error to aa.bb.cc.dd[aa.bb.cc.dd]:25: -1
          > posttls-finger: warning: TLS library problem: 18630:error:1408E0F4:SSL
          > routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
          > posttls-finger: remove session [aa.bb.cc.dd]:25&359DC42443D7E32ADDAA2AF86D3F2785D16016CAD85BB6B3103F285512451CF3 from client cache

          This tells the whole story, the client does not expect to see a
          session ticket with a resumed session, it expects "finished"
          instead. It is I believe valid for a server to return a session
          ticket even with a resumed session.

          So 0.9.8j does not implement session tickets correctly. With Postfix
          2.11 you can add:

          tls_ssl_options = NO_TICKET

          to main.cf to work-around this specific problem, without disabling
          TLSv1, but I would upgrade to the latest OpenSSL release instead.
          Install an updated OpenSSL library from SuSE.

          > > The simplest work-around for the problem is to disable TLSv1 on
          > > your 0.9.8j machine, since it seems to not handle the session
          > > ticket extension correctly. This is not a long-term fix, you
          > > really should upgrade to 0.9.8y or later, which likely does not
          > > have this problem.
          > >
          > > main.cf:
          > > # Disable SSLv2 and TLSv1, the latter until session ticket
          > > # support works in the local SSL library.
          > > #
          > > smtp_tls_protocols = !SSLv2, !TLSv1
          > > smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
          >
          > I would assume that I can test it with s_client:

          I will repeat myself (text you quoted in your reply):

          > > Unfortunately, the "reconnect" code in s_client (at least with
          > > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because
          > > "220 hostname" is not an SSL server HELO.

          Therefore, no, you can't test this with an unpatched s_client(1).

          > drop connection and then reconnect

          Because reconnect is broken with starttls.

          > SSL3 alert write:warning:close notify
          > CONNECTED(00000003)
          > SSL_connect:before/connect initialization
          > SSL_connect:SSLv3 write client hello A
          > SSL3 alert write:fatal:handshake failure
          > SSL_connect:error in SSLv3 read server hello A
          > 21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
          > number:s3_pkt.c:281:
          >
          > But, there's still the error.

          As expected.

          --
          Viktor.
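An added triage sketch (not from the thread's authors, Postfix or OpenSSL) that tells apart the two failures discussed above from the handshake state traces alone: the s_client reconnect that skips STARTTLS, and the resumed handshake that aborts where the client expected "finished". The function name and result labels are hypothetical; the sample traces are excerpts of the output quoted in this thread.

```python
import re

PREFIX = re.compile(r"^posttls-finger: ")

# Excerpts of the traces quoted in this thread.
S_CLIENT_TRACE = """drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
21731:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:281:"""

FINGER_TRACE = """posttls-finger: reloaded session
[aa.bb.cc.dd]:25&359DC4... from memory cache
posttls-finger: SSL_connect:SSLv3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: SSL3 alert write:fatal:unexpected_message
posttls-finger: SSL_connect:error in SSLv3 read finished A"""


def triage(trace: str) -> str:
    """Label a client-side handshake trace with the failure it matches."""
    flat = " ".join(trace.split())  # undo mail-client line wrapping
    resumed = reconnected = False
    alert = failed_state = None
    for raw in trace.splitlines():
        line = PREFIX.sub("", raw.strip())
        if line.startswith("reloaded session"):
            resumed = True  # a cached session was offered
        elif line.startswith("drop connection and then reconnect"):
            reconnected = True  # s_client's own -reconnect path
        m = re.match(r"SSL3 alert write:fatal:(.+)", line)
        if m:
            alert = m.group(1)
        m = re.match(r"SSL_connect:error in (.+)", line)
        if m:
            failed_state = m.group(1)
    if (reconnected and failed_state == "SSLv3 read server hello A"
            and "wrong version number" in flat):
        return "reconnect-without-starttls"
    if (resumed and alert == "unexpected_message"
            and failed_state == "SSLv3 read finished A"):
        return "resumed-handshake-unexpected-message"
    return "other-handshake-failure" if failed_state else "no-failure"
```

The first label points at the test tool rather than the server; only the second matches the session ticket problem described in the message above.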