
Re: SSL3_GET_MESSAGE:unexpected message (thanks)

  • Stefan Jakobs
    Message 1 of 4, Jul 11, 2013
      Viktor Dukhovni wrote:
      > On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote:
      [...]
      > So 0.9.8j does not implement session tickets correctly. With Postfix
      > 2.11 you can add:
      >
      > tls_ssl_options = NO_TICKET
      >
      > to main.cf to work-around this specific problem, without disabling
      > TLSv1, but I would upgrade to the latest OpenSSL release instead.
      > Install an updated OpenSSL library from SuSE.

      I don't think that this is that easy. But I will see what I can do.

      [...]
      > > I would assume that I can test it with s_client:
      > I will repeat myself (text you quoted in your reply):
      [...]
      > > But, there's still the error.
      >
      > As expected.

      Now I get it. Thank you Viktor for walking me through this.

      Best regards
      Stefan
    • Viktor Dukhovni
      Message 2 of 4, Jul 11, 2013
        On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote:

        > > So 0.9.8j does not implement session tickets correctly. With Postfix
        > > 2.11 you can add:
        > >
        > > tls_ssl_options = NO_TICKET
        > >
        > > to main.cf to work-around this specific problem, without disabling
        > > TLSv1, but I would upgrade to the latest OpenSSL release instead.
        > > Install an updated OpenSSL library from SuSE.
        >
        > I don't think that this is that easy. But I will see what I can do.

        By latest, I mean latest patch level of 0.9.8, not a jump to 1.0.1e.

        If SuSE have not fixed this issue yet, refer to:

        https://rt.openssl.org/Ticket/Display.html?id=2888&user=guest&pass=guest#

        the fix for which is in 0.9.8y and request a bug-fix release.

        --
        Viktor.
      • Viktor Dukhovni
        Message 3 of 4, Jul 11, 2013
          On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote:

          > Now I get it. Thank you Viktor for walking me through this.

          Note that if you disable "SSLv2" as recommended for a long time
          now:

          smtp_tls_protocols = !SSLv2
          smtp_tls_mandatory_protocols = !SSLv2

          you may well find that the problem goes away because the client
          will obtain a session ticket during the initial handshake, so the
          server won't offer a new ticket with session resumption.

          The reason you have a problem is that the server is offering a ticket
          for a resumed session, because no ticket was sent with the original
          session. And that is because the original session used an SSLv2
          client hello (to support SSLv2 which should no longer be used).

          Therefore, disable SSLv2 in the Postfix client, and you'll almost
          never see this issue. (You could run into it if a server decided
          to renew a ticket, but this is rather unlikely; almost certainly
          no SMTP servers have code for this.)

          This assumes your Postfix client version is at least 2.6. If not,
          upgrade!

          --
          Viktor.
        • Viktor Dukhovni
          Message 4 of 4, Jul 11, 2013
            On Thu, Jul 11, 2013 at 03:54:37PM +0000, Viktor Dukhovni wrote:

            > Therefore, disable SSLv2 in the Postfix client, and you'll almost
            > never see this issue. (You could run into it if a server decided
            > to renew a ticket, but this is rather unlikely, almost certainly
            > no SMTP servers have code for this).
            >
            > This assumes your Postfix client version is at least 2.6. If not,
            > upgrade!

            SSLv2 is disabled by default with Postfix 2.7, but you can override
            the default in 2.6 to achieve the same effect. With 2.5 and earlier
            there is no protocol filter for opportunistic TLS.

            --
            Viktor.
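          An added example, not part of the thread or of Postfix itself: a small
          Python checker that parses Postfix main.cf-style text (the same
          key = value format `postconf` prints) and reports whether either
          mitigation discussed above is present, i.e. SSLv2 excluded from both
          client protocol lists, or NO_TICKET set in tls_ssl_options (Postfix
          2.11+). The configuration excerpt is constructed for the example.

          ```python
          import re

          # Constructed main.cf excerpt (not from the thread). The second
          # parameter uses Postfix's leading-whitespace continuation syntax.
          SAMPLE_MAIN_CF = """\
          # main.cf excerpt (constructed sample)
          smtp_tls_security_level = may
          smtp_tls_protocols = !SSLv2,
              !SSLv3
          smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
          tls_ssl_options = NO_COMPRESSION
          """


          def parse_main_cf(text):
              """Parse main.cf / 'postconf' output into {parameter: value}.
              A line beginning with whitespace continues the previous value."""
              params = {}
              current = None
              for line in text.splitlines():
                  if not line.strip() or line.lstrip().startswith("#"):
                      continue
                  if line[0] in " \t" and current is not None:
                      params[current] += " " + line.strip()
                      continue
                  key, sep, value = line.partition("=")
                  if not sep:
                      continue  # not a parameter assignment; ignore
                  current = key.strip()
                  params[current] = value.strip()
              return params


          def _tokens(value):
              """Split a Postfix list value on its separators (space, comma, colon)."""
              return {t.upper() for t in re.split(r"[\s,:]+", value) if t}


          def check_session_ticket_workarounds(params):
              """Report which of the two mitigations from the thread are configured.
              Parameters missing from the text count as not set; run on full
              'postconf' output (which includes defaults) for effective values."""
              sslv2_excluded = all(
                  "!SSLV2" in _tokens(params.get(p, ""))
                  for p in ("smtp_tls_protocols", "smtp_tls_mandatory_protocols"))
              no_ticket = "NO_TICKET" in _tokens(params.get("tls_ssl_options", ""))
              return {"sslv2_excluded": sslv2_excluded, "no_ticket": no_ticket}
          ```
          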