On Sat, 2014-05-03 at 21:48 -0400, Sam Varshavchik wrote:
> This is an interoperability issue between OpenSSL and whatever SSL software  
> is running on that server.
> 
> OpenSSL's built-in client is barfing.
> 
> $ openssl s_client -connect mx.nv.net:25 -starttls smtp
> CONNECTED(00000003)
> 139689135974272:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3  
> alert unexpected message:s23_clnt.c:741:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 338 bytes and written 284 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> 
> You can try openssl s_client with your own server, to see how a successful  
> connection looks like.
> 
> This may be sufficient information to put pressure on nv.net to take the  
> ball in their court. We're now talking about the current version of the most  
> widely used SSL library failing to talk to their server.

However, from the server here on which I have an account running OpenSSL
0.9.8e-fips-rhel5:

$ openssl s_client -connect mx.nv.net:25 -starttls smtp
CONNECTED(00000003)
depth=0 /CN=mail.nv.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mail.nv.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=mail.nv.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.nv.net
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
Server certificate
subject=/CN=mail.nv.net
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 1687 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 0000A8A35365BC1D7A51F1328AB3A73873CBA6358E2F4A7208A3F72E968CDDB7
    Session-ID-ctx: 
    Master-Key: 40C19B84E71FEE19BBC4975BD7ADD06DBDAC04D72ED73B5DBCB7AD3A3EC6DB9031D4C1F5CFE0D2C4260683E41E713FAE
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1399176256
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 EHLO

Would the verify errors be playing into this problem?

This is beyond being a courier issue, so it's probably not appropriate
for this list, but it is a mail issue and rather a puzzle.  Thanks for
your insights.

My guess is that patches to OpenSSL which have come into play to address
the Heartbleed bug may be contributing to this.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |
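A small triage helper, added here as an example and not code from the thread or from courier: it parses the two `openssl s_client` transcripts quoted above (trimmed to the lines it reads) and reports whether each handshake completed and what the certificate verification said.

```python
import re

# Transcript excerpts copied from the two s_client runs quoted in this thread (trimmed to
# the lines the parser reads). Real output has the certificate block and session data too.
FAILED = """CONNECTED(00000003)
139689135974272:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:741:
---
SSL handshake has read 338 bytes and written 284 bytes
---
New, (NONE), Cipher is (NONE)
"""
SUCCEEDED = """CONNECTED(00000003)
depth=0 /CN=mail.nv.net
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
SSL handshake has read 1687 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Pull the handshake outcome and the verification results out of an s_client transcript."""
    r = {"protocol": None, "cipher": None, "failed_in": None, "alert": None,
         "verify_errors": [], "verify_code": None, "bytes_read": None}
    m = re.search(r"error:[0-9A-F]+:SSL routines:(\w+):([^:]+):", text)
    if m:  # library error line: the handshake aborted inside this OpenSSL function
        r["failed_in"], r["alert"] = m.group(1), m.group(2)
    m = re.search(r"^New, (.+?), Cipher is (\S+)", text, re.M)
    if m and m.group(2) != "(NONE)":  # a cipher was negotiated, so the handshake completed
        r["protocol"], r["cipher"] = m.group(1), m.group(2)
    r["verify_errors"] = [(int(n), msg) for n, msg in
                          re.findall(r"verify error:num=(\d+):(.+)", text)]
    m = re.search(r"Verify return code: (\d+)", text)
    r["verify_code"] = int(m.group(1)) if m else None
    m = re.search(r"handshake has read (\d+) bytes", text)
    r["bytes_read"] = int(m.group(1)) if m else None
    return r

def stage(text):
    """Classify how far the handshake got. Certificate verification only runs once the
    handshake reaches the certificate exchange, so an 'aborted' transcript has no verify
    errors to blame; 'untrusted' means the handshake completed but the chain did not verify."""
    r = parse_s_client(text)
    if r["cipher"] is None:
        return "aborted in %s: %s" % (r["failed_in"], r["alert"])
    return "untrusted" if r["verify_code"] else "verified"
```

Feeding it full `openssl s_client -connect host:25 -starttls smtp` output from two client versions makes the difference explicit: one run never got past ServerHello, the other negotiated TLSv1 and only then failed chain verification.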


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users