On Thu, Sep 12, 2013, John Hynes wrote:

> openssl s_client -starttls smtp -connect mail.dean.edu:25
> 
> ...from any of my OpenBSD 5.3 hosts, I get the same response:

> CONNECTED(00000003)
> 12556912661392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:/usr/src/lib/libssl/ssl/../src/ssl/s23_lib.c:177:

Add -no_tls1_2 to your call.

If that works, add some options to sendmail to make SSL_OP_NO_TLSv1_2
available:

diff -ru sendmail-8.14.7/sendmail/readcf.c sendmail-8.14.7-new/sendmail/readcf.c
--- sendmail-8.14.7/sendmail/readcf.c   2013-03-15 17:54:12.000000000 +0000
+++ sendmail-8.14.7-new/sendmail/readcf.c       2013-06-24 14:26:01.000000000 
+0100
@@ -2303,13 +2303,16 @@
        long            sslopt_bits;    /* bits to set/clear */
 } SSL_Option[] =
 {
-/* these are turned on by default */
+/* Bugs (and some others) are turned on by default */
 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
        { "SSL_OP_MICROSOFT_SESS_ID_BUG",       SSL_OP_MICROSOFT_SESS_ID_BUG    
},
 #endif
 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
        { "SSL_OP_NETSCAPE_CHALLENGE_BUG",      SSL_OP_NETSCAPE_CHALLENGE_BUG   
},
 #endif
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT 
+       { "SSL_OP_LEGACY_SERVER_CONNECT",       SSL_OP_LEGACY_SERVER_CONNECT    
},
+#endif
 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
        { "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG",    
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
 #endif
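Review bot: The new `#ifdef SSL_OP_LEGACY_SERVER_CONNECT` line carries a trailing space, unlike the neighbouring `#ifdef` lines; drop it. The rewritten comment `/* Bugs (and some others) are turned on by default */` no longer says what the "others" are or why they are on, and this table only maps option names to bits — the default set is presumably applied elsewhere, outside the hunk — so a comment naming where the defaults come from would help, e.g. `/* peer-bug workarounds plus a few non-bug options that OpenSSL itself enables by default */`. SSL_OP_LEGACY_SERVER_CONNECT in particular permits initial connections to servers that lack the secure-renegotiation extension, so grouping it with the on-by-default entries deserves a one-line why-comment. The SSL_Option[] array begins before this hunk.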
@@ -2346,9 +2349,18 @@
 #ifdef SSL_OP_NO_TICKET
        { "SSL_OP_NO_TICKET",   SSL_OP_NO_TICKET        },
 #endif
+#ifdef SSL_OP_CISCO_ANYCONNECT
+       { "SSL_OP_CISCO_ANYCONNECT",    SSL_OP_CISCO_ANYCONNECT },
+#endif
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
        { "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION",      
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   },
 #endif
+#ifdef SSL_OP_NO_COMPRESSION
+       { "SSL_OP_NO_COMPRESSION",      SSL_OP_NO_COMPRESSION   },
+#endif
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+       { "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION",   
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        },
+#endif
 #ifdef SSL_OP_SINGLE_ECDH_USE
        { "SSL_OP_SINGLE_ECDH_USE",     SSL_OP_SINGLE_ECDH_USE  },
 #endif
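Review bot: `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` is added with nothing marking that it re-enables the pre-RFC 5746 renegotiation behaviour OpenSSL disables by default, while its neighbour `SSL_OP_NO_COMPRESSION` is a hardening option; an operator scanning the table sees no asymmetry. Suggest a comment on the entry, e.g. `/* bypasses the RFC 5746 renegotiation-indication check; insecure, only for broken peers */`, and a matching note on `SSL_OP_NO_COMPRESSION` that it is the one worth turning on. As far as I know `SSL_OP_CISCO_ANYCONNECT` only alters DTLS behaviour in OpenSSL, so it is inert on a TCP SMTP session and could be omitted or commented as such. Whether the `sslopt_bits` entries are set or cleared is decided by the parser outside this hunk, so the comments should describe the bit, not the direction.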
@@ -2373,6 +2385,12 @@
 #ifdef SSL_OP_NO_TLSv1
        { "SSL_OP_NO_TLSv1",    SSL_OP_NO_TLSv1 },
 #endif
+#ifdef SSL_OP_NO_TLSv1_2
+       { "SSL_OP_NO_TLSv1_2",  SSL_OP_NO_TLSv1_2       },
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+       { "SSL_OP_NO_TLSv1_1",  SSL_OP_NO_TLSv1_1       },
+#endif
 #ifdef SSL_OP_PKCS1_CHECK_1
        { "SSL_OP_PKCS1_CHECK_1",       SSL_OP_PKCS1_CHECK_1    },
 #endif
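Review bot: The two new entries are out of order — `SSL_OP_NO_TLSv1_2` is listed before `SSL_OP_NO_TLSv1_1`, while the existing entries run in ascending protocol order (`SSL_OP_NO_TLSv1` directly above); swap the two `#ifdef` groups so the table stays scannable. These bits disable a protocol version for every peer, not just the one host whose TLS 1.2 handshake fails, so a short comment such as `/* NO_TLSv1_x disables that version for all connections, not a single peer */` would discourage leaving the workaround in place permanently once the remote side is fixed.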
@@ -2385,6 +2403,9 @@
 #ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
        { "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG",     
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG  },
 #endif
+#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
+       { "SSL_OP_CRYPTOPRO_TLSEXT_BUG",        SSL_OP_CRYPTOPRO_TLSEXT_BUG     
},
+#endif
        { NULL,         0               }
 };
 #endif /* STARTTLS && _FFR_TLS_1 */
