Antoine, I'm CC-ing you because this might be a stable.mtier.org thing.

j...@sing.id.au (Joel Sing), 2015.03.31 (Tue) 14:51 (CEST):
> On Tuesday 31 March 2015, Marcus MERIGHI wrote:
> > frankenstein warning: stable.mtier.org, all patches applied
> >
> > the mail server in question doesn't deliver to a certain destination
> > ("Network error on destination MXs"). Other destinations work. When I
> > connect manually I can send messages via the destination server. But no
> > TLS involved this way. SMTP greeting of destination server:
> >
> > $ nc 216.55.105.124 25
> > 220 mobile-systems.at ESMTP Sendmail 8.14.5/8.13.4; Mon, 30 Mar 2015
> >   13:12:39 +0200 (CEST)
> >
> > log entries on originating server:
> >
> > Mar 30 13:11:18 frax smtpd[28031]: smtp-out: Connecting to
> >   smtp+tls://216.55.105.124:25 (216.55.105.124.hera.net) on session
> >   23d6e647b646bf14...
> > Mar 30 13:11:18 frax smtpd[28031]: smtp-out: Connected on session
> >   23d6e647b646bf14
> > Mar 30 13:11:24 frax smtpd[28031]: smtp-out: Error on session
> >   23d6e647b646bf14: IO Error: error:1408D06E:SSL
> >   routines:SSL3_GET_KEY_EXCHANGE:bad dh p length
> > Mar 30 13:11:24 frax smtpd[28031]: smtp-out: Disabling route [] <->
> >   216.55.105.124 (216.55.105.124.hera.net) for 800s
> > Mar 30 13:11:24 frax smtpd[28031]: smtp-out: No valid route for
> >   [connector:[]->[relay:yyy.at,heloname=mail.xxx.at],0x0]
> > Mar 30 13:11:24 frax smtpd[28031]: smtp-out: No valid route for
> >   [connector:[]->[relay:yyy.at,heloname=mail.xxx.at],0x0]
> >
> > I guess it's about the line:
> >
> > Error on session 23d6e647b646bf14: IO Error: error:1408D06E:SSL
> >   routines:SSL3_GET_KEY_EXCHANGE:bad dh p length
> >
> > Any hints on what's going wrong here?
> 
> Assuming you've patched, this is most likely due to the restrictions imposed 
> on the minimum size of the DH parameters supplied in the ServerKeyExchange 
> for TLS (r1.108 of src/lib/libssl/src/ssl/s3_clnt.c) - this means the remote 
> end is probably using 512-bit DH params.
> 
> That said, they seem to be offering 1024-bit DH currently:
> 
> $ openssl s_client -connect 216.55.105.124:25 -starttls smtp
> ...
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> ..
> 
> Is it now working?

Thanks for the command line; I used it for the following tests
(``openssl s_client -connect 216.55.105.124:25 -starttls smtp'').

short: an old (5.4-current) and a new machine (5.7-beta) have no
problems connecting to the destination. Only the stable.mtier.org
machines seem to be affected. Please note the difference in 
returning to the command line!

To me that appears to be a local or stable.mtier issue. 
If anyone is willing to help: how to debug? how to mitigate?

long:

from four stable.mtier.org machines I get:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1427807325
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
[prompt returns by itself]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

from -current notebook I get:
(OpenBSD 5.7-beta (GENERIC.MP) #860: Sun Feb 22 03:14:54 MST 2015)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 
    Session-ID-ctx: 
    Master-Key:
B05F387521096F515070F50B4D31F2D16438A2BB59993B163BF13946CDEF0A18D66573EDE6D0AEC416E9469FE7FFDD64
    Start Time: 1427807977
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
[prompt returns after ctrl+c]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

from an old machine (singing "I don't wanna talk about it"...)
OpenBSD 5.4-current (GENERIC.MP) #158: Thu Nov 21 23:14:15 MST 2013
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
E8D2B64A667A02A75F031D018A0C34A584195110C9DAAE1FE2CA4AD6A438E3E1
    Session-ID-ctx: 
    Master-Key:
F129092220818271C31255D46BD6BFA4E3C9D7BE06589D2923DA1B97D597C959980341E9D2AE07DC376D10BB30F3ED62
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
        [...]
    Start Time: 1427808056
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP
[prompt returns after ctrl+c]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks for your responses!

Bye, Marcus

> > Any hints on how to solve or work around?
> 
> From your side you could disable 'ALL:!DHE', lower the minimum from 1024 to 
> 512 in s3_clnt.c or get the remote side to use better DH parameters (assuming 
> they have not already changed it).
> 
> > Thanks in advance, Marcus
> >
> > P.S.: is m...@opensmtpd.org dead? https://www.opensmtpd.org/list.html
> > does not say so, but upon sending to the list I got a "not
> > subscribed" warning message to my subscription address (checked the
> > address with the old subscription notification).
> >
> > OpenBSD 5.6 (GENERIC.MP) #5: Thu Dec 11 09:51:08 CET 2014
> >     r...@stable-56-amd64.mtier.org:/binpatchng/work-binpatch56-amd64/src/sys/arch/amd64/compile/GENERIC.MP
> > real mem = 4276822016 (4078MB)
> 
> 
> 
> -- 
> 
>     "Action without study is fatal. Study without action is futile."
>         -- Mary Ritter Beard
> 
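The client-side check Joel refers to (a patched LibreSSL client aborting the handshake when the DH modulus in the ServerKeyExchange is below 1024 bits, which surfaces as "bad dh p length"), as an added example that is not part of this thread or of LibreSSL's s3_clnt.c: it encodes and parses the ServerDHParams structure from RFC 5246 section 7.4.3 and applies the length check to a constructed 512-bit and a constructed 1024-bit modulus. The exact expression used in r1.108 is assumed to be a plain bit-length comparison; the function names and sample moduli here are mine.

```python
import struct

# Minimum modulus size the thread says the patched client enforces (bits).
# Assumption: the real check in s3_clnt.c r1.108 is a plain size comparison.
MIN_DH_P_BITS = 1024


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams: dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(body: bytes):
    """Return (p, g, Ys) as ints; reject truncated input instead of reading past it."""
    vals, off = [], 0
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated ServerDHParams length field")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if off + n > len(body):
            raise ValueError("truncated ServerDHParams value")
        vals.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(vals)


def dh_p_bits(body: bytes) -> int:
    """Size of the server's DH modulus as seen by the client."""
    p, _, _ = parse_server_dh_params(body)
    return p.bit_length()


def check_dh_p_length(body: bytes, minimum: int = MIN_DH_P_BITS) -> str:
    """Mirror the client decision: refuse moduli shorter than the minimum."""
    bits = dh_p_bits(body)
    if bits < minimum:
        return "bad dh p length (%d bits < %d)" % (bits, minimum)
    return "ok (%d bits)" % bits


# Constructed sample moduli: not real DH groups, just values of the two sizes
# the thread discusses, with the top bit set so the nominal size is exact.
P_512 = (1 << 511) | 0x123456789ABCDEF1
P_1024 = (1 << 1023) | 0x123456789ABCDEF1
WEAK = build_server_dh_params(P_512, 2, 0x5A5A)     # what the remote likely sent
STRONG = build_server_dh_params(P_1024, 2, 0x5A5A)  # what s_client later showed
```

A real ServerKeyExchange for DHE_RSA carries a signature after these three fields, which this parser deliberately ignores; only the modulus length matters for the failure in the thread.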