Hey,

On 1/13/22 19:18, Crystal Kolipe wrote:
> Well, I can connect to his server using:
>
> openssl s_client -starttls smtp -connect mail.unglaub.at:25
>
> The handshake completes and I'm able to issue smtp commands.
>
> However smtpd always reports that opportunistic TLS failed, and
> downgrades to plaintext.

When you connect to the server, can you do the SMTP dialog? I tried it on my server and other instances running OpenSMTPd and I get the following error:

$ openssl s_client -starttls smtp -connect mail.unglaub.at:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = storm-peaks.northrend.azeroth.wow-data.net
verify return:1
---
Certificate chain
 0 s:CN = storm-peaks.northrend.azeroth.wow-data.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
subject=CN = storm-peaks.northrend.azeroth.wow-data.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5457 bytes and written 420 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 HELP
EHLO unglaub.at
250-storm-peaks.northrend.azeroth.wow-data.net Hello unglaub.at [2001:871:210:554:6c50:40ef:c73c:d401], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 83886080
250-DSN
250 HELP
MAIL FROM: <t...@test.com>
250 2.0.0 Ok
RCPT TO:<t...@foobar.com>
RENEGOTIATING
139809772520832:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2142:

Are the last two lines expected behaviour? I get them on IPv4 and IPv6. Someone else, being so kind as to try debugging this, sent me something similar.

I am shortening it down to the error itself:

RENEGOTIATING
139809772520832:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2142:

Greetings
Leo
