> From: [email protected] On Behalf Of Kurt Roeckx via RT > Sent: Tuesday, 18 June, 2013 12:30
> On Tue, Jun 18, 2013 at 12:30:58AM -0400, Dave Thompson wrote: > > > > Looking at your state_debug.log (which tries 1.2) I see: > > read/write preliminary SMTP as normal > > write ClientHello: offer 1.2 > > read ServerHello: agree 1.0 DES-CBC3-SHA > > rest of handshake normal > > > > Aside: I notice your build (here and in no-1.2) doesn't offer IDEA, > > so I'll guess it was built by longtime anti-patent person. > > This is tested on Debian where it was disabled many years ago and > never re-enabled. I see no reason to enable it anymore. > Okay. A little unusual, but okay. > > Then we have: > > > 250 OK > > > 214-This server supports the following commands: > > > 214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH > TURN ETRN BDAT > > VRFY > > These appear to be leftover (in mbuf) from the preliminary phase. > > No, this is most likely a logging problem. > What happens is that I get: > 250 OK > > I send: "HELP\r\n" > > I get as reply: > 214-This server supports the following commands: > 214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH > TURN ETRN BDAT VRFY > But this appeared before the -debug display of the outgoing (1+1) messages or any incoming messages? I agree that looks like a logging problem, which worries me because then I can't be entirely certain of the other stuff in the log. > And after that the connection breaks. > > > I suggest trying the default=1.2 with -cipher RC4-MD5; if > that works > > try RC4-SHA with default=1.2 and also -no_tls1_2 and/or exact -tls1. > > Conversely try -no_tls1_2 and/or -tls1 with -cipher DES-CBC-SHA . > Oops! I meant DES-CBC3-SHA; never use any single-DES mode. (Openssl probably should have named them 3DES-CBC or even 3DES-EDE-CBC like other folks did, it makes more sense to have the encryption primitive all in one place. Oh well, too late now.) > Using "-cipher RC4-MD5" or "-cipher RC4-SHA" I get that as cipher > and have connection that stays working. > > Using "-no_tls1_2 -cipher DES-CBC-SHA" I get the broken connection > after the HELP. > So if RC4 works regardless after any handshake and DES-CBC3 fails ditto ... > My conclussions: > - One of the 2 sides doesn't implement > DES-CBC-SHA/DES-CBC3-SHA properly ... I think you're right and I suspect the other side because openssl interoperates with lots of folks -- unless there's something badly off in your build of openssl. Can you connect with DES-CBC3-SHA to usual suspects like google? I think commandline nowadays picks up engines from openssl.cnf even if you don't explicitly ask -- do you have any configured? If you didn't build from source, can you try that? > - The server seems to act weird in changing between RC4-MD5 and > DES-CBC3-SHA. > That is kinda weird, though not in itself improper. It it (correctly!) implements both, and the client offers both (and openssl s_client by default offers nearly everything) it is allowed to choose between them. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
