On Tue, May 16, 2000 at 08:45:08PM -0700, Claus Assmann wrote:
> I have a question about the different SSL versions, i.e., which one
> should a client use to be interoperable? The specific problem is
> with the MTA at mail.stalker.com. I finally got around to do some
> more debugging and found out that openssl (starttls) can connect
> to it if it uses either SSLv23 with SSL_OP_NO_TLSv1 or SSLv3.
> However, in general the client should use SSLv23 without turning
> off other protocol versions, correct? So how should I write a client
> that can connect to (almost) all servers?
>
> I'm a bit irritated, because this behavior doesn't match with the
> interoperability matrix I posted back in March. Is that MTA running
> SSLv3?
First let's state that RFC2487 (the STARTTLS description) deals with
TLS, not with SSL. If an implementation also supports SSL it is also nice.
I hence feel free to rely on RFC2246 (TLSv1.0).
* Section 7.4.1.2 Client hello
...
client_version
The version of the TLS protocol by which the client wishes to
communicate during this session. This should be the latest
(highest valued) version supported by the client. For this
version of the specification, the version will be 3.1 (See
Appendix E for details about backward compatibility).
...
* Section 7.4.1.3. Server hello
...
server_version
This field will contain the lower of that suggested by the client
in the client hello and the highest supported by the server. For
this version of the specification, the version is 3.1 (See
Appendix E for details about backward compatibility).
...
* Appendix E Backward Compatibility With SSL
...
TLS version 1.0 and SSL 3.0 are very similar; thus, supporting both
is easy. TLS clients who wish to negotiate with SSL 3.0 servers
should send client hello messages using the SSL 3.0 record format and
client hello structure, sending {3, 1} for the version field to note
that they support TLS 1.0. If the server supports only SSL 3.0, it
will respond with an SSL 3.0 server hello; if it supports TLS, with a
TLS server hello. The negotiation then proceeds as appropriate for
the negotiated protocol.
Similarly, a TLS server which wishes to interoperate with SSL 3.0
clients should accept SSL 3.0 client hello messages and respond with
an SSL 3.0 server hello if an SSL 3.0 client hello is received which
has a version field of {3, 0}, denoting that this client does not
support TLS.
...
TLS 1.0 clients that support SSL Version 2.0 servers must send SSL
Version 2.0 client hello messages [SSL2]. TLS servers should accept
either client hello format if they wish to support SSL 2.0 clients on
the same connection port. The only deviations from the Version 2.0
specification are the ability to specify a version with a value of
three and the support for more ciphering types in the CipherSpec.
...
Sorry for citing so long, but I think these sections make things clear.
If CommunigatePro (at mail.stalker.com) does not understand TLSv1
(aka SSLv3.1) client hello messages it violates RFC2246 and hence RFC2487.
Ok, I have just tried to send an email to mail.stalker.com and had the
same problem you had:
May 17 10:11:58 serv01 postfix/qmgr[21907]: A7A6AA82B:
from=<[EMAIL PROTECTED]>, size=813 (queue active)
May 17 10:12:36 serv01 postfix/smtp[19121]: setting up TLS connection
May 17 10:12:37 serv01 postfix/smtp[19121]: verify error:num=20:unable to get local
issuer certificate
May 17 10:12:37 serv01 postfix/smtp[19121]: verify error:num=27:certificate not trusted
May 17 10:12:37 serv01 postfix/smtp[19121]: verify error:num=21:unable to verify the
first certificate
May 17 10:12:37 serv01 postfix/smtp[19121]: SSL3 alert read:fatal:unexpected_message
May 17 10:12:37 serv01 postfix/smtp[19121]: SSL_connect:failed in SSLv3 read finished A
May 17 10:12:37 serv01 postfix/smtp[19121]: SSL_connect error 0
May 17 10:12:37 serv01 postfix/smtp[19121]: 19121:error:140943F2:SSL
routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:956:SSL alert number
10:
May 17 10:12:37 serv01 postfix/smtp[19121]: SSL session removed
I have also dumped the connection and it seems that the stalker server
accepts the TLSv1 (SSLv3.1) client hello and then answers with SSLv3
(16 03 00) thus deciding for the SSLv3 (not TLSv1) protocol.
Then (unfortunately :-) certificate information is sent. It would take
a byte-by-byte analysis of the communication or running all of this through
the debugger, both of which my time does not allow in the next days.
See it the Microsoft way: sendmail now offers STARTTLS, my Postfix/TLS
extension is to be integrated into the main package RSN. This should
put enough pressure on stalker to check out their package :-)
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
