Hi All,

I've got a problem with flaky SSL connections on my Courier mail server. I get memory errors with shared libraries stemming from a bad SSL handshake.

Here are the basic stats: Red Hat ES 4, with openssl-0.9.7a-43.8 installed by rpm, and courier-0.43.2 w/ self-signed cert, on a machine with iptables/ipchains and SELinux disabled completely.

And here's the absolutely baffling behavior: it refuses to connect "sometimes", where I have to try a few times before it connects. This is from the local machine, slink, that is the mail server, which means users going to SSL port 993 from any mail reader experience problems. Can anyone tell me why this behavior would be occurring? Any hints or pointing in the right direction would be greatly appreciated.

(see details below)


[EMAIL PROTECTED] init.d]# openssl s_client -connect mail:993 -ssl3
CONNECTED(00000003)
4725:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
[EMAIL PROTECTED] init.d]# openssl s_client -connect mail:993 -ssl3
CONNECTED(00000003)
4727:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

[EMAIL PROTECTED] init.d]# openssl s_client -connect mail:993 -ssl3 *<---- SUCCESSFUL CONNECTION FINALLY*
CONNECTED(00000003)
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[EMAIL PROTECTED]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[EMAIL PROTECTED]
   i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[EMAIL PROTECTED]
---
Server certificate
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[EMAIL PROTECTED]
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 941 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
   Protocol  : SSLv3
   Cipher    : AES256-SHA
   Session-ID: 8C04BB85DD7EF09B11EDDD682544AD6A2698B0C305BD3EB41389A27FB1BC9ED2
   Session-ID-ctx:
   Master-Key: CF5E1D02075AC5330228D4F9DE1B566A2E112B3380CB4F97B03B2ED7A0AF0831D7BE70A2C9C664907DEE6480C559B00A
   Key-Arg   : None
   Krb5 Principal: None
   Start Time: 1142970746
   Timeout   : 7200 (sec)
   Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION XMAGICTRASH] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]