Le 14/04/2013 21:21, Viktor Dukhovni a écrit :
On Sun, Apr 14, 2013 at 08:49:11PM +0000, Joan Moreau wrote:
$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee
client.out Ok, here it is below
Please also report "openssl version -a".
Here :
OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Apr 14 17:43:32 CEST 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int)
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3
-Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/ssl"
client.out : New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit Secure Renegotiation IS supported
Compression: zlib compression Expansion: zlib compression SSL-Session:
Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384
This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2
ciphersuite. Now try:
(sleep 2; printf "%srn" QUIT) |
openssl s_client -state -connect 127.0.0.1:465 2>&1 |
tee client.out
# (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect
127.0.0.1:465 2>&1 | tee client.out
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network,
OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read server session ticket A
SSL_connect:error in SSLv3 read server session ticket A
write:errno=104
CONNECTED(00000003)
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu
ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEyMTIwODAwMDAwMFoXDTEzMTIxMTIzNTk1
OVowVTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRswGQYDVQQL
ExJHYW5kaSBTdGFuZGFyZCBTU0wxEzARBgNVBAMTCmdyb3Nqby5uZXQwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiKO6Pk90QKVi1qFMLY6XLy6PR5H/w
JKxqtNuEDSXbIMA5Y5LAsGRL90Ew0MMq47Uazu6Sdc8axT91TwPhPEbiTl2tFjto
aNXLvziCDNFzA9jtuCJ2T7gZcUx1bbJamJPsBYGmR6MbNUNHFqhtyiyomRYAIFYN
oFGANj1xJrO8hYQVw4LUYf8BX7OjbUmZrWI1JF3dJhFapL0dgQchwypuBJ20fM6C
NeHn+NL7bbZb9KAfgPn+nAmVyqqwBCLfHCxYB17sJE05A9kYdkplaZST6oYzDtkM
/zJvNxPsPyHLlIUp1R/qwynWIH2Fwx3ASs6CmETLN3tNEZe0RDs06S2PAgMBAAGj
ggG0MIIBsDAfBgNVHSMEGDAWgBS2qP+iqC/Qps1LsWjz51AQMad5ITAdBgNVHQ4E
FgQU6hNXUs/gyQfRDyDB7VR9E/DIGpYwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGAGA1UdIARZMFcw
SwYLKwYBBAGyMQECAhowPDA6BggrBgEFBQcCARYuaHR0cDovL3d3dy5nYW5kaS5u
ZXQvY29udHJhY3RzL2ZyL3NzbC9jcHMvcGRmLzAIBgZngQwBAgEwPAYDVR0fBDUw
MzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlTdGFuZGFyZFNTTENB
LmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0dHA6Ly9jcnQuZ2Fu
ZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9vY3NwLmdhbmRpLm5ldDAlBgNVHREEHjAcggpncm9zam8ubmV0gg53d3cuZ3Jv
c2pvLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEARgrw0G7BqzKg7KWYP0mbLEKevI5A
6aNsoxbvu9mQoKVRdF2T3qOeJtp94djI9MMVNCxfOOZukp/W5e/6vkf/3K+UQUBZ
TpVn5RxZlt5d4SOdBdXTNRmLQgGryTBVkzQvZZOHs+K5OgHGs2pPcUQcpBiZ1Vbi
cB/V/Z9lFfStouNzUigSrqH2fUzakiCFfplerdmgKiZeNyCgF4EmEFHbTmbn3L4y
puReKLl87tnZgtqxKeNjsrm+6/KLc0qZs2rZtprQ9UGKNZXRW0fzC7DFB/kC+AoX
aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4015 bytes and written 134 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
06931224B1AC2DCC58EB31033B3B9C3D25D3F11472B6B314DA4C02ED5D0D999398534D06D66C0FFEE6393071E3B14BB1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Compression: 1 (zlib compression)
Start Time: 1365976854
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
(I am assuing Postfix is configured with
wrapper mode on port 465 aka "smtps") based on your reported master.cf:
YES
