Re: Postfix / OpenSSL signal 11 on delivery from ebay

[Viktor Dukhovni]

On Sat, Mar 21, 2015 at 08:00:55PM -0400, Wietse Venema wrote:

> 
> /usr/local/bin/openssl s_client -no_ssl2 -cipher aNULL -connect localhost:25 
> -starttls smtp
> WARNING: can't open config file: /usr/local/openssl/openssl.cnf
> CONNECTED(00000003)
> 34381555576:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> failure:s23_lib.c:184:

Actually, I think you *are* reproducing the problem.  See the line
above!  The server aborts late in the handshake which does not
complete, but the client outputs the detail below.

> New, TLSv1/SSLv3, Cipher is AECDH-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AECDH-AES256-SHA
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 
> 7AFFF449AB83D64206D1F5855CAD2FA21A2F96CFFE485C2B0F61351676D1FF7B9AF061D0FBC4D4241BEBDE39EB505EA0
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Compression: 1 (zlib compression)
>     Start Time: 1426982287
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---

If you got your prompt back after this, the connection broke (which
is what I get below).  In particular:

    34381530680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:s23_lib.c:177:

You should likely see segfaults from the server in the logs...

-- 
        Viktor.

# /usr/local/bin/openssl s_client -starttls smtp -no_ssl2 -cipher aNULL -msg 
-tlsextdebug -connect 127.0.0.1:2525
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 00c3], ClientHello
<<< TLS 1.2 Handshake [length 0056], ServerHello
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
<<< TLS 1.2 Handshake [length 010b], ServerKeyExchange
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0086], ClientKeyExchange
>>> TLS 1.2 ChangeCipherSpec [length 0001]
>>> TLS 1.2 Handshake [length 0010], Finished
34381530680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 587 bytes and written 199 bytes
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-GCM-SHA384
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ADH-AES256-GCM-SHA384
    Session-ID: 84D7CFE809814B40CA7AE25F94D3EDC1C2E3EB32805A69C8A128E0D0CA7A7055
    Session-ID-ctx: 
    Master-Key: 
EC89F8BDA7208972AD7D71D144EDBA9F365E207DA1DEFB829EC8EBCF29448D44F7A20B94AC73D74B1418E0075B2BC19D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1426983439
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---