Viktor Dukhovni:
> On Sat, Mar 21, 2015 at 08:00:55PM -0400, Wietse Venema wrote:
>
> > /usr/local/bin/openssl s_client -no_ssl2 -cipher aNULL -connect
> > localhost:25 -starttls smtp
> > WARNING: can't open config file: /usr/local/openssl/openssl.cnf
> > CONNECTED(00000003)
> > 34381555576:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > failure:s23_lib.c:184:
>
> Actually, I think you *are* reproducing the problem. See the line
> above! The server aborts late in the handshake which does not
> complete, but the client outputs the detail below.
>
> > New, TLSv1/SSLv3, Cipher is AECDH-AES256-SHA
> > Secure Renegotiation IS supported
> > Compression: zlib compression
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : AECDH-AES256-SHA
> >     Session-ID:
> >     Session-ID-ctx:
> >     Master-Key:
> > 7AFFF449AB83D64206D1F5855CAD2FA21A2F96CFFE485C2B0F61351676D1FF7B9AF061D0FBC4D4241BEBDE39EB505EA0
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Compression: 1 (zlib compression)
> >     Start Time: 1426982287
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)

This output led me to believe that the client reported results for
an actual session. I was under time pressure last night, so I did
not look for further trouble.

BTW mysql does not link in its own libz. Postfix links the system
libz because MYSQL_README requires it:

    Postfix pre 3.0:

    make -f Makefile.init makefiles \
        'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
        'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'

So the next step is to remove the mysql client from the build. If
that works, then we could explore OpenSSL builds with libz support,
but without libz dynamic loading.

        Wietse
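
Added example, not part of either message above: a check that reads an s_client transcript and refuses to trust the session summary when an error-queue line like the one quoted above is present. The function names and the sample transcript are constructed for illustration; the error-line layout is assumed to be the one shown in the quoted output.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an `openssl s_client` transcript
# (stdout and stderr combined) on stdin. Exit status is 0 only when no OpenSSL
# error-queue line is present; the session summary alone is not trusted.
sclient_verdict() {
    awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
    # Error-queue line: <id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:
    /^[0-9]+:error:[0-9A-Fa-f]+:/ {
        split($0, f, ":")
        if (nerr++) errs = errs "; "
        errs = errs f[6]                     # sixth field is the reason text
    }
    /^[ \t]+Cipher[ \t]*:/ { cipher = val($0) }   # indented line of the session block
    /^Compression:/        { comp = val($0) }     # top-level negotiated compression
    END {
        detail = sprintf("cipher=%s, compression=%s", cipher, comp)
        if (nerr) { printf "FAILED: %s (reported %s)\n", errs, detail; exit 1 }
        printf "OK: %s\n", detail
    }'
}

# Constructed sample modelled on the quoted output (key material left out).
sample_transcript() {
    cat <<'EOF'
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000003)
34381555576:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
New, TLSv1/SSLv3, Cipher is AECDH-AES256-SHA
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AECDH-AES256-SHA
    Compression: 1 (zlib compression)
    Verify return code: 0 (ok)
EOF
}

# Prints the FAILED verdict for the sample; "|| true" keeps the script going.
sample_transcript | sclient_verdict || true
```

To capture a real transcript for it, redirect both streams of the s_client command into the function, since the error line and the session block may arrive on different streams.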