On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:
> Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from
> client.example[192.0.2.25]:34152: -1
>
> I traced some sessions and found the problematic client is announcing
> the special cipher "TLS_FALLBACK_SCSV"
> in a TLSv1.2 ClientHello message. Now, as my server support TLSv1.3,
> my SSL library (openssl-1.1.1) assume a downgrade attack an close the
> connection with an SSL error message "inappropriate fallback"
PCAP files of traffic from such clients would be quite useful.
Especially, if the use of the SCSV is preceded by a failed TLS 1.3
handshake. Is there any evidence in your logs of the client attempting
some sort of connection shortly before the TLS 1.2 + SCSV?
> The core issue is a client with a nonconforming TLS implementation.
Or a middle-box between the client and your server that makes TLS
1.3 fail, with the client then retrying with TLS 1.2 + SCSV.
Please investigate further, if at all possible. Logs, PCAP files,
... The PCAP files should not be too sensitive, since presumably
the traffic is still encrypted, leaving only the IP addresses and
client/server hostnames (banner and EHLO) in the clear.
You can send me any PCAP files off-list. Since I'm also on the
OpenSSL team, insight into interoperability problems is of some
interest beyond just how to work around this in Postfix. And
of course it would be good to have better work-arounds than
completely disabling TLS 1.3.
--
Viktor.
