On Wed, Jun 15, 2022 at 11:09:10PM +0530, P V Anthony wrote:

> Unfortunately I am not experienced enough to find the problem from the logs.
> 
> Any suggestions?
> 
> Please note, I am still finding how to force renew with the letsencrypt 
> certs with the new renewal settings.
> 
> -------------------- start ------------------------
> Jun 15 21:13:15 mail postfix/smtpd[887899]: connect from ansmtp.ariba.com[216.109.104.12]
> Jun 15 21:13:15 mail postfix/smtpd[887899]: discarding EHLO keywords: CHUNKING
> Jun 15 21:13:15 mail postfix/smtpd[887899]: setting up TLS connection from ansmtp.ariba.com[216.109.104.12]
> Jun 15 21:13:15 mail postfix/smtpd[887899]: ansmtp.ariba.com[216.109.104.12]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:before SSL initialization
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:before SSL initialization
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS read client hello
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write server hello
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write certificate
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write key exchange
> Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write server done
> Jun 15 21:13:16 mail postfix/smtpd[887899]: SSL_accept:error in SSLv3/TLS write server done
> Jun 15 21:13:16 mail postfix/smtpd[887899]: SSL_accept error from ansmtp.ariba.com[216.109.104.12]: Connection reset by peer

So the client drops the connection (without sending a helpful alert) in
the middle of the server sending TLS HELLO, certificate chain, (EC)DH
key exchange and TLS finished with the last write failing.

So it objected to the HELLO parameters, the certificate chain or (EC)DH
parameters.

Now you need to get a 2048-bit certificate, and change DH parameters to
2048-bit (from 4096).

A PCAP file (tcpdump capture) of traffic from "216.109.104.12" would be
useful, if even after setting less crypto maximalist parameters the
connection still fails.

    # tcpdump -s0 -w /tmp/ariba.pcap tcp port 25 and host 216.109.104.12 &

After the next transmission fails, terminate the background job with a
SIGINT.

    # kill -INT %1

That'll flush any pending packets from memory to the PCAP file.  You
can share the PCAP file with me off-list.

-- 
    Viktor.
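
The diagnosis above (the client reset the connection after the full server flight was written, so the objection lies in the hello parameters, certificate chain or (EC)DH parameters) can be automated for a batch of smtpd log lines. The script below is an added example and not part of the thread; it assumes the default Postfix syslog line format and that smtpd_tls_loglevel is high enough to emit the SSL_accept: state lines. The sample log is the one quoted in the thread with the mail-client line wrapping removed; the function names (analyze, diagnose) are this example's own.

```python
"""Summarise the TLS handshake progress of each Postfix smtpd process.

Added example, not code from the thread. Assumes Postfix's default syslog
format ("<ts> <host> postfix/smtpd[<pid>]: <message>") and the SSL_accept:
state lines that smtpd_tls_loglevel >= 2 produces.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+)$")
CIPHER_RE = re.compile(r'TLS cipher list "(?P<list>[^"]+)"')
# "SSL_accept:error in <step>" must not be mistaken for a completed step.
STEP_ERR_RE = re.compile(r"^SSL_accept:error in (?P<step>.+)$")
STEP_RE = re.compile(r"^SSL_accept:(?P<step>(?!error).+)$")
FAIL_RE = re.compile(r"^SSL_accept error from (?P<peer>\S+): (?P<reason>.+)$")

# Order in which a TLS 1.2 server writes its first flight (OpenSSL state names).
SERVER_FLIGHT = [
    "SSLv3/TLS write server hello",
    "SSLv3/TLS write certificate",
    "SSLv3/TLS write key exchange",
    "SSLv3/TLS write server done",
]

# Sample input: the log quoted in the thread, one record per line.
SAMPLE_LOG = """\
Jun 15 21:13:15 mail postfix/smtpd[887899]: connect from ansmtp.ariba.com[216.109.104.12]
Jun 15 21:13:15 mail postfix/smtpd[887899]: discarding EHLO keywords: CHUNKING
Jun 15 21:13:15 mail postfix/smtpd[887899]: setting up TLS connection from ansmtp.ariba.com[216.109.104.12]
Jun 15 21:13:15 mail postfix/smtpd[887899]: ansmtp.ariba.com[216.109.104.12]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:before SSL initialization
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:before SSL initialization
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS read client hello
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write server hello
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write certificate
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write key exchange
Jun 15 21:13:15 mail postfix/smtpd[887899]: SSL_accept:SSLv3/TLS write server done
Jun 15 21:13:16 mail postfix/smtpd[887899]: SSL_accept:error in SSLv3/TLS write server done
Jun 15 21:13:16 mail postfix/smtpd[887899]: SSL_accept error from ansmtp.ariba.com[216.109.104.12]: Connection reset by peer
""".splitlines()


def analyze(lines):
    """Return an ordered {pid: session} map of handshake progress per smtpd process."""
    sessions = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an smtpd line (or a wrapped fragment); skip it
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"peer": None, "cipherlist": None,
                                      "steps": [], "failed_step": None, "error": None})
        if (c := CONNECT_RE.match(msg)):
            s["peer"] = c.group("peer")
        elif (c := CIPHER_RE.search(msg)):
            s["cipherlist"] = c.group("list")
        elif (c := STEP_ERR_RE.match(msg)):
            s["failed_step"] = c.group("step")
        elif (c := STEP_RE.match(msg)):
            step = c.group("step")
            if not s["steps"] or s["steps"][-1] != step:  # collapse repeated states
                s["steps"].append(step)
        elif (c := FAIL_RE.match(msg)):
            s["error"] = c.group("reason")
    return sessions


def diagnose(s):
    """Describe how far the handshake got before the peer gave up."""
    if s["error"] is None:
        return "no SSL_accept error logged"
    if "SSLv3/TLS read client hello" not in s["steps"]:
        return "failed before a ClientHello was read: %s" % s["error"]
    sent = [step for step in SERVER_FLIGHT if step in s["steps"]]
    if sent == SERVER_FLIGHT:
        return ("peer %s aborted (%s) after the whole server flight "
                "(hello, certificate, key exchange, done) was written; "
                "suspect hello parameters, certificate chain or (EC)DH parameters"
                % (s["peer"], s["error"]))
    return "peer %s aborted (%s) after: %s" % (
        s["peer"], s["error"], ", ".join(sent) or "nothing written")


if __name__ == "__main__":
    for pid, session in analyze(SAMPLE_LOG).items():
        print("smtpd[%s] %s: %s" % (pid, session["peer"], diagnose(session)))
```

Run it over `grep postfix/smtpd /var/log/mail.log` instead of SAMPLE_LOG to check every failing peer at once; a session that stops at "read client hello" points at a hello/cipher mismatch rather than at the certificate or DH parameters, which is the distinction the reply above draws.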
