On Friday 10 November 2017 11:58:04 Stuart Henderson wrote:
>
> From an irc contact using LibreSSL 2.6.3 on FreeBSD:
> 
> 11:14 < matt> Nov 10 11:06:06 tao postfix/smtpd[77685]: Anonymous TLS connection established from email.morrisons.com[192.86.55.223]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> 11:14 < matt> had to switch postfix to openssl temporarily to get that
> ...
> 11:26 < matt> using libressl 2.6.x I get this from morrisons:
> 11:27 < matt> Nov 10 10:55:57 tao postfix/smtpd[5996]: SSL_accept error from email.morrisons.com[192.86.55.223]: -1
> 11:27 < matt> Nov 10 10:55:57 tao postfix/smtpd[5996]: warning: TLS library problem: error:1403710B:SSL routines:ACCEPT_SR_KEY_EXCH:wrong version number:ssl_pkt.c:376:
> 11:27 < matt> Nov 10 10:55:57 tao postfix/smtpd[5996]: lost connection after STARTTLS from email.morrisons.com[192.86.55.223]
> 11:27 < matt> worked fine on 2.5.x
> ...
> 11:55 < matt> odd then. but yeah. works fine in 2.5.x, breaks in 2.6.x
> 11:56 < matt> it was actually broken on 2.6.0
>
> And Bernard mentioned similar yesterday.
> 
> 18:55 < Barnerd> Trusted TLS connection established from russian-caravan.cloud9.net[2604:8d00:0:1::4]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) is all I really know
> 18:58 < Barnerd> Cipher works OK with OpenSMTPd :D
> 
> matt has the mail accepted now and they're not triggerable remotely
> (most of their mails are sent via messagelabs, only certain marketing
> mails are sent this way) so I can't get a pcap or test on-demand. 
> 
> Code generating the error message here:
> 
> 374                 /* Lets check version */
> 375                 if (!s->internal->first_packet && ssl_version != s->version) {
> 376                         SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
> 377                         if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&
> 378                             !s->internal->enc_write_ctx && !s->internal->write_hash)
> 379                                 /* Send back error using their minor version number :-) */
> 380                                 s->version = ssl_version;
> 381                         al = SSL_AD_PROTOCOL_VERSION;
> 382                         goto f_err;
> 383                 }
> 
> It hasn't really changed recently, the SSLerror line was touched due to
> refactoring but no real changes there.
> 
> Any ideas?

This effectively suggests that during the TLS handshake (while we're expecting
the Client Key Exchange) the client is sending a record that has a version
number that does not match what we sent in the Server Hello, which is rather
strange. Out of the changes between 2.5.3 and 2.6.0, the only version-related
change was the addition of SSL_{,CTX_}set_{min,max}_proto_version(). However,
that seems unlikely to result in specific client breakage.

I suspect this is going to be difficult to track down without being able to see
what is on the wire (tcpdump or 'smtpd_tls_loglevel = 3' in postfix) or being
able to reproduce/trigger TLS sessions from the client.
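
As an added illustration, not part of the original thread and not LibreSSL code: a small C helper that applies the version test from the quoted ssl_pkt.c lines to the client-to-server bytes of a capture, to locate the first record whose header version differs from the negotiated one. The names `scan_records`, `struct scan_result` and `sample_stream` are hypothetical, and the sample bytes are constructed with placeholder record bodies, not taken from the failing session.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_HDR_LEN 5   /* type(1) + version(2) + length(2) */

struct scan_result {
    int records;        /* complete records parsed */
    int mismatch_index; /* first record failing the check, -1 if none */
    uint16_t seen;      /* version carried in that record's header */
    int same_major;     /* 1 if only the minor version differs */
};

/* Constructed client-to-server bytes; record bodies are placeholders. */
static const uint8_t sample_stream[] = {
    0x16, 0x03, 0x01, 0x00, 0x02, 0xAA, 0xAA,  /* record 0 (first packet) */
    0x16, 0x03, 0x00, 0x00, 0x01, 0xBB,        /* record 1: header says 3.0 */
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01,        /* record 2: header says 3.1 */
};

/* First record is exempt; later headers must carry the negotiated version. */
static struct scan_result
scan_records(const uint8_t *buf, size_t len, uint16_t negotiated)
{
    struct scan_result r = { 0, -1, 0, 0 };
    size_t off = 0;

    while (len - off >= TLS_HDR_LEN) {
        uint16_t ver = (uint16_t)(buf[off + 1] << 8 | buf[off + 2]);
        size_t body = (size_t)(buf[off + 3] << 8 | buf[off + 4]);
        if (len - off - TLS_HDR_LEN < body)
            break;  /* truncated capture: stop at the last full record */
        if (r.records > 0 && ver != negotiated && r.mismatch_index < 0) {
            r.mismatch_index = r.records;
            r.seen = ver;
            r.same_major = (ver & 0xFF00) == (negotiated & 0xFF00);
        }
        r.records++;
        off += TLS_HDR_LEN + body;
    }
    return r;
}

int main(void) {
    struct scan_result r = scan_records(sample_stream, sizeof(sample_stream), 0x0301);
    printf("records=%d mismatch=%d seen=0x%04x same_major=%d\n",
        r.records, r.mismatch_index, r.seen, r.same_major);
    return 0;
}
```

The buffer is assumed to hold only the client's side of the TCP stream after STARTTLS, reassembled in order, and the negotiated version is the one from the Server Hello.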
