On Monday 04 December 2017 13:19:41 Giovanni Bechis wrote:
> On 11/10/17 17:46, Joel Sing wrote:
> [...]
>
> > I suspect this is going to be difficult to track down without being able
> > to see what is on the wire (tcpdump or 'smtpd_tls_loglevel = 3' in
> > postfix) or being able to reproduce/trigger TLS sessions from the client.
>
> postfix log file with 'smtpd_tls_loglevel = 3' attached.
> Thanks & Cheers
> Giovanni
Looking at this more closely, it is actually a different problem from the
originally reported issue (wrong version number):
Dec 4 13:09:30 thor postfix/smtpd[91646]: connect from
sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
Dec 4 13:09:31 thor postfix/smtpd[91646]: setting up TLS connection from
sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
Dec 4 13:09:31 thor postfix/smtpd[91646]:
sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:before/accept
initialization
...
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client hello B
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server hello A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write certificate A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write key exchange A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server done A
...
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 flush data
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client
certificate A
Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003]
(5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003]
(5 bytes => 5 (0x5))
Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 15 03 03 00 02
.....
Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA008]
(2 bytes => 2 (0x2))
Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 02 2e
..
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL3 alert read:fatal:certificate
unknown
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:failed in SSLv3 read
client key exchange A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept error from
sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: 0
Dec 4 13:09:31 thor postfix/smtpd[91646]: warning: TLS library problem:
error:14037416:SSL routines:ACCEPT_SR_KEY_EXCH:sslv3 alert certificate
unknown:/usr/src/lib/libssl/ssl_pkt.c:1205:SSL alert number 46:
Dec 4 13:09:31 thor postfix/smtpd[91646]: lost connection after STARTTLS from
sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
Dec 4 13:09:31 thor postfix/smtpd[91646]: disconnect from
sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42] ehlo=1 starttls=0/1
commands=1/2
In this case the client hello has been received and the server
hello/certificate/key exchange/done has been sent, before the other side
responds with a "certificate unknown" alert - this suggests that the TLS
client is actually expecting to do some form of certificate verification
and this is failing.
Was this working prior to OpenBSD 6.2?
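Decoding the two reads postfix logged above (the 5-byte record header `15 03 03 00 02` followed by the 2-byte alert body `02 2e`) confirms the alert by hand: a TLS 1.2 record-layer alert, level fatal (2), description 46 (certificate_unknown), which matches the "SSL alert number 46" in the LibreSSL error string and shows this is not the wrong-version-number problem from the original report. This is an added example, not code from the thread; the record layout and alert codes are from RFC 5246 and the input bytes are constructed from the log.

```python
"""Decode a plaintext TLS alert record such as the one in the postfix log."""
import struct
from dataclasses import dataclass

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 AlertDescription values seen around certificate handling.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
}

@dataclass
class TlsAlert:
    version: tuple          # record-layer version bytes, (3, 3) == TLS 1.2
    level: str
    description: str
    code: int

def parse_alert_record(buf: bytes):
    """Parse one TLS record from buf. Returns (alert, rest), or (None, buf) if the
    buffer is still incomplete, as after the 5-byte read that returned -1 in the log."""
    if len(buf) < 5:
        return None, buf                                  # header not yet complete
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype != 21:
        raise ValueError(f"not an alert record: {CONTENT_TYPES.get(ctype, ctype)}")
    if len(buf) < 5 + length:
        return None, buf                                  # body not yet complete
    if length != 2:
        # Alerts sent after the handshake are encrypted and longer than 2 bytes;
        # this one arrives mid-handshake, so it is plaintext and decodable.
        raise ValueError(f"encrypted or malformed alert, length {length}")
    level, desc = buf[5], buf[6]
    alert = TlsAlert((major, minor), ALERT_LEVELS.get(level, f"unknown({level})"),
                     ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"), desc)
    return alert, buf[5 + length:]

# Constructed from the two reads in the log: the record header, then the body.
LOGGED_HEADER = bytes.fromhex("1503030002")
LOGGED_BODY = bytes.fromhex("022e")

def decode_logged_alert() -> TlsAlert:
    """Feed the header alone (incomplete), then header plus body."""
    partial, _ = parse_alert_record(LOGGED_HEADER)
    assert partial is None, "header alone must not yield an alert"
    alert, _ = parse_alert_record(LOGGED_HEADER + LOGGED_BODY)
    return alert

if __name__ == "__main__":
    a = decode_logged_alert()
    print(f"TLS record {a.version} alert {a.level}: {a.description} ({a.code})")
```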