> Can you run the openssl test again in debug mode and post the openssl
> debug log (Note that this will expose some details of your certificates
> etc.). Also, when you're typing into the openssl app, pause say a couple
> seconds between each command just to make sure all the SSL protocol is
> complete each time between commands.
>
> # for --tls mode on tofmipd:
> openssl s_client -connect HOST:PORT -state -debug -crlf -starttls smtp
Sure. The debug output appended below has been reduced in a few cases, leaving some details out that I might not want others to know. (I don't know enough about certificates to know what should be revealed, although I would hardly believe SSL would expose any private matters to the openssl client.)

The SSL connection gets as far as 220 home.blazingangles.com ESMTP tmda-ofmipd, but then it crashes when I try the EHLO command. I also tried an "AUTH PLAIN <base-64 encoded username and password>", "QUIT", an invalid command, as well as an empty string (i.e., just "enter"), all with the same result.

I noticed the "error" in the certificate verification, but I guess that's the warning that the certificate isn't trusted. My email clients (both of them) warn about this and let me trust it permanently or temporarily.

The crash occurs as soon as I press enter after entering the EHLO (or whatever) command.

--Ole

====================================================
$ openssl s_client -connect smtp.blazingangles.com:8025 -state -debug -crlf -starttls smtp

Debug output:

CONNECTED(00000003)
read from 0x9189bd8 [0x91848e0] (8192 bytes => 46 (0x2E))
0000 - 32 32 30 20 68 6f 6d 65-2e 62 6c 61 7a 69 6e 67   220 home.blazing
0010 - 61 6e 67 6c 65 73 2e 63-6f 6d 20 45 53 4d 54 50   angles.com ESMTP
0020 - 20 74 6d 64 61 2d 6f 66-6d 69 70 64 0d 0a          tmda-ofmipd..
write to 0x9189bd8 [-0x40537408] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                      STARTTLS..
read from 0x9189bd8 [0x91828d8] (8192 bytes => 24 (0x18))
0000 - 32 32 30 20 52 65 61 64-79 20 74 6f 20 73 74 61   220 Ready to sta
0010 - 72 74 20 54 4c 53 0d 0a-                           rt TLS..
SSL_connect:before/connect initialization
write to 0x9189bd8 [0x9189c20] (133 bytes => 133 (0x85))
0000 - 80 83 01 03 01 00 5a 00-00 00 20 00 00 39 00 00   ......Z... ..9..
....
0080 - ae 15 60 ad 0b                                     ..`..
SSL_connect:SSLv2/v3 write client hello A
read from 0x9189bd8 [0x918f180] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 2a 02                                  ....*.
0007 - <SPACES/NULS>
read from 0x9189bd8 [0x918f187] (40 bytes => 40 (0x28))
0000 - 00 26 03 01 00 ee 96 a6-f1 e5 80 2a 8b 6d fb 0a   .&.........*.m..
....
0028 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 04 42                                     ....B
read from 0x9189bd8 [0x918f185] (1090 bytes => 1090 (0x442))
0000 - 0b 00 04 3e 00 04 3b 00-04 38 30 82 04 34 30 82   ...>..;..80..40.
....
0440 - 42 65                                              Be
depth=0 /C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04                                     .....
read from 0x9189bd8 [0x918f185] (4 bytes => 4 (0x4))
0000 - 0e                                                 .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x9189bd8 [0x919a440] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7d ad 6a 2a c7   ...........}.j*.
....
0080 - 91 88 42 ec 1a 31 9c 2f-8c fe d0                   ..B..1./...
SSL_connect:SSLv3 write client key exchange A
write to 0x9189bd8 [0x919a440] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                  ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x9189bd8 [0x919a440] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 c6 88 83-cb 4d 3e 14 e4 5a bb 57   ....0....M>..Z.W
....
0030 - da 80 16 da ed                                     .....
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                     .....
read from 0x9189bd8 [0x918f185] (1 bytes => 1 (0x1))
0000 - 01                                                 .
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30                                     ....0
read from 0x9189bd8 [0x918f185] (48 bytes => 48 (0x30))
0000 - 33 79 c4 c7 54 24 36 d4-dd 3e cd 53 9f aa 78 61   3y..T$6..>.S..xa
....
0020 - e8 4c c7 e7 1c 95 f7 7e-ce de 47 a5 d1 e4 51 87   .L.....~..G...Q.
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
   i:/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENDCCA52gblahblahblahblahblahblahblahblahblahblahblahblahblah
....
In+8sVMKVxWTblahblahblahblahblah
-----END CERTIFICATE-----
subject=/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
issuer=/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1280 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 55..............................................................................................
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1200304756
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 home.blazingangles.com ESMTP tmda-ofmipd
====================================================

(Entered:)
EHLO home.blazingangles.com

Debug output:

write to 0x9189bd8 [0x9193990] (106 bytes => 106 (0x6A))
0000 - 17 03 01 00 20 e0 c4 fb-51 67 7e df 60 80 ab ef   .... ...Qg~.`...
....
0060 - d4 b6 6f 2d b2 9b a7 2e-11 7c                      ..o-.....|
read from 0x9189bd8 [0x918f180] (5 bytes => 0 (0x0))
read:errno=0
write to 0x9189bd8 [0x9193990] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d4 69 2b-c8 aa 36 3d 23 0d 5a b0   .... .i+..6=#.Z.
....
0020 - 82 77 47 20 a8                                     .wG .
SSL3 alert write:warning:close notify
====================================================

The corresponding debug output from tmda-ofmipd is as follows:

# tmda-ofmipd -d -f -p 0.0.0.0:8025 -R pop3://localhost --tls=optional --ssl-key=/var/qmail/ssl/smtphost.key --ssl-cert=/var/qmail/ssl/smtphost.cert
auth method: pop3://localhost:110/
**********************************************************************
WARNING: The security implications and risks of running /usr/bin/tmda-ofmipd
in "seteuid" mode have not been fully evaluated. If you are uncomfortable
with this, quit now and instead run /usr/bin/tmda-ofmipd under your
non-privileged TMDA user account.
**********************************************************************
tmda-ofmipd started at Mon, 14 Jan 2008 11:11:19 +0100
Listening on 0.0.0.0:8025
Incoming connection from: ('192.168.1.2', 55979)
Incoming connection to: ('192.168.1.2', 8025)
Data: 'STARTTLS'
Data: 'EHLO home.blazingangles.com'
error: uncaptured python exception, closing channel <__main__.SMTPSession connected 192.168.1.2:55979 at 0x9e84d4c> (<type 'exceptions.ValueError'>:
 [/usr/lib/python2.5/asyncore.py|read|68]
 [/usr/lib/python2.5/asyncore.py|handle_read_event|390]
 [/usr/bin/tmda-ofmipd|handle_read|1285]
 [/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|inReadEvent|132]
 [/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|_doReadOp|177]
 [/usr/bin/tmda-ofmipd|outReadEvent|1312]
 [/usr/lib/python2.5/asynchat.py|handle_read|137]
 [/usr/bin/tmda-ofmipd|found_terminator|222]
 [/usr/bin/tmda-ofmipd|smtp_EHLO|463]
 [/usr/bin/tmda-ofmipd|push|189]
 [/usr/lib/python2.5/asynchat.py|push|160]
 [/usr/lib/python2.5/asynchat.py|initiate_send|219]
 [/usr/bin/tmda-ofmipd|send|1331]
 [/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|setWriteOp|231]
 [/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|_doWriteOp|181]
 [/usr/lib/python2.5/site-packages/tlslite/TLSRecordLayer.py|writeAsync|254])

_____________________________________________
tmda-users mailing list (tmda-users@tmda.net)
http://tmda.net/lists/listinfo/tmda-users
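Reading an `openssl s_client -debug` dump by hand is tedious, so here is a small decoder for it, added as an example that is not part of the post above and not code from TMDA or tlslite. It parses the "read from"/"write to" blocks and their hex-dump lines, recovers the bytes, and labels each transfer: the cleartext SMTP exchange before STARTTLS, the SSLv2-format ClientHello that OpenSSL's SSLv2/v3 mode sends first, each TLS record with its content type, version and length (plus the handshake message type while the direction is still in cleartext), and the zero-byte read that means the peer closed the socket. The sample log is constructed from the dump lines quoted in the post; for records the poster trimmed, only the first dump line is kept, since the decoder needs no more than the record header. Names such as `parse_debug`, `Transfer` and `SAMPLE_LOG` are this example's own.

```python
"""Decode the transfers in `openssl s_client -debug` output.

Added example: not code from the post, from TMDA or from tlslite.  It takes
the "read from"/"write to" blocks and their hex-dump lines, recovers the bytes
and labels each transfer: cleartext SMTP before STARTTLS, the SSLv2-format
ClientHello, TLS records (type, version, length) and the 0-byte read (EOF).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: dump lines copied from the post; trimmed records keep only their first line.
SAMPLE_LOG = """\
read from 0x9189bd8 [0x91848e0] (8192 bytes => 46 (0x2E))
0000 - 32 32 30 20 68 6f 6d 65-2e 62 6c 61 7a 69 6e 67   220 home.blazing
0010 - 61 6e 67 6c 65 73 2e 63-6f 6d 20 45 53 4d 54 50   angles.com ESMTP
0020 - 20 74 6d 64 61 2d 6f 66-6d 69 70 64 0d 0a          tmda-ofmipd..
write to 0x9189bd8 [-0x40537408] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                      STARTTLS..
write to 0x9189bd8 [0x9189c20] (133 bytes => 133 (0x85))
0000 - 80 83 01 03 01 00 5a 00-00 00 20 00 00 39 00 00   ......Z... ..9..
read from 0x9189bd8 [0x918f180] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 2a 02                                  ....*.
0007 - <SPACES/NULS>
write to 0x9189bd8 [0x919a440] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                  ......
write to 0x9189bd8 [0x919a440] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 c6 88 83-cb 4d 3e 14 e4 5a bb 57   ....0....M>..Z.W
write to 0x9189bd8 [0x9193990] (106 bytes => 106 (0x6A))
0000 - 17 03 01 00 20 e0 c4 fb-51 67 7e df 60 80 ab ef   .... ...Qg~.`...
read from 0x9189bd8 [0x918f180] (5 bytes => 0 (0x0))
read:errno=0
write to 0x9189bd8 [0x9193990] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d4 69 2b-c8 aa 36 3d 23 0d 5a b0   .... .i+..6=#.Z.
"""

HDR_RE = re.compile(r"^(read from|write to) 0x[0-9a-fA-F]+ \[-?0x[0-9a-fA-F]+\] "
                    r"\(\d+ bytes => (\d+) \(0x[0-9a-fA-F]+\)\)")
DUMP_RE = re.compile(r"^[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -]?)+)")
CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

@dataclass
class Transfer:
    direction: str      # "read" or "write"
    length: int         # bytes the socket call actually moved
    data: bytes = b""   # bytes recovered from the dump lines (may be only a prefix)
    kind: str = ""      # cleartext / sslv2-hello / record / body / eof
    detail: str = ""

def _label(t: Transfer, encrypted: bool) -> None:
    d = t.data
    if t.length == 0:
        t.kind, t.detail = "eof", "0-byte read: peer closed the connection"
    elif len(d) >= 5 and d[0] & 0x80 and d[2] == 1:
        # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
        # message type 1, then the highest protocol version the client offers.
        body = ((d[0] & 0x7F) << 8) | d[1]
        ver = VERSIONS.get((d[3], d[4]), f"{d[3]}.{d[4]}")
        t.kind, t.detail = "sslv2-hello", f"ClientHello offering {ver}, {body}-byte body"
    elif len(d) >= 5 and d[0] in CONTENT and d[1] == 3:
        rec_len = (d[3] << 8) | d[4]                 # 5-byte header: type, version, length
        note = f"{CONTENT[d[0]]} {VERSIONS.get((d[1], d[2]), f'{d[1]}.{d[2]}')} length {rec_len}"
        if encrypted:
            note += " (encrypted)"
        elif d[0] == 22 and len(d) > 5:              # handshake type is readable only in cleartext
            note += f": {HANDSHAKE.get(d[5], 'type %d' % d[5])}"
        extra = t.length - 5 - rec_len
        if extra > 0:                                # the write carried more than one record
            note += f"; {extra} more bytes in this {t.direction} (a further record)"
        t.kind, t.detail = "record", note
    elif d and all(32 <= b < 127 or b in (10, 13) for b in d):
        t.kind, t.detail = "cleartext", d.decode("ascii").rstrip("\r\n")
    else:
        t.kind, t.detail = "body", "record body (header was read separately)"

def parse_debug(text: str) -> List[Transfer]:
    """Split a -debug log into labelled transfers, in order."""
    transfers: List[Transfer] = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            transfers.append(Transfer("read" if m[1] == "read from" else "write", int(m[2])))
            continue
        m = DUMP_RE.match(line)
        if m and transfers:                          # "<SPACES/NULS>" lines do not match
            transfers[-1].data += bytes.fromhex(re.sub(r"[ -]", "", m[1]))[:16]
    encrypted: Dict[str, bool] = {"read": False, "write": False}
    for t in transfers:
        _label(t, encrypted[t.direction])
        if t.kind == "record" and t.data[0] == 20:
            encrypted[t.direction] = True            # everything after ChangeCipherSpec is ciphertext
    return transfers

def summarize(text: str) -> List[str]:
    return [f"{t.direction:5} {t.length:5d}  {t.kind:11} {t.detail}" for t in parse_debug(text)]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run against the quoted dump, the decoder makes two points of the log visible without counting bytes by hand. The 106-byte write that carries the EHLO line starts with a record whose declared length is only 32 (0x20) bytes, so the write holds two records; with a CBC cipher such as AES256-SHA that is the pattern of an empty application-data record (20-byte MAC plus padding) followed by a second record with the actual line. And the read that follows is 0 bytes with errno=0, which is a plain TCP close by the server rather than a TLS alert, matching the "closing channel" in the tmda-ofmipd trace; the close_notify alert seen afterwards is the client's, sent on its way out. Keep in mind that the verify return code 18 ("self signed certificate") in the same log means s_client checked nothing about the server's identity, so the debug session is fine for diagnosing the crash but says nothing about whether a real client would be talking to the right host.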