> Can you run the openssl test again in debug mode and post the openssl
> debug log (Note that this will expose some details of your certificates
> etc.). Also, when you're typing into the openssl app, pause say a couple
> seconds between each command just to make sure all the SSL protocol is
> complete each time between commands.
>
> # for --tls mode on tofmipd:
> openssl s_client -connect HOST:PORT -state -debug -crlf -starttls smtp

Sure. The debug output appended below has been reduced in a few cases,
leaving some details out that I might not want others to know. (I
don't know enough about certificates to know what should be revealed,
although I would hardly believe SSL would expose any private matters
to the openssl client.)

The SSL connection gets as far as 220 home.blazingangles.com ESMTP
tmda-ofmipd, but then it crashes when I try the EHLO command. I also
tried an "AUTH PLAIN <base-64 encoded username and password>", "QUIT",
an invalid command, as well as an empty string (i.e., just "enter"),
all with the same result.

I noticed the "error" in the certificate verification, but I guess
that's the warning that the certificate isn't trusted. My email
clients (both of them) warn about this and let me trust it permanently
or temporarily. The crash occurs as soon as I press enter after
entering the EHLO (or whatever) command.

--Ole


====================================================

$ openssl s_client -connect smtp.blazingangles.com:8025 -state -debug \
    -crlf -starttls smtp

Debug output:

CONNECTED(00000003)
read from 0x9189bd8 [0x91848e0] (8192 bytes => 46 (0x2E))
0000 - 32 32 30 20 68 6f 6d 65-2e 62 6c 61 7a 69 6e 67   220 home.blazing
0010 - 61 6e 67 6c 65 73 2e 63-6f 6d 20 45 53 4d 54 50   angles.com ESMTP
0020 - 20 74 6d 64 61 2d 6f 66-6d 69 70 64 0d 0a          tmda-ofmipd..
write to 0x9189bd8 [-0x40537408] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0x9189bd8 [0x91828d8] (8192 bytes => 24 (0x18))
0000 - 32 32 30 20 52 65 61 64-79 20 74 6f 20 73 74 61   220 Ready to sta
0010 - 72 74 20 54 4c 53 0d 0a-                          rt TLS..
SSL_connect:before/connect initialization
write to 0x9189bd8 [0x9189c20] (133 bytes => 133 (0x85))
0000 - 80 83 01 03 01 00 5a 00-00 00 20 00 00 39 00 00   ......Z... ..9..
  ....
0080 - ae 15 60 ad 0b                                    ..`..
SSL_connect:SSLv2/v3 write client hello A
read from 0x9189bd8 [0x918f180] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 2a 02                                 ....*.
0007 - <SPACES/NULS>
read from 0x9189bd8 [0x918f187] (40 bytes => 40 (0x28))
0000 - 00 26 03 01 00 ee 96 a6-f1 e5 80 2a 8b 6d fb 0a   .&.........*.m..
  ....
0028 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 04 42                                    ....B
read from 0x9189bd8 [0x918f185] (1090 bytes => 1090 (0x442))
0000 - 0b 00 04 3e 00 04 3b 00-04 38 30 82 04 34 30 82   ...>..;..80..40.
  ....
0440 - 42 65                                             Be
depth=0 /C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04                                    .....
read from 0x9189bd8 [0x918f185] (4 bytes => 4 (0x4))
0000 - 0e                                                .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x9189bd8 [0x919a440] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7d ad 6a 2a c7   ...........}.j*.
  ....
0080 - 91 88 42 ec 1a 31 9c 2f-8c fe d0                  ..B..1./...
SSL_connect:SSLv3 write client key exchange A
write to 0x9189bd8 [0x919a440] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x9189bd8 [0x919a440] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 c6 88 83-cb 4d 3e 14 e4 5a bb 57   ....0....M>..Z.W
  ....
0030 - da 80 16 da ed                                    .....
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                    .....
read from 0x9189bd8 [0x918f185] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30                                    ....0
read from 0x9189bd8 [0x918f185] (48 bytes => 48 (0x30))
0000 - 33 79 c4 c7 54 24 36 d4-dd 3e cd 53 9f aa 78 61   3y..T$6..>.S..xa
  ....
0020 - e8 4c c7 e7 1c 95 f7 7e-ce de 47 a5 d1 e4 51 87   .L.....~..G...Q.
SSL_connect:SSLv3 read finished A
---
Certificate chain
  0 s:/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
    i:/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENDCCA52gblahblahblahblahblahblahblahblahblahblahblahblahblah
  ....
In+8sVMKVxWTblahblahblahblahblah
-----END CERTIFICATE-----
subject=/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
issuer=/C=DK/ST=Nordjylland/L=Noerresundby/O=Blazing Angles/OU=Blazing Angles SMTP/TLS/CN=smtp.blazingangles.com/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1280 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID:
     Session-ID-ctx:
     Master-Key: 55..............................................................................................
     Key-Arg   : None
     Krb5 Principal: None
     Start Time: 1200304756
     Timeout   : 300 (sec)
     Verify return code: 18 (self signed certificate)
---
220 home.blazingangles.com ESMTP tmda-ofmipd

====================================================

(Entered:) EHLO home.blazingangles.com

Debug output:

write to 0x9189bd8 [0x9193990] (106 bytes => 106 (0x6A))
0000 - 17 03 01 00 20 e0 c4 fb-51 67 7e df 60 80 ab ef   .... ...Qg~.`...
  ....
0060 - d4 b6 6f 2d b2 9b a7 2e-11 7c                     ..o-.....|
read from 0x9189bd8 [0x918f180] (5 bytes => 0 (0x0))
read:errno=0
write to 0x9189bd8 [0x9193990] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d4 69 2b-c8 aa 36 3d 23 0d 5a b0   .... .i+..6=#.Z.
  ....
0020 - 82 77 47 20 a8                                    .wG .
SSL3 alert write:warning:close notify

====================================================

The corresponding debug output from tmda-ofmipd is as follows:

# tmda-ofmipd -d -f -p 0.0.0.0:8025 -R pop3://localhost --tls=optional \
    --ssl-key=/var/qmail/ssl/smtphost.key \
    --ssl-cert=/var/qmail/ssl/smtphost.cert
auth method: pop3://localhost:110/

**********************************************************************
WARNING: The security implications and risks of running /usr/bin/tmda-
ofmipd in "seteuid" mode have not been fully evaluated.  If you are
uncomfortable with this, quit now and instead run /usr/bin/tmda-ofmipd
under your non-privileged TMDA user account.
**********************************************************************

tmda-ofmipd started at Mon, 14 Jan 2008 11:11:19 +0100
         Listening on 0.0.0.0:8025
Incoming connection from: ('192.168.1.2', 55979)
Incoming connection to: ('192.168.1.2', 8025)
Data: 'STARTTLS'
Data: 'EHLO home.blazingangles.com'
error: uncaptured python exception, closing channel
<__main__.SMTPSession connected 192.168.1.2:55979 at 0x9e84d4c> (<type 'exceptions.ValueError'>:
[/usr/lib/python2.5/asyncore.py|read|68]
[/usr/lib/python2.5/asyncore.py|handle_read_event|390]
[/usr/bin/tmda-ofmipd|handle_read|1285]
[/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|inReadEvent|132]
[/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|_doReadOp|177]
[/usr/bin/tmda-ofmipd|outReadEvent|1312]
[/usr/lib/python2.5/asynchat.py|handle_read|137]
[/usr/bin/tmda-ofmipd|found_terminator|222]
[/usr/bin/tmda-ofmipd|smtp_EHLO|463]
[/usr/bin/tmda-ofmipd|push|189]
[/usr/lib/python2.5/asynchat.py|push|160]
[/usr/lib/python2.5/asynchat.py|initiate_send|219]
[/usr/bin/tmda-ofmipd|send|1331]
[/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|setWriteOp|231]
[/usr/lib/python2.5/site-packages/tlslite/integration/AsyncStateMachine.py|_doWriteOp|181]
[/usr/lib/python2.5/site-packages/tlslite/TLSRecordLayer.py|writeAsync|254])

_____________________________________________
tmda-users mailing list (tmda-users@tmda.net)
http://tmda.net/lists/listinfo/tmda-users
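Reading a `-debug` trace like the one above means decoding record headers by hand: the first byte of each dumped I/O operation is the TLS content type (0x16 handshake, 0x14 change_cipher_spec, 0x17 application data, 0x15 alert), the next two are the version, and the next two the body length, while a leading byte with the high bit set is the SSLv2-compatible client hello that older s_client versions send first. The script below is an added example, not code from the original post, from TMDA or from OpenSSL: it parses those "read from"/"write to" lines plus the hex-dump line after each, tracks when each direction switches to encrypted records, and says how the connection ended. `SAMPLE` is trimmed from the trace in the post (ASCII column dropped, most handshake records left out); every name in the script is this example's own.

```python
# Added example (not code from the original post, TMDA or OpenSSL): decode the
# record headers in an `openssl s_client -debug` trace. SAMPLE is trimmed from
# the trace in this post (ASCII column dropped, most handshake records omitted).
import re
from dataclasses import dataclass
from typing import List, Optional

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
IO_LINE = re.compile(r"^(read from|write to) \S+ \[\S+\] \((\d+) bytes => (\d+) \(0x[0-9A-Fa-f]+\)\)")
HEX_LINE = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")  # offset, then hex pairs

SAMPLE = """\
write to 0x9189bd8 [-0x40537408] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a
SSL_connect:before/connect initialization
write to 0x9189bd8 [0x9189c20] (133 bytes => 133 (0x85))
0000 - 80 83 01 03 01 00 5a 00-00 00 20 00 00 39 00 00
read from 0x9189bd8 [0x918f180] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04
read from 0x9189bd8 [0x918f185] (4 bytes => 4 (0x4))
0000 - 0e
write to 0x9189bd8 [0x919a440] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01
write to 0x9189bd8 [0x9193990] (106 bytes => 106 (0x6A))
0000 - 17 03 01 00 20 e0 c4 fb-51 67 7e df 60 80 ab ef
read from 0x9189bd8 [0x918f180] (5 bytes => 0 (0x0))
read:errno=0
write to 0x9189bd8 [0x9193990] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d4 69 2b-c8 aa 36 3d 23 0d 5a b0
"""

@dataclass
class Record:
    direction: str                 # "read" or "write"
    actual: int                    # bytes transferred; 0 on a read means EOF
    kind: str                      # TLS content type, "plaintext", "sslv2_client_hello" or "eof"
    version: Optional[str] = None
    length: Optional[int] = None   # body length declared in the record header
    detail: Optional[str] = None   # handshake type, "encrypted", or the plaintext line
    extra: int = 0                 # bytes in the same write beyond the first record

def _hex_bytes(line: str) -> List[int]:
    m = HEX_LINE.match(line)
    return [int(t, 16) for t in re.findall(r"[0-9a-f]{2}", m.group(1))] if m else []

def _header(direction: str, actual: int, data: List[int], encrypted: bool) -> Record:
    if len(data) < 5:
        return Record(direction, actual, "unknown")
    if data[0] & 0x80:  # SSLv2-compatible hello: 15-bit length, message type, version
        length = ((data[0] & 0x7F) << 8) | data[1]
        return Record(direction, actual, "sslv2_client_hello", VERSIONS.get((data[3], data[4])),
                      length, HANDSHAKE_TYPES.get(data[2]), max(0, actual - (length + 2)))
    kind = CONTENT_TYPES.get(data[0], "type 0x%02x" % data[0])
    length = (data[3] << 8) | data[4]
    detail = "encrypted" if encrypted else (          # after ChangeCipherSpec the body is opaque
        HANDSHAKE_TYPES.get(data[5], "type %d" % data[5]) if kind == "handshake" and len(data) > 5 else None)
    extra = max(0, actual - (5 + length)) if direction == "write" else 0  # more records coalesced
    return Record(direction, actual, kind, VERSIONS.get((data[1], data[2]), "0x%02x%02x" % (data[1], data[2])), length, detail, extra)

def parse_trace(text: str) -> List[Record]:
    records, lines, last, pending = [], text.splitlines(), None, 0
    in_tls, encrypted = False, {"read": False, "write": False}
    for i, line in enumerate(lines):
        in_tls = in_tls or line.startswith("SSL_connect:")  # I/O before the first state line is SMTP
        m = IO_LINE.match(line)
        if not m:
            continue
        direction, actual = ("read" if m.group(1) == "read from" else "write"), int(m.group(3))
        data = _hex_bytes(lines[i + 1]) if i + 1 < len(lines) else []
        if actual == 0:                            # "read:errno=0" follows: peer closed the socket
            records.append(Record(direction, actual, "eof"))
        elif not in_tls:                           # only the first 16 dumped bytes are decoded
            records.append(Record(direction, actual, "plaintext",
                                  detail=bytes(data).decode("ascii", "replace").rstrip()))
        elif direction == "read" and pending > 0:  # body of the record whose header was just read
            if last.kind == "handshake" and last.detail is None and data:
                last.detail = HANDSHAKE_TYPES.get(data[0], "type %d" % data[0])
            encrypted["read"] |= last.kind == "change_cipher_spec"
            pending -= actual
        else:
            rec = _header(direction, actual, data, encrypted[direction])
            records.append(rec)
            if direction == "read":                # openssl reads the 5-byte header, then the body
                last, pending = rec, (rec.length or 0) - max(0, actual - 5)
            else:
                encrypted["write"] |= rec.kind == "change_cipher_spec"
    return records

def diagnose(records: List[Record]) -> str:
    """How the connection ended: an alert first, or was the socket just dropped?"""
    eof = [i for i, r in enumerate(records) if r.kind == "eof"]
    if not eof:
        return "no EOF in trace; connection still open"
    alerted = any(r.direction == "read" and r.kind == "alert" for r in records[:eof[0]])
    return "peer sent an alert, then closed" if alerted else "peer closed the TCP connection without a close_notify alert"
```

Run over the full trace from the post, the decoder gives the same account the `-state` lines give, plus two things worth noticing in the EHLO section: the 106-byte write begins with an application-data record whose header announces only 32 bytes of body, so the remaining 69 bytes are a second record in the same write (consistent with the empty CBC fragment OpenSSL of that era inserted ahead of application data, followed by the 64-byte encrypted EHLO record), and the following read returns 0 bytes with `errno=0` before any alert has been read, i.e. the server dropped the TCP connection without sending close_notify. That matches the server-side "uncaptured python exception, closing channel" message: the close_notify in the client trace is the client's own, written after it noticed the EOF.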
