On Thu Sep 05 20:04:30 2013, kde...@vogtner.de wrote:
> OS: various Linuxes
> Version affected: 1.0.1e
> unaffected: 1.0.0h, 0.9.8y
>
>
> openssl s_client -connect 193.142.53.22:25 -starttls smtp -state
>
Well what is happening is that OpenSSL 1.0.1 and later client indicates support for TLS v1.2 and includes a set of TLS v1.2 only ciphersuites in the client hello. The server responds saying it supports TLS v1.0 *but* tries to use a TLS v1.2 only ciphersuite, specifically one with an SHA256 MAC. OpenSSL complains and that is the result.

I've noticed the check doesn't always work in unreleased OpenSSL versions: I'll fix that.

Workaround is to disable TLS v1.2 support with -no_tls1_2 or to disable TLS v1.2 ciphersuites in the cipher string.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
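
The mismatch described in the reply above, as an added example that is not part of the original message and is not OpenSSL's own code: a stand-alone parser that reads a ServerHello record and flags a pre-TLS 1.2 version paired with a TLS 1.2 only ciphersuite. The function names, the short suite table and the sample records are assumptions constructed for illustration; the thread does not say which SHA256 suite the server chose.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_0 0x0301
#define TLS1_2 0x0303
enum sh_result { SH_MALFORMED = -1, SH_OK = 0, SH_CIPHER_NEEDS_TLS12 = 1 };

/* Suites that exist only from TLS 1.2 on (RFC 5246, RFC 5288); not exhaustive. */
static const uint16_t tls12_only[] = {
    0x003C, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
    0x003D, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
    0x0067, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
    0x006B, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
    0x009C, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
    0x009D, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
};

/* Parse one ServerHello record; flag a pre-1.2 version paired with a 1.2-only suite. */
enum sh_result check_server_hello(const uint8_t *p, size_t len) {
    /* record hdr (5) + handshake hdr (4) + version (2) + random (32) + sid_len (1) */
    if (len < 44 || p[0] != 0x16 || p[5] != 0x02) return SH_MALFORMED;
    uint16_t version = (uint16_t)((p[9] << 8) | p[10]);
    size_t sid_len = p[43];
    if (sid_len > 32 || len < 44 + sid_len + 3) return SH_MALFORMED;
    uint16_t cipher = (uint16_t)((p[44 + sid_len] << 8) | p[45 + sid_len]);
    if (version >= TLS1_2) return SH_OK;
    for (size_t i = 0; i < sizeof tls12_only / sizeof tls12_only[0]; i++)
        if (tls12_only[i] == cipher) return SH_CIPHER_NEEDS_TLS12;
    return SH_OK;
}

/* Build a constructed 47-byte ServerHello: zero random, empty session id, null compression. */
size_t make_server_hello(uint8_t out[47], uint16_t version, uint16_t cipher) {
    memset(out, 0, 47);
    out[0] = 0x16; out[1] = (uint8_t)(version >> 8); out[2] = (uint8_t)version;
    out[4] = 42;                    /* record length: 4 + 38 */
    out[5] = 0x02; out[8] = 38;     /* ServerHello, body length */
    out[9] = (uint8_t)(version >> 8); out[10] = (uint8_t)version;
    out[44] = (uint8_t)(cipher >> 8); out[45] = (uint8_t)cipher;
    return 47;
}

int main(void) {
    uint8_t buf[47];
    size_t n = make_server_hello(buf, TLS1_0, 0x003C);   /* constructed: SHA256-MAC suite under TLS 1.0 */
    printf("TLS 1.0 + AES128-SHA256: %d\n", check_server_hello(buf, n));
    n = make_server_hello(buf, TLS1_0, 0x002F);          /* TLS_RSA_WITH_AES_128_CBC_SHA */
    printf("TLS 1.0 + AES128-SHA:    %d\n", check_server_hello(buf, n));
    return 0;
}
```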