Hello OpenSSL gurus,
I found in my sendmail-8.14.7/Fedora-18-i386 queue undelivered mails,
log say 'TLS handshake failed', and when I captured traffic between
mine and destination mailserver, I got result as in attached text export
from wireshark.
And when I tried:
openssl s_client -starttls smtp -connect DestMTA -msg -debug
, I will get some as:
...
>>> TLS 1.2 Handshake [length 00f4], ClientHello
01 00 00 f0 03 03 53 3a d1 72 61 e9 9f c9 ce dc
97 e0 5d ed 70 b4 2e b5 b2 6c f0 b6 73 28 bf a3
21 6c d0 a7 cc dc 00 00 84 c0 30 c0 2c c0 28 c0
24 c0 14 c0 0a 00 a3 00 9f 00 6b 00 6a 00 39 00
38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0
05 00 9d 00 3d 00 35 00 84 c0 12 c0 08 00 16 00
13 c0 0d c0 03 00 0a c0 2f c0 2b c0 27 c0 23 c0
13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00 32 00
9a 00 99 00 45 00 44 c0 31 c0 2d c0 29 c0 25 c0
0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 00 07 c0
11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 00 00
43 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06 00
19 00 18 00 17 00 23 00 00 00 0d 00 22 00 20 06
01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04
03 03 01 03 02 03 03 02 01 02 02 02 03 01 01 00
0f 00 01 01
read from 0x8fd44e0 [0x8fdb340] (7 bytes => 7 (0x7))
0000 - 16 03 02 00 3a 02 ....:.
0007 - <SPACES/NULS>
read from 0x8fd44e0 [0x8fdb34a] (56 bytes => 56 (0x38))
0000 - 00 36 03 03 53 3a d1 72-0c 7c 8d 9e 5b ba 26 71 .6..S:.r.|..[.&q
0010 - 26 87 fd b1 ec c6 fe 4d-ee 4f d3 03 31 ea f9 2e &......M.O..1...
0020 - 5e 54 fd b8 00 00 9d 00-00 0e ff 01 00 01 00 00 ^T..............
0030 - 23 00 00 00 0f 00 01 01- #.......
<<< TLS 1.1 Handshake [length 003a], ServerHello
02 00 00 36 03 03 53 3a d1 72 0c 7c 8d 9e 5b ba
26 71 26 87 fd b1 ec c6 fe 4d ee 4f d3 03 31 ea
f9 2e 5e 54 fd b8 00 00 9d 00 00 0e ff 01 00 01
00 00 23 00 00 00 0f 00 01 01
write to 0x8fd44e0 [0x8fe4d50] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 46 ......F
>>> TLS 1.2 Alert [length 0002], fatal protocol_version
02 46
3070990124:error:1409210A:SSL routines:SSL3_GET_SERVER_HELLO:wrong ssl
version:s3_clnt.c:869:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 297 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1396363634
Timeout : 300 (sec)
Verify return code: 0 (ok)
which is perhaps same error. On mentioned 's3_clnt.c' line is code:
d=p=(unsigned char *)s->init_msg;
if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
{
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
s->version=(s->version&0xff00)|p[1];
al=SSL_AD_PROTOCOL_VERSION;
goto f_err;
}
As I'm not programmer, I was not able tracking it more closely, only
I suspect that one version values may be the record layer version
number (0x0302 ~ TLS 1.1) and other may be Server Hello version values
(0x0303 ~ TLS 1.2). But according to e.g. this article:
http://security.stackexchange.com/questions/29314/what-is-the-significance-of-the-version-field-in-a-tls-1-1-clienthello-message
, I cite:
...
The response from the server states the protocol version which will be
used, and should come as records bearing that version. E.g. if the server
says "TLS 1.1" in its ServerHello then that ServerHello should come
wrapped into a record also tagged as "TLS 1.1"; and all subsequent records
from both client and server should use that version.
...
these values _SHOULD_ be same, but I nowhere found that _MUST_ be same.
Thus, I not know, when is problem on remote server side, or in my
sendmail with openssl-1.0.1e.
Can, please, anyone advise what the problem is, and if so, whether
it can be solved on my side?
TIA, Franta Hanzlik
...
No. Time Source Destination Protocol Info
4 10.836313 89.24.112.34 85.13.84.100 SMTP S: 220
elfetex.cz Kerio Connect 8.2.2 ESMTP ready
Frame 4: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: Routerbo_78:ac:ba (00:0c:42:78:ac:ba), Dst: Intel_bb:7f:e3
(00:02:b3:bb:7f:e3)
Internet Protocol Version 4, Src: 89.24.112.34 (89.24.112.34), Dst:
85.13.84.100 (85.13.84.100)
Transmission Control Protocol, Src Port: 25 (25), Dst Port: 52187 (52187), Seq:
1, Ack: 1, Len: 48
Simple Mail Transfer Protocol
Response: 220 elfetex.cz Kerio Connect 8.2.2 ESMTP ready\r\n
Response code: <domain> Service ready (220)
Response parameter: elfetex.cz Kerio Connect 8.2.2 ESMTP ready
...
No. Time Source Destination Protocol Info
6 10.836414 85.13.84.100 89.24.112.34 SMTP C:
EHLO kominy.betonstavby.cz
Frame 6: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)
Ethernet II, Src: Intel_bb:7f:e3 (00:02:b3:bb:7f:e3), Dst: Routerbo_78:ac:ba
(00:0c:42:78:ac:ba)
Internet Protocol Version 4, Src: 85.13.84.100 (85.13.84.100), Dst:
89.24.112.34 (89.24.112.34)
Transmission Control Protocol, Src Port: 52187 (52187), Dst Port: 25 (25), Seq:
1, Ack: 49, Len: 28
Simple Mail Transfer Protocol
Command Line: EHLO kominy.betonstavby.cz\r\n
Command: EHLO
Request parameter: kominy.betonstavby.cz
...
No. Time Source Destination Protocol Info
8 10.847322 89.24.112.34 85.13.84.100 SMTP S: 250
elfetex.cz | 250 AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5 | 250 STARTTLS | 250
ENHANCEDSTATUSCODES | 250 8BITMIME | 250 PIPELINING | 250 ETRN | 250 DSN | 250
HELP
Frame 8: 222 bytes on wire (1776 bits), 222 bytes captured (1776 bits)
Ethernet II, Src: Routerbo_78:ac:ba (00:0c:42:78:ac:ba), Dst: Intel_bb:7f:e3
(00:02:b3:bb:7f:e3)
Internet Protocol Version 4, Src: 89.24.112.34 (89.24.112.34), Dst:
85.13.84.100 (85.13.84.100)
Transmission Control Protocol, Src Port: 25 (25), Dst Port: 52187 (52187), Seq:
49, Ack: 29, Len: 156
Simple Mail Transfer Protocol
Response: 250-elfetex.cz\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: elfetex.cz
Response: 250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
Response: 250-STARTTLS\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: STARTTLS
Response: 250-ENHANCEDSTATUSCODES\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: ENHANCEDSTATUSCODES
Response: 250-8BITMIME\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: 8BITMIME
Response: 250-PIPELINING\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: PIPELINING
Response: 250-ETRN\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: ETRN
Response: 250-DSN\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: DSN
Response: 250 HELP\r\n
Response code: Requested mail action okay, completed (250)
Response parameter: HELP
No. Time Source Destination Protocol Info
9 10.847822 85.13.84.100 89.24.112.34 SMTP C:
STARTTLS
Frame 9: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Ethernet II, Src: Intel_bb:7f:e3 (00:02:b3:bb:7f:e3), Dst: Routerbo_78:ac:ba
(00:0c:42:78:ac:ba)
Internet Protocol Version 4, Src: 85.13.84.100 (85.13.84.100), Dst:
89.24.112.34 (89.24.112.34)
Transmission Control Protocol, Src Port: 52187 (52187), Dst Port: 25 (25), Seq:
29, Ack: 205, Len: 10
Simple Mail Transfer Protocol
Command Line: STARTTLS\r\n
Command: STAR
Request parameter: TLS
No. Time Source Destination Protocol Info
10 10.868465 89.24.112.34 85.13.84.100 SMTP S: 220
2.0.0 Ready to start TLS
Frame 10: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Routerbo_78:ac:ba (00:0c:42:78:ac:ba), Dst: Intel_bb:7f:e3
(00:02:b3:bb:7f:e3)
Internet Protocol Version 4, Src: 89.24.112.34 (89.24.112.34), Dst:
85.13.84.100 (85.13.84.100)
Transmission Control Protocol, Src Port: 25 (25), Dst Port: 52187 (52187), Seq:
205, Ack: 39, Len: 30
Simple Mail Transfer Protocol
Response: 220 2.0.0 Ready to start TLS\r\n
Response code: <domain> Service ready (220)
Response parameter: 2.0.0 Ready to start TLS
No. Time Source Destination Protocol Info
11 10.868678 85.13.84.100 89.24.112.34 TLSv1.1 Client
Hello
Frame 11: 311 bytes on wire (2488 bits), 311 bytes captured (2488 bits)
Ethernet II, Src: Intel_bb:7f:e3 (00:02:b3:bb:7f:e3), Dst: Routerbo_78:ac:ba
(00:0c:42:78:ac:ba)
Internet Protocol Version 4, Src: 85.13.84.100 (85.13.84.100), Dst:
89.24.112.34 (89.24.112.34)
Transmission Control Protocol, Src Port: 52187 (52187), Dst Port: 25 (25), Seq:
39, Ack: 235, Len: 245
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 240
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 236
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Apr 1, 2014 13:25:47.000000000 CEST
random_bytes:
546c662498a5362cb184383fb859a67460b28b3056041cf2...
Session ID Length: 0
Cipher Suites Length: 132
Cipher Suites (66 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 63
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 8
Elliptic Curves Length: 6
Elliptic curves (3 curves)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 34
Data (34 bytes)
Extension: Heartbeat
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
No. Time Source Destination Protocol Info
12 10.892172 89.24.112.34 85.13.84.100 TLSv1.1 Server
Hello, Certificate, Server Hello Done
Frame 12: 967 bytes on wire (7736 bits), 967 bytes captured (7736 bits)
Ethernet II, Src: Routerbo_78:ac:ba (00:0c:42:78:ac:ba), Dst: Intel_bb:7f:e3
(00:02:b3:bb:7f:e3)
Internet Protocol Version 4, Src: 89.24.112.34 (89.24.112.34), Dst:
85.13.84.100 (85.13.84.100)
Transmission Control Protocol, Src Port: 25 (25), Dst Port: 52187 (52187), Seq:
235, Ack: 284, Len: 901
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 86
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 82
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Apr 1, 2014 13:25:48.000000000 CEST
random_bytes:
57d237b6971d3d60258c2a44d2bc3568f5bb83c6b4f9a985...
Session ID Length: 32
Session ID: 90f27cda2b61d74f11a78a4877474f306a9ba0997a62dadb...
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Compression Method: null (0)
Extensions Length: 10
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Extension: Heartbeat
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
TLSv1.1 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 796
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 792
Certificates Length: 789
Certificates (789 bytes)
TLSv1.1 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
No. Time Source Destination Protocol Info
13 10.892311 85.13.84.100 89.24.112.34 TLSv1.1 Alert
(Level: Fatal, Description: Protocol Version)
Frame 13: 73 bytes on wire (584 bits), 73 bytes captured (584 bits)
Ethernet II, Src: Intel_bb:7f:e3 (00:02:b3:bb:7f:e3), Dst: Routerbo_78:ac:ba
(00:0c:42:78:ac:ba)
Internet Protocol Version 4, Src: 85.13.84.100 (85.13.84.100), Dst:
89.24.112.34 (89.24.112.34)
Transmission Control Protocol, Src Port: 52187 (52187), Dst Port: 25 (25), Seq:
284, Ack: 1136, Len: 7
Secure Sockets Layer
TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Protocol Version (70)
No. Time Source Destination Protocol Info
14 10.893910 85.13.84.100 89.24.112.34 TCP 52187
> 25 [RST, ACK] Seq=291 Ack=1136 Win=32128 Len=0 TSval=1279452050 TSecr=70830635
Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Intel_bb:7f:e3 (00:02:b3:bb:7f:e3), Dst: Routerbo_78:ac:ba
(00:0c:42:78:ac:ba)
Internet Protocol Version 4, Src: 85.13.84.100 (85.13.84.100), Dst:
89.24.112.34 (89.24.112.34)
Transmission Control Protocol, Src Port: 52187 (52187), Dst Port: 25 (25), Seq:
291, Ack: 1136, Len: 0
