Re: [openssl-users] Unable to STARTTLS behind a specific network

2016-12-23 Thread Hoggins!
Yes, confirmed here!

On 22/12/2016 at 15:24, Salz, Rich wrote:
> Errno104 is usually "connection reset by peer" which means that the other 
> side said "go away"

Both parties receive an RST from "the middle" as shown in the tcpdump
captures (output1 from client, output0 from server).
Now I have to try to deal with the network administrator to understand
why this happens, and what they're trying to do.

Hoggins!


output0
Description: Binary data


output1
Description: Binary data


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Unable to STARTTLS behind a specific network

2016-12-23 Thread Hoggins!
Hello all,

Thank you for your help!

On 22/12/2016 at 17:58, Viktor Dukhovni wrote:
>> On Dec 22, 2016, at 5:30 AM, Hoggins!  wrote:
>>
>> So what I do is :
>>
>>$ openssl s_client -starttls smtp -crlf -connect newdude.radiom.fr:5000
> This (well essentially this, but with the Postfix "posttls-finger" utility)
> works for me from my MTA host:
>
> $ posttls-finger -d sha512 "[newdude.radiom.fr]:5000"
> posttls-finger: using DANE RR: _5000._tcp.newdude.radiom.fr IN TLSA 3 0 2 
> 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
> posttls-finger: Connected to newdude.radiom.fr[188.165.117.231]:5000
> posttls-finger: < 220 newdude.radiom.fr ESMTP Sendmail 8.15.2/8.15.2; Thu, 22 
> Dec 2016 17:54:11 +0100
> posttls-finger: > EHLO mournblade.imrryr.org
> posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org 
> [38.117.134.19], pleased to meet you
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-DELIVERBY
> posttls-finger: < 250 HELP
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: depth=0 matched end 
> entity certificate sha512 digest 
> 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: Matched 
> subjectAltName: *.radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subjectAltName: 
> radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000 CommonName *.radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: 
> subject_CN=*.radiom.fr, issuer_CN=StartCom Class 2 Primary Intermediate 
> Server CA, 
> fingerprint=95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12,
>  
> pkey_fingerprint=C2:86:49:CF:64:12:52:13:CE:55:AD:84:D5:50:DF:88:42:0D:58:6D:78:B0:67:F6:F3:EE:D7:48:99:F6:28:A4:59:E4:97:08:EA:E6:DA:D8:92:92:28:C9:B8:4E:83:25:3E:1A:F6:CA:C9:94:5A:83:A7:3D:0C:9B:DA:F5:F0:37
> posttls-finger: Verified TLS connection established to 
> newdude.radiom.fr[188.165.117.231]:5000: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> posttls-finger: > EHLO mournblade.imrryr.org
> posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org 
> [38.117.134.19], pleased to meet you
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
> posttls-finger: < 250-DELIVERBY
> posttls-finger: < 250 HELP
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 newdude.radiom.fr closing connection
>
>> No problem, I can communicate with the SMTP server after the STARTTLS
>> occurred.
>>
>> But behind that specific network, if I run the same command, all I get is :
>>
>>CONNECTED(0003)
>>write:errno=104
>>---
>>no peer certificate available
>>---
>>No client certificate CA names sent
>>---
>>SSL handshake has read 351 bytes and written 147 bytes
>>---
>>New, (NONE), Cipher is (NONE)
>>Secure Renegotiation IS NOT supported
>>Compression: NONE
>>Expansion: NONE
>>---
>>
>> When I compare two tcpdumps, I can clearly see that a lot of data is
>> missing, the transaction is not complete.
>>
>> Before being paranoid, I simply suspect a MTU problem, but I'm not sure
>> how this would only apply to SSL transactions.
>>
>> Should I provide tcpdumps or anything else?
> Just the PCAP file for the broken session is enough.  However, since the
> destination looks perfectly fine, the problem is surely some firewall at
> the source network that exhibits the problem, and figuring out exactly
> what's wrong with that firewall is not an OpenSSL issue.  Send the PCAP
> file to the network administrator and ask for help there.
>

Routing my traffic through an IPSec VPN directly to the host solves the
issue, so we can definitely bet on a problem on the local network.
I'm afraid the administrators are not too much into Net neutrality ;)

Cheers!

Hoggins!





Re: [openssl-users] Unable to STARTTLS behind a specific network

2016-12-22 Thread Viktor Dukhovni

> On Dec 22, 2016, at 5:30 AM, Hoggins!  wrote:
> 
> So what I do is :
> 
>$ openssl s_client -starttls smtp -crlf -connect newdude.radiom.fr:5000

This (well essentially this, but with the Postfix "posttls-finger" utility)
works for me from my MTA host:

$ posttls-finger -d sha512 "[newdude.radiom.fr]:5000"
posttls-finger: using DANE RR: _5000._tcp.newdude.radiom.fr IN TLSA 3 0 2 
95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
posttls-finger: Connected to newdude.radiom.fr[188.165.117.231]:5000
posttls-finger: < 220 newdude.radiom.fr ESMTP Sendmail 8.15.2/8.15.2; Thu, 22 
Dec 2016 17:54:11 +0100
posttls-finger: > EHLO mournblade.imrryr.org
posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org 
[38.117.134.19], pleased to meet you
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE
posttls-finger: < 250-DSN
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-DELIVERBY
posttls-finger: < 250 HELP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: depth=0 matched end 
entity certificate sha512 digest 
95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: Matched 
subjectAltName: *.radiom.fr
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subjectAltName: 
radiom.fr
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000 CommonName *.radiom.fr
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: 
subject_CN=*.radiom.fr, issuer_CN=StartCom Class 2 Primary Intermediate Server 
CA, 
fingerprint=95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12,
 
pkey_fingerprint=C2:86:49:CF:64:12:52:13:CE:55:AD:84:D5:50:DF:88:42:0D:58:6D:78:B0:67:F6:F3:EE:D7:48:99:F6:28:A4:59:E4:97:08:EA:E6:DA:D8:92:92:28:C9:B8:4E:83:25:3E:1A:F6:CA:C9:94:5A:83:A7:3D:0C:9B:DA:F5:F0:37
posttls-finger: Verified TLS connection established to 
newdude.radiom.fr[188.165.117.231]:5000: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO mournblade.imrryr.org
posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org 
[38.117.134.19], pleased to meet you
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE
posttls-finger: < 250-DSN
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
posttls-finger: < 250-DELIVERBY
posttls-finger: < 250 HELP
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 newdude.radiom.fr closing connection

> No problem, I can communicate with the SMTP server after the STARTTLS
> occurred.
> 
> But behind that specific network, if I run the same command, all I get is :
> 
>CONNECTED(0003)
>write:errno=104
>---
>no peer certificate available
>---
>No client certificate CA names sent
>---
>SSL handshake has read 351 bytes and written 147 bytes
>---
>New, (NONE), Cipher is (NONE)
>Secure Renegotiation IS NOT supported
>Compression: NONE
>Expansion: NONE
>---
> 
> When I compare two tcpdumps, I can clearly see that a lot of data is
> missing, the transaction is not complete.
> 
> Before being paranoid, I simply suspect a MTU problem, but I'm not sure
> how this would only apply to SSL transactions.
> 
> Should I provide tcpdumps or anything else?

Just the PCAP file for the broken session is enough.  However, since the
destination looks perfectly fine, the problem is surely some firewall at
the source network that exhibits the problem, and figuring out exactly
what's wrong with that firewall is not an OpenSSL issue.  Send the PCAP
file to the network administrator and ask for help there.

-- 
Viktor.


Re: [openssl-users] Unable to STARTTLS behind a specific network

2016-12-22 Thread Salz, Rich
> Well, the fact that it fails is confirmation :)
> 
> > But behind that specific network, if I run the same command, all I get is :
> >
> > CONNECTED(0003)
> > write:errno=104
> 
> Most likely there is a middlebox filtering traffic and closing the connection.
> Try an older protocol version, like -ssl3 or something.

Errno104 is usually "connection reset by peer" which means that the other side 
said "go away"


Re: [openssl-users] Unable to STARTTLS behind a specific network

2016-12-22 Thread Salz, Rich
Well, the fact that it fails is confirmation :)

> But behind that specific network, if I run the same command, all I get is :
> 
> CONNECTED(0003)
> write:errno=104

Most likely there is a middlebox filtering traffic and closing the connection.  
Try an older protocol version, like -ssl3 or something.

