Well, were there changes in ASSP that would affect this between b14058 
and b14097? Since I hadn't had any problems before that upgrade, and 
OpenSSL has stayed the same throughout.

Here's the debug info back, with a number of the lines above the error:

 >May-01-14 04:48:03 [Worker_1] <sq: IO::Socket::INET=GLOB(0x15c05f98)  l=10
 >May-01-14 04:48:03 [Worker_1] <IO::Socket::INET=GLOB(0x15c05f98)  l=10
 >May-01-14 04:48:03 [Worker_1] <wrote: IO::Socket::INET=GLOB(0x15c05f98)  (10)
 >May-01-14 04:48:03 [Worker_1] <SMTPTraffic - read OK
 >May-01-14 04:48:03 [Worker_1] <SMTPTraffic - process read
 >May-01-14 04:48:03 [Worker_1] <doing line <220 TLS go ahead[CR][LF]
 >
 >May-01-14 04:48:03 [Worker_1] <reply - 220 TLS go ahead[CR][LF]
 >May-01-14 04:48:03 [Worker_1] <illegal STARTTLS request without TLS ready from server
 >May-01-14 04:48:03 [Worker_1] <matchIP - 54.240.15.111 - noTLSIP
 >May-01-14 04:48:03 [Worker_1] <NoLoopSyswrite
 >May-01-14 04:48:03 [Worker_1] <NoLoopSyswrite - write(30 IO::Socket::INET=GLOB(0x13b30ff8)): '220 TLS go ahead[CR][LF]
' - 18
 >May-01-14 04:48:03 [Worker_1] <NoLoopSyswrite - wrote: 18 to IO::Socket::INET=GLOB(0x13b30ff8)
 >May-01-14 04:48:03 [Worker_1] <TimeZoneDiff: -25200 seconds to GMT
 >May-01-14 04:48:03 [Worker_1] <headerWrap
 >May-01-14 04:48:03 [Worker_1] Info: notification message queued to sent to ad...@admin.com
May-01-14 04:48:03 [Worker_1] 54.240.15.111 error: Couldn't upgrade to TLS for client 54.240.15.111: SSL connect accept failed because of handshake problems error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error


Is that at all helpful? I don't have any problem with most other 
mailservers using STARTTLS, just Amazon's.


With the SSL Debug log level setting, I am rather unclear which setting 
is considered the highest, Level 1 or Level 3?

-C



Thomas Eckardt said the following on 5/1/2014 4:14 AM:
>> I tried various changes to (SSL_version)
> - use a version 1.x.x of OpenSSL - the default security and cipher setup
> has been changed from version 0.9.x to 1.x.x
> - setup the default behavior of OpenSSL in the OpenSSL config file
> - setup 'SSL_version'
> - setup 'SSL_cipher_list'
>
> if you need to setup some very special parameters on your
> SSL-SMTP-Listeners use the 'SSLSMTPConfigure' callback configuration
>
> notice: if the connecting Server uses a weak cipher, that is not supported
> (rejected) by your OpenSSL setup, the handshake will fail - the same is
> the case, if your cipher is too weak for the connecting server
>
> Thomas
>
>
>
>
> From:    "Mr. Courtney Creighton" <a...@dezignguy.com>
> To:      For Users of ASSP <assp-user@lists.sourceforge.net>,
> Date:    01.05.2014 12:55
> Subject: Re: [Assp-user] SSL errors from Amazon mailservers
>
>
>
> Ok, did some more testing for this. It looks like my mail server expects
> SSL only connections (such as port 465) to come all the way through as
> an encrypted connection and the Network Setup connections behavior has
> changed in the new ASSP version (v14068). So that's why I was also
> having problems with secure port 465. My previous setup had worked fine
> (sending everything to the listenPort), but when checking the changelog
> again, I noticed that the Network Setup settings were changed in the new
> version, and incoming SSL connections to the destination mailserver had
> to be specified as SSL in the ASSP config.
>
> Changing (smtpDestinationSSL) to use an SSL connection to the mailserver
> seems to have resolved the new problems that came up with port 465 not
> working, but I am still having trouble with Amazon's mail servers
> sending with SSL. I tried various changes to (SSL_version) and using SSL
> on (listenPort), but none of them really worked properly.
>
> I am not quite sure how Amazon's mail servers are connecting to mine
> that gets the SSL handshake error, but maybe it is related to how the
> SSL connections are proxied/not proxied now, and being unexpected by my
> mailserver, i.e. one side is speaking SSL and the other is speaking in
> plain text. SSL and TLS work fine for me with other combinations of
> ports, so I am not sure why it is happening with connections from Amazon
> and another regional ISP. Amazon seems to try the SSL connection first,
> and then when it fails, just switches to plain text SMTP so the email
> does get delivered in the end.
>
> I've configured debugging for SSL on those Amazon IP addresses now, so
> perhaps that will get more information.
>
> -C
>
>
>
> Thomas Eckardt said the following on 5/1/2014 2:41 AM:
>>> Is it possible that ASSP may be advertising ciphers or encryption
>>> capabilities that it does not actually have
>> I don't see any missing parameter in V2.
>>
>> Thomas
>>
>>
>>
>> From:    "Mr. Courtney Creighton" <a...@dezignguy.com>
>> To:      For Users of ASSP <assp-user@lists.sourceforge.net>,
>> Date:    30.04.2014 09:07
>> Subject: Re: [Assp-user] SSL errors from Amazon mailservers
>>
>>
>>
>> Yes, though the Redhat packages have newer security patches and fixes
>> backported.
>> I also note that RHEL5/CentOS5 is supported through Mar 31st, 2017.
>>
>> So do you think that this issue is indeed caused by the OpenSSL package?
>>
>> Is it possible that ASSP may be advertising ciphers or encryption
>> capabilities that it does not actually have (because of the underlying
>> OpenSSL package) and that is why Amazon's servers persist in trying to
>> connect securely using a method that fails in the SSL handshake? Can the
>> advertised information be changed in ASSP?
>>
>> -C
>>
>>
>>
>>
>> Thomas Eckardt said the following on 4/29/2014 9:43 AM:
>>>> OpenSSL is the default CentOS 5 RPM package, Version: 0.9.8e
>>> This is very much too old!
>>>
>>> Thomas
>>>
>>>
>>>
>>> From:    "Mr. Courtney Creighton" <a...@dezignguy.com>
>>> To:      assp-user@lists.sourceforge.net,
>>> Date:    29.04.2014 10:42
>>> Subject: [Assp-user] SSL errors from Amazon mailservers
>>>
>>>
>>>
>>> Hi,
>>> I recently upgraded from ASSPv2 2.4.1(14058) to 2.4.1(14097). After the
>>> upgrade I started getting a lot of these SSL errors from Amazon's
>>> outgoing mailservers, for their various alerts and newsletter emails:
>>>
>>> error: Couldn't upgrade to TLS for client 54.240.15.40: SSL connect accept failed because of handshake problems error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
>>>
>>> It also seems that I am getting a higher volume of these types of errors:
>>> error: Couldn't upgrade to TLS for client 66.27.79.33: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>>>
>>> But as far as I can tell, they all seem to be "spammy" (dynamic
>>> ISP/foreign) ips, so I'm not too concerned about them. Just providing
>>> the info in case it is related.
>>>
>>> Currently running ASSP version 2.4.1(14097) (Perl 5.014003) (on linux -
>>> Centos 5.10 64 bit)
>>>
>>> OpenSSL is the default CentOS 5 RPM package, Version: 0.9.8e Release:
>>> 27.el5_10.1
>>>
>>>
>>> If more information is still needed, I can try to grab an SSL debug file
>>> when Amazon sends me some more email.
>>>
>>> thanks,
>>> -Court
>>>
>>>
> ------------------------------------------------------------------------------
>>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>>> Instantly run your Selenium tests across 300+ browser/OS combos.  Get
>>> unparalleled scalability from the best Selenium testing platform
>>> available.
>>> Simple to use. Nothing to install. Get started now for free."
>>> http://p.sf.net/sfu/SauceLabs
>>> _______________________________________________
>>> Assp-user mailing list
>>> Assp-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>>
>>>
>>>
>>>
>>> DISCLAIMER:
>>> *******************************************************
>>> This email and any files transmitted with it may be confidential,
>> legally
>>> privileged and protected in law and are intended solely for the use of
>> the
>>> individual to whom it is addressed.
>>> This email was multiple times scanned for viruses. There should be no
>>> known virus in this email!
>>> *******************************************************

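Added example, not part of the original thread and not ASSP code: a small triage script that unpacks the OpenSSL error codes quoted in the log lines above and reports whether the failure was a TLS alert received from the connecting server or an error raised locally. The function names and the embedded sample log are constructed for illustration; the bit layout is the one used by OpenSSL 0.9.8 and 1.x.

```python
import re

# Constructed sample: the two error lines quoted in this thread.
SAMPLE_LOG = """\
May-01-14 04:48:03 [Worker_1] 54.240.15.111 error: Couldn't upgrade to TLS for client 54.240.15.111: SSL connect accept failed because of handshake problems error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
error: Couldn't upgrade to TLS for client 66.27.79.33: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

ERR_RE = re.compile(
    r"for client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):.*?"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

ERR_LIB_SSL = 20             # library number of the SSL routines
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when an alert was received
# TLS alert descriptions most often seen during a failed handshake
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error"}


def unpack(code_hex):
    """Split a packed error code into (lib, func, reason).

    Layout of OpenSSL 0.9.8 and 1.x; OpenSSL 3 packs the value differently.
    """
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(line):
    """Return a dict describing one TLS upgrade error, or None for other lines."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = unpack(m["code"])
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        # The remote side aborted the handshake and told us why.
        alert = reason - SSL_AD_REASON_OFFSET
        origin, detail = "peer", ALERTS.get(alert, f"alert {alert}")
    else:
        # The local OpenSSL rejected what it read from the socket.
        origin, detail = "local", m["reason"].strip()
    return {"ip": m["ip"], "origin": origin, "detail": detail, "func": m["func"]}


def triage_log(text):
    return [r for r in map(triage, text.splitlines()) if r]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

For the Amazon address the result is origin "peer" with internal_error, meaning the alert was sent by the connecting server; the 66.27.79.33 line is a local "unknown protocol" rejection of the first bytes read.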