> >May-01-14 04:48:03 [Worker_1] <matchIP - 54.240.15.111 - noTLSIP
This special case has to be fixed.
- ASSP has removed the 'STARTTLS' offer for IP '54.240.15.111'
- however, this stupid client uses the STARTTLS command
- the assp BUG accepts the STARTTLS instead of replying '502 not implemented'
- the SSL handshake fails
see:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137
http://openssl.6102.n7.nabble.com/Client-certificate-chains-td26513.html
or simply search the net for 'openssl error:14094438'
>With the SSL Debug log level setting, I am rather unclear which setting
>is considered the highest, Level 1 or Level 3?
Set the debug-level for SSL/TLS. Than higher the level, than more
information are written to STDOUT!
To be clear - 1 is less than 3 - so level 1 is less than level 3 :)
Thomas
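
Added example (not part of the original thread and not ASSP code): a small log triage script for the case described above. It decodes the OpenSSL error code from the "Couldn't upgrade to TLS" line and flags failures where STARTTLS was accepted for an IP matched by noTLSIP. The sample log is constructed from the lines quoted in this thread; the regexes and function names are assumptions made for the example.

```python
import re

# Constructed sample modelled on the log lines quoted in this thread
# (the timestamp and worker on the last line are made up).
SAMPLE_LOG = """\
May-01-14 04:48:03 [Worker_1] <illegal STARTTLS request without TLS ready from server
May-01-14 04:48:03 [Worker_1] <matchIP - 54.240.15.111 - noTLSIP
May-01-14 04:48:03 [Worker_1] 54.240.15.111 error: Couldn't upgrade to TLS for client 54.240.15.111: SSL connect accept failed because of handshake problems error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
May-01-14 04:50:11 [Worker_2] 66.27.79.33 error: Couldn't upgrade to TLS for client 66.27.79.33: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
WORKER = re.compile(r"\[(Worker_\d+)\]")
NO_TLS = re.compile(r"matchIP - ([0-9.]+) - noTLSIP")
FAIL = re.compile(r"upgrade to TLS for client ([0-9.]+): .*?error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(code_hex):
    """Unpack a packed OpenSSL error code (layout of OpenSSL 0.9.8 to 1.1.x)."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        # SSL reasons >= 1000 mean "alert received from the peer": 1000 + alert number
        "alert": reason - 1000 if reason >= 1000 else None,
    }

def triage(log_text):
    """Return one finding per failed TLS upgrade in the log."""
    illegal_workers, no_tls_ips, findings = set(), set(), []
    for line in log_text.splitlines():
        w = WORKER.search(line)
        worker = w.group(1) if w else None
        if "illegal STARTTLS request" in line:
            illegal_workers.add(worker)
        elif m := NO_TLS.search(line):
            no_tls_ips.add(m.group(1))
        elif m := FAIL.search(line):
            err = decode_openssl_error(m.group(2))
            findings.append({
                "ip": m.group(1),
                # STARTTLS was accepted although it had not been offered to this IP
                "starttls_not_offered": m.group(1) in no_tls_ips and worker in illegal_workers,
                "reason": err["reason"],
                "peer_alert": TLS_ALERTS.get(err["alert"]),
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For error:14094438 the reason field is 1080, i.e. alert 80 (internal_error) sent by the connecting client, while error:140760FC carries reason 252 (unknown protocol) and no peer alert.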
From: "Mr. Courtney Creighton" <a...@dezignguy.com>
To: For Users of ASSP <assp-user@lists.sourceforge.net>,
Date: 01.05.2014 14:19
Subject: Re: [Assp-user] SSL errors from Amazon mailservers
Well, were there changes in ASSP that would affect this between b14058
and b14097? Since I hadn't had any problems before that upgrade, and
OpenSSL has stayed the same throughout.
Here's the debug info back, with a number of the lines above the error:
>May-01-14 04:48:03 [Worker_1] <sq: IO::Socket::INET=GLOB(0x15c05f98) l=10
>May-01-14 04:48:03 [Worker_1] <IO::Socket::INET=GLOB(0x15c05f98) l=10
>May-01-14 04:48:03 [Worker_1] <wrote: IO::Socket::INET=GLOB(0x15c05f98) (10)
>May-01-14 04:48:03 [Worker_1] <SMTPTraffic - read OK
>May-01-14 04:48:03 [Worker_1] <SMTPTraffic - process read
>May-01-14 04:48:03 [Worker_1] <doing line <220 TLS go ahead[CR][LF]
>
>May-01-14 04:48:03 [Worker_1] <reply - 220 TLS go ahead[CR][LF]
>May-01-14 04:48:03 [Worker_1] <illegal STARTTLS request without TLS ready from server
>May-01-14 04:48:03 [Worker_1] <matchIP - 54.240.15.111 - noTLSIP
>May-01-14 04:48:03 [Worker_1] <NoLoopSyswrite
>May-01-14 04:48:03 [Worker_1] <NoLoopSyswrite - write(30 IO::Socket::INET=GLOB(0x13b30ff8)): '220 TLS go ahead[CR][LF]
' - 18
>May-01-14 04:48:03 [Worker_1] <NoLoopSyswrite - wrote: 18 to IO::Socket::INET=GLOB(0x13b30ff8)
>May-01-14 04:48:03 [Worker_1] <TimeZoneDiff: -25200 seconds to GMT
>May-01-14 04:48:03 [Worker_1] <headerWrap
>May-01-14 04:48:03 [Worker_1] Info: notification message queued to sent to ad...@admin.com
May-01-14 04:48:03 [Worker_1] 54.240.15.111 error: Couldn't upgrade to TLS for client 54.240.15.111: SSL connect accept failed because of handshake problems error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
Is that at all helpful? I don't have any problem with most other
mailservers using STARTTLS, just Amazon's.
With the SSL Debug log level setting, I am rather unclear which setting
is considered the highest, Level 1 or Level 3?
-C
Thomas Eckardt said the following on 5/1/2014 4:14 AM:
>> I tried various changes to (SSL_version)
> - use a version 1.x.x of OpenSSL - the default security and cipher setup
> has been changed from version 0.9.x to 1.x.x
> - setup the default behavior of OpenSSL in the OpenSSL config file
> - setup 'SSL_version'
> - setup 'SSL_cipher_list'
>
> if you need to setup some very special parameters on your
> SSL-SMTP-Listeners use the 'SSLSMTPConfigure' callback configuration
>
> notice: if the connecting Server uses a weak cipher, that is not
> supported (rejected) by your OpenSSL setup, the handshake will fail - the
> same is the case, if your cipher is too weak for the connecting server
>
> Thomas
>
>
>
>
> From: "Mr. Courtney Creighton" <a...@dezignguy.com>
> To: For Users of ASSP <assp-user@lists.sourceforge.net>,
> Date: 01.05.2014 12:55
> Subject: Re: [Assp-user] SSL errors from Amazon mailservers
>
>
>
> Ok, did some more testing for this. It looks like my mail server expects
> SSL only connections (such as port 465) to come all the way through as
> an encrypted connection and the Network Setup connections behavior has
> changed in the new ASSP version (v14068). So that's why I was also
> having problems with secure port 465. My previous setup had worked fine
> (sending everything to the listenPort), but when checking the changelog
> again, I noticed that the Network Setup settings were changed in the new
> version, and incoming SSL connections to the destination mailserver had
> to be specified as SSL in the ASSP config.
>
> Changing (smtpDestinationSSL) to use an SSL connection to the mailserver
> seems to have resolved the new problems that came up with port 465 not
> working, but I am still having trouble with Amazon's mail servers
> sending with SSL. I tried various changes to (SSL_version) and using SSL
> on (listenPort), but none of them really worked properly.
>
> I am not quite sure how Amazon's mail servers are connecting to mine
> that gets the SSL handshake error, but maybe it is related to how the
> SSL connections are proxied/not proxied now, and being unexpected by my
> mailserver, ie one side is speaking SSL and the other is speaking in
> plain text. SSL and TLS work fine for me with other combinations of
> ports, so I am not sure why it is happening with connections from Amazon
> and another regional ISP. Amazon seems to try the SSL connection first,
> and then when it fails, just switches to plain text SMTP so the email
> does get delivered in the end.
>
> I've configured debugging for SSL on those Amazon IP addresses now, so
> perhaps that will get more information.
>
> -C
>
>
>
> Thomas Eckardt said the following on 5/1/2014 2:41 AM:
>>> Is it possible that ASSP may be advertising ciphers or encryption
>>> capabilities that it does not actually have
>> I don't see any missing parameter in V2.
>>
>> Thomas
>>
>>
>>
>> From: "Mr. Courtney Creighton" <a...@dezignguy.com>
>> To: For Users of ASSP <assp-user@lists.sourceforge.net>,
>> Date: 30.04.2014 09:07
>> Subject: Re: [Assp-user] SSL errors from Amazon mailservers
>>
>>
>>
>> Yes, though the Redhat packages have newer security patches and fixes
>> backported.
>> I also note that RHEL5/CentOS5 is supported through Mar 31st, 2017.
>>
>> So do you think that this issue is indeed caused by the OpenSSL package?
>>
>> Is it possible that ASSP may be advertising ciphers or encryption
>> capabilities that it does not actually have (because of the underlying
>> OpenSSL package) and that is why Amazon's servers persist in trying to
>> connect securely using a method that fails in the SSL handshake? Can the
>> advertised information be changed in ASSP?
>>
>> -C
>>
>>
>>
>>
>> Thomas Eckardt said the following on 4/29/2014 9:43 AM:
>>>> OpenSSL is the default CentOS 5 RPM package, Version: 0.9.8e
>>> This is very much too old!
>>>
>>> Thomas
>>>
>>>
>>>
>>> From: "Mr. Courtney Creighton" <a...@dezignguy.com>
>>> To: assp-user@lists.sourceforge.net,
>>> Date: 29.04.2014 10:42
>>> Subject: [Assp-user] SSL errors from Amazon mailservers
>>>
>>>
>>>
>>> Hi,
>>> I recently upgraded from ASSPv2 2.4.1(14058) to 2.4.1(14097). After the
>>> upgrade I started getting a lot of these SSL errors from Amazon's
>>> outgoing mailservers, for their various alerts and newsletter emails:
>>>
>>> error: Couldn't upgrade to TLS for client 54.240.15.40: SSL connect accept failed because of handshake problems error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
>>>
>>> It also seems that I am getting a higher volume of these types of errors:
>>> error: Couldn't upgrade to TLS for client 66.27.79.33: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>>>
>>> But as far as I can tell, they all seem to be "spammy" (dynamic
>>> ISP/foreign) ips, so I'm not too concerned about them. Just providing
>>> the info in case it is related.
>>>
>>> Currently running ASSP version 2.4.1(14097) (Perl 5.014003) (on linux -
>>> Centos 5.10 64 bit)
>>>
>>> OpenSSL is the default CentOS 5 RPM package, Version: 0.9.8e Release:
>>> 27.el5_10.1
>>>
>>>
>>> If more information is still needed, I can try to grab an SSL debug file
>>> when Amazon sends me some more email.
>>>
>>> thanks,
>>> -Court
>>>
>>>
>>> _______________________________________________
>>> Assp-user mailing list
>>> Assp-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>>
>>>
>>>
>>>
>>> DISCLAIMER:
>>> *******************************************************
>>> This email and any files transmitted with it may be confidential, legally
>>> privileged and protected in law and are intended solely for the use of the
>>> individual to whom it is addressed.
>>> This email was multiple times scanned for viruses. There should be no
>>> known virus in this email!
>>> *******************************************************