Hello Predrag, all.
Predrag Punosevac wrote in
<20200811212622.ugmda%[email protected]>:
|This is a regression report for 019_libssl.patch
|
|predrag@oko$ uname -a
|OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64
|predrag@oko$ syspatch -l
|001_wscons
|002_rpki
|003_ssh
|004_libssl
|005_unbound
|006_smtpd_sockaddr
|007_perl
|008_hid
|009_asr
|010_x509
|011_shmget
|012_tty
|013_tty
|014_iked
|015_rpki
|016_ximcp
|017_dix
|018_ximcp
|019_libssl
|
|After applying the libssl binary patch to the 6.7 release, s-nail-14.9.19 can no
|longer close a STARTTLS IPMI session with the Gmail server. I recompiled
|s-nail and rebooted the machine. After reverting the patch s-nail works
|as expected. Interestingly enough, I can only see this with Gmail
|servers: 019_libssl.patch doesn't break the Hotmail IPMI connection. The patch
|does break the SMTP session with the Gmail server in the same fashion as IPMI;
|it just doesn't terminate cleanly. I don't know enough about the subject
|to look further into the problem, but I am 100% sure this is a LibreSSL
|bug.
Hmm. I can reproduce this here indeed.
nail: Resolving host smtp.gmail.com:587 ... done
nail: Connecting to 108.177.126.109:587 ... connected.
nail: >>> SERVER: 220 smtp.gmail.com ESMTP g9sm1477447ejf.101 - gsmtp
nail: >>> EHLO gmail.com
nail: >>> SERVER: 250-smtp.gmail.com at your service, [109.40.130.60]
...
nail: >>> STARTTLS
nail: >>> SERVER: 220 2.0.0 Ready to start TLS
nail: TLS: applying config: CipherString = TLSv1.2:!aNULL:!eNULL
nail: TLS: applying config: MinProtocol = TLSv1.2
nail: Certificate depth 2
nail: subject = /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
nail: notBefore = Dec 15 08:00:00 2006 GMT
nail: notAfter = Dec 15 08:00:00 2021 GMT
nail: issuer = /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
nail: Certificate depth 1
nail: subject = /C=US/O=Google Trust Services/CN=GTS CA 1O1
nail: notBefore = Jun 15 00:00:42 2017 GMT
nail: notAfter = Dec 15 00:00:42 2021 GMT
nail: issuer = /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
nail: Certificate depth 0
nail: subject = /C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
nail: notBefore = Jul 15 08:33:08 2020 GMT
nail: notAfter = Oct 7 08:33:08 2020 GMT
nail: issuer = /C=US/O=Google Trust Services/CN=GTS CA 1O1
nail: Comparing subject_alt_name: need<smtp.gmail.com> is<smtp.gmail.com>
nail: TLS certificate ok
nail: TLS SHA256 fingerprint:
7B:2D:63:EC:E2:4C:D5:BB:33:00:A5:65:A0:67:DA:1B:C6:B8:1F:88:6E:6B:67:78:D7:6A:AC:93:94:6E:9F:9F
nail: TLS connection using ? / AEAD-AES256-GCM-SHA384
This ? is, interestingly, the "None" of
   /* Protocol table; only the fields used below are known from this snippet:
    * xp_name (1st), xp_version (3rd) and xp_last (the trailing "None" entry).
    * "None" has xp_version 0, so it never matches a real SSL_version() value
    * and only serves as the fallback that prints the "?" seen above. */
   static struct a_xtls_protocol const a_xtls_protocols[] = {
      {"ALL", SSL_OP_NO_SSL_MASK, 0, FAL0, TRU1, FAL0, TRU1, {0}},
      {"TLSv1.3\0", SSL_OP_NO_TLSv1_3, TLS1_3_VERSION, TRU1,TRU1,FAL0,FAL0,{0}},
      {"TLSv1.2", SSL_OP_NO_TLSv1_2, TLS1_2_VERSION, TRU1, TRU1, FAL0, FAL0, {0}},
      {"TLSv1.1", SSL_OP_NO_TLSv1_1, TLS1_1_VERSION, TRU1, TRU1, FAL0, FAL0, {0}},
      {"TLSv1", SSL_OP_NO_TLSv1, TLS1_VERSION, TRU1, TRU1, FAL0, FAL0, {0}},
      {"SSLv3", SSL_OP_NO_SSLv3, SSL3_VERSION, TRU1, TRU1, FAL0, FAL0, {0}},
      {"SSLv2", SSL_OP_NO_SSLv2, SSL2_VERSION, TRU1, TRU1, FAL0, FAL0, {0}},
      {"None", SSL_OP_NO_SSL_MASK, 0, TRU1, FAL0, TRU1, FAL0, {0}}
   };
after
   struct a_xtls_protocol const *xpp;
   int ver;

   ver = SSL_version(sop->s_tls);
   for(xpp = &a_xtls_protocols[1] /* [0] == ALL */;; ++xpp)
      if(xpp->xp_version == ver || xpp->xp_last){
         /* A version absent from the table ends at "None" (xp_last) and prints "?" */
         n_err(_("TLS connection using %s / %s\n"),
            (xpp->xp_last ? n_qm : xpp->xp_name),
            SSL_get_cipher(sop->s_tls));
         break;
      }
   } /* closes the enclosing block, which is not shown here */
I have to look there when i have time, maybe!?!
nail: >>> EHLO gmail.com
nail: >>> SERVER: 250-smtp.gmail.com at your service, [109.40.130.60]
...
nail: >>> AUTH PLAIN
nail: >>> SERVER: 334
...
nail: >>> SERVER: 354 Go ahead g9sm1477447ejf.101 - gsmtp
...
nail: >>> .
nail: >>> SERVER: 250 2.0.0 OK 1597236652 g9sm1477447ejf.101 - gsmtp
nail: >>> QUIT
nail: >>> SERVER: 221 2.0.0 closing connection g9sm1477447ejf.101 - gsmtp
And here it hangs endlessly. For now i presume it hangs at
   /* SSL_shutdown(): 0 = our close_notify sent, peer's not yet seen (retry);
    * 1 = both exchanged; -1 = error, which this loop cannot tell apart from 1 */
   while (!SSL_shutdown(s_tls)) /* XXX proper error handling;signals! */
      ;
Because the final SMTP answer has been successfully received. But
i am a bit out of ideas at the moment since i need to -KILL it, no
other signal gets through, and our socket_close() does not catch
signals. I will look a bit.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
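The hang described above is an unbounded wait for the peer's close_notify. As an added example (not s-nail's or LibreSSL's code; Go rather than C so it runs offline without a TLS library installed), here is a bounded counterpart of that SSL_shutdown() loop, exercised against a loopback server that either answers our close_notify or stays silent; the self-signed certificate, the loopback server and the names closeWithDeadline and runScenario are all constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// closeWithDeadline: send our close_notify, then wait at most d for the peer's (true only on a clean two-way close).
func closeWithDeadline(c *tls.Conn, d time.Duration) (peerReplied bool, err error) {
	defer c.Close() // always release the TCP socket, even when the peer never answers
	if err = c.CloseWrite(); err != nil { // our close_notify
		return false, err
	}
	c.SetReadDeadline(time.Now().Add(d)) // the busy loop in the mail above has no such bound
	if _, err = c.Read(make([]byte, 1)); err == io.EOF {
		return true, nil // peer's close_notify arrived
	}
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // peer stayed silent: give up instead of spinning forever
	}
	return false, err
}
// runScenario: one loopback TLS session; peerReplies picks a server that answers our close_notify or never does.
func runScenario(peerReplies bool, d time.Duration) (bool, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key, never reused
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		if s, err := ln.Accept(); err == nil {
			io.ReadAll(s) // returns once the client's close_notify arrives
			if !peerReplies {
				time.Sleep(2 * d) // silent peer: hold the socket open past the client's deadline
			}
			s.Close() // sends close_notify (in the silent case only after the client gave up)
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}) // self-signed demo cert
	if err != nil {
		return false, err
	}
	return closeWithDeadline(c, d)
}
```

A real peer may still have application data in flight, so the single Read would be repeated until EOF; the demo server sends none.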