On 30.07.2014 21:41, Johannes Löthberg wrote:
> Hey,
>
> I was just hit by this too, and with s_client it works with -no_tls1_2
>
> --
> Sincerely,
> Johannes Löthberg
> PGP Key ID: 3A9D0BB5
Hi,
If you use OpenBSD current you could try this patch.
I like it more than disabling tls1_2, as I did in the first place, but I am
not a developer and this definitely needs some love.
Hopefully vacation will be over soon ;)
If an error occurs during the TLS handshake the
connection is not downgraded to plain SMTP.
So I have added IO_TLSERROR ...
Index: usr.sbin/smtpd/ioev.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ioev.c,v
retrieving revision 1.19
diff -u -p -r1.19 ioev.c
--- usr.sbin/smtpd/ioev.c 8 Jul 2014 07:59:31 -0000 1.19
+++ usr.sbin/smtpd/ioev.c 31 Jul 2014 15:51:30 -0000
@@ -770,7 +770,7 @@ io_dispatch_connect_ssl(int fd, short ev
default:
io->error = io_ssl_error();
ssl_error("io_dispatch_connect_ssl:SSL_connect");
- io_callback(io, IO_ERROR);
+ io_callback(io, IO_TLSERROR);
break;
}
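Review bot: changing the default branch of io_dispatch_connect_ssl to emit IO_TLSERROR instead of IO_ERROR alters what every io callback receives when SSL_connect fails, but the patch only adds a handler in mta_io; any other callback that matched IO_ERROR from this path will now fall through with the handshake failure unhandled, so either add IO_TLSERROR cases there as well or keep emitting IO_ERROR for callers that do not opt in. The context lines show io->error is already filled from io_ssl_error() before the callback, so the new event can rely on that string.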
Index: usr.sbin/smtpd/ioev.h
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ioev.h,v
retrieving revision 1.4
diff -u -p -r1.4 ioev.h
--- usr.sbin/smtpd/ioev.h 8 Jul 2014 07:59:31 -0000 1.4
+++ usr.sbin/smtpd/ioev.h 31 Jul 2014 15:51:30 -0000
@@ -21,6 +21,7 @@ enum {
IO_CONNECTED = 0, /* connection successful */
IO_TLSREADY, /* TLS started successfully */
IO_TLSVERIFIED, /* XXX - needs more work */
+ IO_TLSERROR, /* XXX - needs more work */
IO_DATAIN, /* new data in input buffer */
IO_LOWAT, /* output queue running low */
IO_DISCONNECTED, /* error? */
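Review bot: the comment on the new IO_TLSERROR entry is copied from IO_TLSVERIFIED (`/* XXX - needs more work */`) and should describe the event instead, e.g. `/* TLS handshake failed, see io->error */`. Inserting the value in the middle of the enum also renumbers IO_DATAIN, IO_LOWAT and IO_DISCONNECTED, which is only safe if everything that includes ioev.h is rebuilt together.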
Index: usr.sbin/smtpd/mta_session.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v
retrieving revision 1.68
diff -u -p -r1.68 mta_session.c
--- usr.sbin/smtpd/mta_session.c 4 Jul 2014 15:24:46 -0000 1.68
+++ usr.sbin/smtpd/mta_session.c 31 Jul 2014 15:51:30 -0000
@@ -1307,6 +1307,22 @@ mta_io(struct io *io, int evt)
mta_free(s);
break;
+ case IO_TLSERROR:
+ log_debug("debug: mta: %p: TLS IO error: %s", s, io->error);
+ if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) {
+ /* error in non-strict SSL negotiation, downgrade to
plain */
+ log_info("smtp-out: TLS Error on session %016"PRIx64
+ ": TLS failed, "
+ "downgrading to plain", s->id);
+ s->flags &= ~MTA_TLS;
+ s->flags |= MTA_DOWNGRADE_PLAIN;
+ mta_connect(s);
+ break;
+ }
+ mta_error(s, "IO Error: %s", io->error);
+ mta_free(s);
+ break;
+
case IO_DISCONNECTED:
log_debug("debug: mta: %p: disconnected in state %s",
s, mta_strstate(s->state));
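Review bot: the downgrade branch calls mta_connect(s) from inside the io callback of the connection that just failed, and the visible lines neither close nor reset s->io before doing so; confirm that mta_connect tears the old io down itself, otherwise the failed TLS connection is leaked or reused. The guard on MTA_FORCE_TLS|MTA_FORCE_ANYSSL together with `s->flags &= ~MTA_TLS; s->flags |= MTA_DOWNGRADE_PLAIN;` is the right shape: the retry cannot attempt TLS again, so this cannot loop, and since any handshake failure now silently yields a plaintext delivery for non-strict relays, the log_info line is the only record of the fallback and should stay at info level rather than debug. Minor: the lone `+` line before `case IO_DISCONNECTED:` adds a trailing blank line, and the comment `downgrade to plain */` is wrapped mid-comment where it fits on one line.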