Hi,
can you explain this diff better?
On Thu, Jul 31, 2014 at 06:30:32PM +0200, Stefan Sieg wrote:
> On 30.07.2014 21:41, Johannes Löthberg wrote:
> > Hey,
> >
> > I was just hit by this too, and with s_client it works with -no_tls1_2
> >
> > --
> > Sincerely,
> > Johannes Löthberg
> > PGP Key ID: 3A9D0BB5
>
> Hi,
>
> If you use OpenBSD current you could try this patch.
> I like it more than disabling tls1_2, as I did in the first place, but I am
> not a developer and this definitely needs some love.
> Hopefully vacation will be over soon ;)
>
> If an error occurs during the TLS handshake the
> connection is not downgraded to plain SMTP.
> So I have added IO_TLSERROR ...
>
> Index: usr.sbin/smtpd/ioev.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/ioev.c,v
> retrieving revision 1.19
> diff -u -p -r1.19 ioev.c
> --- usr.sbin/smtpd/ioev.c 8 Jul 2014 07:59:31 -0000 1.19
> +++ usr.sbin/smtpd/ioev.c 31 Jul 2014 15:51:30 -0000
> @@ -770,7 +770,7 @@ io_dispatch_connect_ssl(int fd, short ev
> default:
> io->error = io_ssl_error();
> ssl_error("io_dispatch_connect_ssl:SSL_connect");
> - io_callback(io, IO_ERROR);
> + io_callback(io, IO_TLSERROR);
> break;
> }
>
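Review bot: switching the default branch of io_dispatch_connect_ssl from IO_ERROR to IO_TLSERROR changes the event every ioev callback receives for a failed SSL_connect, but only mta_session.c gains a case for the new event in this patch; any other io callback that relied on IO_ERROR for this path will now be handed an event it does not handle. Either audit the remaining callbacks for IO_TLSERROR, or make the dispatcher fall back to IO_ERROR for callbacks that do not know the new event. Note that io->error has already been set by io_ssl_error() two lines above, so the callback has the handshake failure reason available and should surface it in its own logging.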
> Index: usr.sbin/smtpd/ioev.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/ioev.h,v
> retrieving revision 1.4
> diff -u -p -r1.4 ioev.h
> --- usr.sbin/smtpd/ioev.h 8 Jul 2014 07:59:31 -0000 1.4
> +++ usr.sbin/smtpd/ioev.h 31 Jul 2014 15:51:30 -0000
> @@ -21,6 +21,7 @@ enum {
> IO_CONNECTED = 0, /* connection successful */
> IO_TLSREADY, /* TLS started successfully */
> IO_TLSVERIFIED, /* XXX - needs more work */
> + IO_TLSERROR, /* XXX - needs more work */
> IO_DATAIN, /* new data in input buffer */
> IO_LOWAT, /* output queue running low */
> IO_DISCONNECTED, /* error? */
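Review bot: the new enumerator copies the `/* XXX - needs more work */` comment from IO_TLSVERIFIED instead of saying what the event means; `IO_TLSERROR, /* TLS handshake failed */` would tell the reader when it fires and which field (io->error) carries the reason. Inserting it before IO_DATAIN also renumbers IO_DATAIN, IO_LOWAT and IO_DISCONNECTED, which is harmless as long as everything using ioev.h is rebuilt together, but worth keeping in mind when comparing debug output across builds.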
> Index: usr.sbin/smtpd/mta_session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v
> retrieving revision 1.68
> diff -u -p -r1.68 mta_session.c
> --- usr.sbin/smtpd/mta_session.c 4 Jul 2014 15:24:46 -0000 1.68
> +++ usr.sbin/smtpd/mta_session.c 31 Jul 2014 15:51:30 -0000
> @@ -1307,6 +1307,22 @@ mta_io(struct io *io, int evt)
> mta_free(s);
> break;
>
> + case IO_TLSERROR:
> + log_debug("debug: mta: %p: TLS IO error: %s", s, io->error);
> + if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) {
> + /* error in non-strict SSL negotiation, downgrade to
> plain */
> + log_info("smtp-out: TLS Error on session %016"PRIx64
> + ": TLS failed, "
> + "downgrading to plain", s->id);
> + s->flags &= ~MTA_TLS;
> + s->flags |= MTA_DOWNGRADE_PLAIN;
> + mta_connect(s);
> + break;
> + }
> + mta_error(s, "IO Error: %s", io->error);
> + mta_free(s);
> + break;
> +
> case IO_DISCONNECTED:
> log_debug("debug: mta: %p: disconnected in state %s",
> s, mta_strstate(s->state));
>
>
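Review bot: the new IO_TLSERROR case falls back to plaintext for any handshake failure whenever neither MTA_FORCE_TLS nor MTA_FORCE_ANYSSL is set, yet the failure reason in io->error is only emitted at debug level; the log_info line should include it, e.g. `log_info("smtp-out: TLS failed on session %016" PRIx64 ": %s, downgrading to plain", s->id, io->error);`, so an operator reviewing why a message left unencrypted can tell a protocol or cipher mismatch from a handshake that was cut short by something on the path. The strict branch's `mta_error(s, "IO Error: %s", io->error);` should likewise say "TLS Error" so it can be distinguished from the existing IO_ERROR case in the logs. Finally, the mail client has wrapped the comment `/* error in non-strict SSL negotiation, downgrade to plain */` onto two lines, leaving `plain */` without a `+` prefix, so the patch as mailed will not apply until that line is rejoined.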
> --
> You received this mail because you are subscribed to [email protected]
> To unsubscribe, send a mail to: [email protected]
>
--
Gilles Chehade
https://www.poolp.org @poolpOrg