On Tue, Jun 18, 2013 at 12:30:58AM -0400, Dave Thompson wrote:
> Looking at your state_debug.log (which tries 1.2) I see:
> read/write preliminary SMTP as normal
> write ClientHello: offer 1.2
> read ServerHello: agree 1.0 DES-CBC3-SHA
> rest of handshake normal
>
> Aside: I notice your build (here and in no-1.2) doesn't offer IDEA,
> so I'll guess it was built by longtime anti-patent person.

This is tested on Debian where it was disabled many years ago and never
re-enabled. I see no reason to enable it anymore.

> Then we have:
> > 250 OK
> > 214-This server supports the following commands:
> > 214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
> These appear to be leftover (in mbuf) from the preliminary phase.

No, this is most likely a logging problem. What happens is that I get:
250 OK
I send:
"HELP\r\n"
I get as reply:
214-This server supports the following commands:
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
And after that the connection breaks.

> I suggest trying the default=1.2 with -cipher RC4-MD5; if that works
> try RC4-SHA with default=1.2 and also -no_tls1_2 and/or exact -tls1.
> Conversely try -no_tls1_2 and/or -tls1 with -cipher DES-CBC-SHA .

Using "-cipher RC4-MD5" or "-cipher RC4-SHA" I get that as cipher and have
a connection that stays working.

Using "-no_tls1_2 -cipher DES-CBC-SHA" I get the broken connection after
the HELP.

My conclusions:
- One of the 2 sides doesn't implement DES-CBC-SHA/DES-CBC3-SHA properly
- The server seems to act weird in changing between RC4-MD5 and DES-CBC3-SHA.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
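The per-cipher test Kurt describes (STARTTLS, then a HELP over the TLS channel, and does the channel survive?) can be scripted so each protocol/cipher combination is checked the same way. This is an added example written for this page, not code from the thread or from OpenSSL; it uses Python's ssl module on top of whatever OpenSSL is installed, the host, port and the EHLO name `probe.example` are placeholders, and the captured reply bytes in `SAMPLE` are constructed from the lines quoted in the thread.

```python
import socket
import ssl

SAMPLE = (b"250 OK\r\n214-This server supports the following commands:\r\n"  # constructed from the thread
          b"214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY\r\n")

def read_reply(recv, buf):
    """Read one SMTP reply via recv(), honouring 'NNN-' continuation lines; buf is a
    persistent bytearray. Returns (code, lines); code None = peer closed mid-reply."""
    lines = []
    while True:
        while b"\r\n" not in buf:
            chunk = recv(4096)
            if not chunk:                       # EOF: the connection dropped
                return None, lines
            buf.extend(chunk)
        end = buf.index(b"\r\n")
        text = bytes(buf[:end]).decode("ascii", "replace")
        del buf[:end + 2]
        lines.append(text)
        if len(text) < 4 or text[3] == " ":     # final line: no '-' after the code
            return int(text[:3]) if text[:3].isdigit() else None, lines

def parse_stream(data):
    """Offline helper: parse every reply in a captured byte string (EOF once drained)."""
    buf, out = bytearray(data), []
    while buf and (not out or out[-1][0] is not None):
        out.append(read_reply(lambda n: b"", buf))
    return out

def probe(host, port, ciphers, max_version=ssl.TLSVersion.TLSv1_2):
    """STARTTLS with one cipher string, then HELP over TLS -> (negotiated cipher,
    HELP code); code None means the channel died right after the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # handshake diagnostics only
    ctx.maximum_version = max_version
    ctx.set_ciphers(ciphers)   # ssl.SSLError if this OpenSSL build lacks the suite
    buf = bytearray()
    with socket.create_connection((host, port), timeout=10) as raw:
        for cmd in (b"", b"EHLO probe.example\r\n", b"STARTTLS\r\n"):  # b"": read greeting
            raw.sendall(cmd)
            code = read_reply(raw.recv, buf)[0]
        if code != 220:                                      # STARTTLS refused
            return None, code
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"HELP\r\n")
            try:
                code = read_reply(tls.recv, bytearray())[0]
            except ssl.SSLError:                             # abrupt TLS close
                code = None
            return tls.cipher()[0], code
```

Calling `probe(host, 25, "RC4-MD5")`, `probe(host, 25, "DES-CBC3-SHA")` and `probe(host, 25, "DES-CBC-SHA", ssl.TLSVersion.TLSv1)` mirrors the three cases in the thread; a result whose HELP code is None is the "connection breaks after HELP" symptom. Modern OpenSSL builds may refuse the DES suites unless the cipher string lowers the security level (for example "DES-CBC3-SHA:@SECLEVEL=0").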