This is a known problem in the Ironport TLS stack. Ironport has released a hot patch to address this problem.
On 05/01/2014 06:29 AM, Marcus Meissner via RT wrote:
> Hi,
>
> SUSE has received a bug report from a user that the "padding" extension
> change breaks IronPort SMTP appliances.
>
> There might be an RT on this already, not sure.
>
> https://bugzilla.novell.com/show_bug.cgi?id=875639
> http://postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html
>
> Quoting from our openSUSE bug report:
>
> Last upgrade to openssl-1.0.1g-11.36.1.x86_64 broke SSL connections to some
> services, e.g. Cisco Ironport SMTP appliances.
>
> 1.0.1g not only fixes the Heartbleed bug but also adds another change by
> adding:
> #define TLSEXT_TYPE_padding 21
>
> This in turn breaks SSL connections to e.g. Ironports, probably others:
> SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
>
> Workaround: Force protocol to SSLv3 or recompile without the define above.
>
> For details, please refer to:
> postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html
>
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. openssl s_client -connect some.ironport.com:25 -starttls smtp
>
> Note: Send me an email for a hostname of an Ironport SMTP appliance to test
> with. I don't want to disclose it here.
>
> Actual Results:
> CONNECTED(00000003)
> 139718758192784:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> decode error:s23_clnt.c:762:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 129 bytes and written 552 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
>
> Expected Results:
> CONNECTED(00000003)
> ---
> Certificate chain
> [...cut...]
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> [...cut...]
> 250 STARTTLS
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org