I would guess that the misbehaving clients are early OpenSSL betas that receive the real TLS 1.3 version and then try to interpret it as whatever draft version they actually implement.
-Ben

On Thu, Oct 11, 2018 at 01:18:03PM -0400, Viktor Dukhovni wrote:
>
> Apparently, some SMTP clients set fallback_scsv when doing TLS 1.2
> with Postfix servers using OpenSSL 1.1.1. Not yet clear whether
> they tried TLS 1.3 first and failed, or just sent the SCSV out of
> the blue...
>
> See attached. If this is a common problem, it might be useful to
> have a control that tolerates "downgrade" to TLS 1.2, without
> disabling TLS 1.3 support. In many cases, and especially opportunistic
> security, where STARTTLS can be stripped by an MiTM entirely, so
> we often can't even prevent downgrades to cleartext, TLS 1.2 is
> quite good enough.
>
> --
> Viktor.

> Date: Thu, 11 Oct 2018 12:53:38 -0400
> From: Viktor Dukhovni <postfix-us...@dukhovni.org>
> To: postfix-us...@postfix.org
> Subject: Re: postfix & TLS1.3 problems
> User-Agent: Mutt/1.10.1 (2018-07-13)
>
> On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:
>
> > today I noticed a significant amount of TLS failures in my postfix log.
> >
> > Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from
> > client.example[192.0.2.25]:34152: -1
> >
> > I traced some sessions and found the problematic client is announcing
> > the special cipher "TLS_FALLBACK_SCSV"
> > in a TLSv1.2 ClientHello message. Now, as my server supports TLSv1.3,
> > my SSL library (openssl-1.1.1) assumes a downgrade attack and closes the
> > connection with an SSL error message "inappropriate fallback"
> >
> > The core issue is a client with a nonconforming TLS implementation.
>
> Any idea what software these clients are running? Are they at all
> likely to fix this any time soon?
>
> > To circumvent the problem I tried to disable TLS1.3 on my server by setting
> > smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3
> >
> > But that does not help.
> > The client still fails and delivers the message by falling back to plain text
> > :-/
> >
> > The only option to force encrypted traffic again would be a library
> > downgrade on my side.
> > Any other suggestions?
>
> Support for OpenSSL 1.1.1 and TLS 1.3 is on the list of fixes slated
> for Postfix 3.4, and some may then be backported to patch levels
> of earlier releases.
>
> In the meantime, try:
>
> tls_ssl_options = 0x20000000
>
> which corresponds to SSL_OP_NO_TLSv1_3. I am not aware of any
> method to accept the "downgrade" to TLS 1.2 without disabling TLS
> 1.3 for clients that do have correct implementations.
>
> --
> Viktor.
> _______________________________________________
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
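The server-side rule that produces the "inappropriate fallback" error in this thread, as an added illustration that is not code from the thread, from OpenSSL or from Postfix: a small parser for the version and cipher-suite fields of a ClientHello, plus the RFC 7507 check (abort if TLS_FALLBACK_SCSV is present and the client's highest offered version is below the server's highest). The ClientHello messages are constructed here for the example, the function names are my own, and the server_max_version parameter stands in for what capping the server at TLS 1.2 (the SSL_OP_NO_TLSv1_3 workaround above) changes: the same nonconforming hello is then no longer a downgrade, while a client that lists TLS 1.3 in supported_versions is never affected.

```python
import struct

# Constants from the RFCs: TLS_FALLBACK_SCSV (RFC 7507) and the TLS 1.3
# supported_versions extension (RFC 8446, section 4.2.1).
TLS_FALLBACK_SCSV = 0x5600
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12 = 0x0303
TLS13 = 0x0304


def build_client_hello(legacy_version, cipher_suites, supported_versions=None):
    """Assemble a constructed ClientHello (TLS record + handshake message).

    Test input built for this example, not captured client traffic.
    """
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                        # client random (fixed, constructed)
    body += b"\x00"                             # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    exts = b""
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers        # 1-byte list length, then versions
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record layer: handshake (0x16), legacy record version 0x0301, length.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the fields the fallback check needs from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    (legacy_version,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 32                                   # skip random
    pos += 1 + body[pos]                        # skip legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # skip compression methods
    extensions = {}
    if pos < len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"legacy_version": legacy_version,
            "cipher_suites": suites,
            "extensions": extensions}


def client_max_version(hello):
    """Highest version the client offers: supported_versions when present,
    otherwise legacy_version (a pre-1.3 client)."""
    sv = hello["extensions"].get(EXT_SUPPORTED_VERSIONS)
    if sv:
        return max(struct.unpack("!H", sv[1 + i:3 + i])[0]
                   for i in range(0, sv[0], 2))
    return hello["legacy_version"]


def fallback_verdict(record, server_max_version=TLS13):
    """RFC 7507 server rule: TLS_FALLBACK_SCSV present and the client's
    highest version below the server's highest means inappropriate_fallback.
    Returns (verdict, scsv_present, client_max_version) for log triage."""
    hello = parse_client_hello(record)
    scsv = TLS_FALLBACK_SCSV in hello["cipher_suites"]
    cmax = client_max_version(hello)
    verdict = "inappropriate_fallback" if scsv and cmax < server_max_version else "ok"
    return verdict, scsv, cmax


if __name__ == "__main__":
    # The hello from the log above: TLS 1.2, no supported_versions, SCSV set.
    broken = build_client_hello(TLS12, [0xC02F, TLS_FALLBACK_SCSV])
    print("TLS 1.3 server  :", fallback_verdict(broken, TLS13))
    print("server capped 1.2:", fallback_verdict(broken, TLS12))
    # A conforming TLS 1.3-capable client that also sends the SCSV.
    good = build_client_hello(TLS12, [0x1301, TLS_FALLBACK_SCSV], [TLS13, TLS12])
    print("conforming client:", fallback_verdict(good, TLS13))
```

The verdict only depends on the two version values and on whether 0x5600 is in the cipher list, which is why a packet capture of the failing ClientHello is enough to confirm the diagnosis in the thread without any server-side debugging.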