I would guess that the misbehaving clients are early openssl betas
that receive the real TLS 1.3 version and then try to interpret
as whatever draft version they actually implement.

-Ben

On Thu, Oct 11, 2018 at 01:18:03PM -0400, Viktor Dukhovni wrote:
> 
> Apparently, some SMTP clients set fallback_scsv when doing TLS 1.2
> with Postfix servers using OpenSSL 1.1.1.  Not yet clear whether
> they tried TLS 1.3 first and failed, or just sent the SCSV out of
> the blue...
> 
> See attached.  If this is a common problem, it might be useful to
> have a control that tolerates "downgrade" to TLS 1.2, without
> disabling TLS 1.3 support.  In many cases, and especially opportunistic
> security, where STARTTLS can be stripped by an MiTM entirely, so
> we often can't even prevent downgrades to cleartext, TLS 1.2 is
> quite good enough.
> 
> -- 
>       Viktor.

> Date: Thu, 11 Oct 2018 12:53:38 -0400
> From: Viktor Dukhovni <postfix-us...@dukhovni.org>
> To: postfix-us...@postfix.org
> Subject: Re: postfix & TLS1.3 problems
> User-Agent: Mutt/1.10.1 (2018-07-13)
> 
> On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:
> 
> > today I noticed a significant amount of TLS failures in my postfix log.
> > 
> > Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from
> > client.example[192.0.2.25]:34152: -1
> > 
> > I traced some sessions and found the problematic client is announcing
> > the special cipher "TLS_FALLBACK_SCSV"
> > in a TLSv1.2 ClientHello message. Now, as my server supports TLSv1.3,
> > my SSL library (openssl-1.1.1) assumes a downgrade attack and closes the
> > connection with an SSL error message "inappropriate fallback"
> > 
> > The core issue is a client with a nonconforming TLS implementation.
> 
> Any idea what software these clients are running?  Are they at all
> likely to fix this any time soon?
> 
> > To circumvent the problem I tried to disable TLS1.3 on my server by setting
> > smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3
> > 
> > But that does not help.
> > The client still fails and delivers the message by falling back to plain text
> > :-/
> > 
> > The only option to force encrypted traffic again would be a library
> > downgrade on my side.
> > Any other suggestions?
> 
> Support for OpenSSL 1.1.1 and TLS 1.3 is on the list of fixes slated
> for Postfix 3.4, and some may then be backported to patch levels
> of earlier releases.
> 
> In the meantime, try:
> 
>     tls_ssl_options = 0x20000000
> 
> which corresponds to SSL_OP_NO_TLSv1_3.  I am not aware of any
> method to accept the "downgrade" to TLS 1.2 without disabling TLS
> 1.3 for clients that do have correct implementations.
> 
> -- 
>       Viktor.
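The server-side rule behind the "inappropriate fallback" error in the log above, as an added example that is not code from the thread, from Postfix or from OpenSSL: it parses the three ClientHello fields the RFC 7507 check needs (legacy_version, cipher suites, and the TLS 1.3 supported_versions extension) and returns the verdict an OpenSSL 1.1.1 server reaches. The `build_client_hello` helper and the sample messages are constructed here so the example runs offline; the field layout follows RFC 5246/RFC 8446, and the TLS 1.3 rule that supported_versions overrides legacy_version is why a conforming 1.3 client can send the SCSV without being rejected.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Registry values (not from the thread): the SCSV and the extension we inspect.
TLS_FALLBACK_SCSV = 0x5600        # RFC 7507 signalling cipher suite value
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension
TLS1_2 = 0x0303
TLS1_3 = 0x0304


@dataclass
class ClientHello:
    legacy_version: int
    cipher_suites: List[int]
    supported_versions: Optional[List[int]]   # None when the extension is absent

    @property
    def max_version(self) -> int:
        # A TLS 1.3 client pins legacy_version to 1.2 and advertises its real
        # maximum in supported_versions, so the extension wins when present.
        if self.supported_versions:
            return max(self.supported_versions)
        return self.legacy_version


def build_client_hello(legacy_version, cipher_suites, supported_versions=None) -> bytes:
    """Hypothetical helper: serialise a minimal ClientHello handshake message
    (no record header) so the parser below has constructed input to work on."""
    body = struct.pack("!H", legacy_version)
    body += bytes(32)                        # random: constructed, all zero
    body += b"\x00"                          # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    exts = b""
    if supported_versions is not None:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vs)]) + vs
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg: bytes) -> ClientHello:
    """Extract only the fields the fallback check needs."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    legacy_version = int.from_bytes(body[0:2], "big")
    off = 2 + 32                                     # skip random
    off += 1 + body[off]                             # skip legacy_session_id
    cs_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                             # skip compression_methods
    supported = None
    if off < len(body):                              # extensions block is optional
        ext_len = int.from_bytes(body[off:off + 2], "big")
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype = int.from_bytes(body[off:off + 2], "big")
            elen = int.from_bytes(body[off + 2:off + 4], "big")
            data = body[off + 4:off + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and data:
                n = data[0]                          # byte length of the version list
                supported = [int.from_bytes(data[1 + i:3 + i], "big") for i in range(0, n, 2)]
            off += 4 + elen
    return ClientHello(legacy_version, suites, supported)


def fallback_verdict(hello: ClientHello, server_max_version: int) -> str:
    """RFC 7507 server rule: SCSV present *and* the client's maximum version
    below what this server supports means an unexpected downgrade."""
    if TLS_FALLBACK_SCSV not in hello.cipher_suites:
        return "ok"
    if hello.max_version < server_max_version:
        return "inappropriate_fallback"    # the alert name seen in the Postfix log
    return "ok"


if __name__ == "__main__":
    # Constructed messages modelling the thread: a TLS 1.2 ClientHello carrying
    # the SCSV, offered to a server whose maximum version is TLS 1.3.
    misbehaving = build_client_hello(TLS1_2, [0xC02F, TLS_FALLBACK_SCSV])
    print(fallback_verdict(parse_client_hello(misbehaving), TLS1_3))  # inappropriate_fallback
    # Same client after the SSL_OP_NO_TLSv1_3 workaround lowers the server maximum.
    print(fallback_verdict(parse_client_hello(misbehaving), TLS1_2))  # ok
    # A conforming TLS 1.3 client that also sends the SCSV is not a downgrade.
    conforming = build_client_hello(TLS1_2, [0x1301, 0xC02F, TLS_FALLBACK_SCSV], [TLS1_3, TLS1_2])
    print(fallback_verdict(parse_client_hello(conforming), TLS1_3))   # ok
```

The second call shows what the `tls_ssl_options = 0x20000000` workaround buys and costs: with the server maximum lowered to 1.2 the SCSV no longer signals a downgrade, but every client, conforming ones included, is now capped at TLS 1.2. A tolerance knob of the kind Viktor asks about would instead keep `server_max_version` at 1.3 and skip the comparison, at the price of losing the downgrade protection the SCSV exists to provide.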

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project