> From: owner-openssl-us...@openssl.org On Behalf Of David Carvalho
> Sent: Wednesday, 09 June, 2010 06:06

> I am having trouble since I replaced my e-mail server (hardware and to Fedora 12).
> Basically I'm using almost the same sendmail.mc file as in the previous server
> (running openssl 0.9.6, I think).
> The problem is that Windows XP clients running Outlook, outlook express or windows mail can not
> relay, as they fail to STARTTLS.
...
> In my previous server logs, I saw that the windows XP clients used RC4-MD5 cipher, but now
> I get
> STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1

5 is SSL_ERROR_SYSCALL -- an I/O operation (likely recv()) failed with that errno. On one Linux I have to hand 104 is ECONNRESET; I'm not sure it's the same on (all) others but that's certainly a likely I/O error on a socket. If so, either the client is failing or something in between like maybe a firewall is breaking your connection. There may be helpful log information on the client; see below. Or a net monitor like your ssldump below will show *when* in the protocol the problem occurred. (Normally I would also suggest s_server, but it doesn't do STARTTLS.)

> and other times
> STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
> depending on which client.

1 is SSL_ERROR_SSL which is either an actual error in the protocol or an error reflected through the protocol i.e. a fatal alert; errno is (usually) meaningless and the program should call SSL_print_errors[_fp] or similar logic to get useful info. If it is not doing so and you can't get it to (maybe some option, I don't know sendmail) monitor as above.

> I've found some information confirming this issue with older Windows at
> http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html

See below.

> From: owner-openssl-us...@openssl.org On Behalf Of David Carvalho
> Sent: Wednesday, 09 June, 2010 07:37
> Subject: openssl 1.0.0 issue with sendmail (ssldump output)

> After installing ssldump, I could compare windows xp and windows 7 clients STARTTLS negotiation.
> While the windows 7 used TLS_RSA_WITH_AES_128_CBC_SHA via TLSv1/SSLv3
> Windows XP output is
> New TCP connection #1: 10.0.0.252(5000) <-> my.server (25)
> 1 1 0.0182 (0.0182) C>S SSLv2 compatible client hello
> Version 3.1
> cipher suites <snipped; as per referenced website does not request AES suites>
> 1 2 0.0188 (0.0005) S>C Handshake
> ServerHello
> Version 3.1
> session_id[32]= <snipped>
> cipherSuite TLS_RSA_WITH_RC4_128_MD5
> compressionMethod NULL
> 1 3 0.0188 (0.0000) S>C Handshake
> Certificate
> 1 4 0.0202 (0.0014) S>C Handshake
> 1 5 0.0202 (0.0000) S>C Handshake
> 1 0.0229 (0.0026) C>S TCP FIN
> 1 0.0230 (0.0001) S>C TCP FIN

Did you delete or suppress some details? After ServerHello server should send Certificate (partly shown), ServerKeyExchange and ServerHelloDone (not shown). (Also CertRequest if you use client authentication aka client certs, but it doesn't look like you do and you certainly didn't say so.) At that point this client apparently just closes the connection (C>S FIN then S>C FIN) which is abnormal. Probably only the client can tell you why it did this. Also, this doesn't show any STARTTLS; I don't know if ssldump doesn't show pre-SSL traffic on a connection, or you suppressed it, or what.

> New TCP connection #2: 10.0.0.252(1025) <-> my.server(25)
> 2 60.0266 (60.0266) C>S TCP FIN
> 2 60.0267 (0.0000) S>C TCP FIN

This is really strange -- it connects and then does nothing for 60 seconds? Either your monitor is missing some traffic, or this client is weird.

> So how can I enable SSLv2 support ? Is it on openssl or sendmail ?

You shouldn't want or need SSLv2 *protocol*; it's obsolete and unsafe. As the website you referenced explicitly says. The client in this case is offering to negotiate up to 3.1 (which is TLS1.0). Don't be fooled by the 'SSLv2 *compatible* hello'; that doesn't mean it wants v2.

The old *ciphersuites* are still available in SSL3/TLS unless you disable them; the discussion on that website about !SSLv2 in the cipherstring is exactly that. In this case the server agreed to an RC4-MD5 suite, as you say the XP clients previously liked.

I think only the client can say what's going on here; see below.

A thought: is the new server using the same (keypair&)cert as the old one? If not, does the client need to be told to trust the new one? I'd guess that Outlook etc. would use the same truststore as IE, but that's only a guess. But if anything I would expect newer Windows' apps to be *more* strict here not less; IE7 certainly is.

Googling found http://www.mofeel.net/448-comp-mail-sendmail/3469.aspx which is almost the same symptom but traced to server using DSA cert resulting in selecting DHE-DSS-3DES which clearly is different than your case. (And also that case did use ClientAuth.)

Also found advice to set 'Enable logging' under Tools / Options / Other / Advanced which according to the help goes to \D&S\user\Local Settings\Temp (i.e. the standard or at least usual %temp% directory) as OPMLog.log . I happen to have XPProSP3 and Outlook2003 to a non-SSL mailserver, and that does log; I can't verify what it does for STARTTLS+SSL.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
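Added example, not part of the thread or of sendmail/OpenSSL: a small Python triage helper that applies the two rules from the reply (SSL_error=5 is an I/O failure whose errno is meaningful, SSL_error=1 is a protocol failure or fatal alert whose errno is not) to sendmail "accept failed" log lines, and checks an ssldump trace for the pattern seen here, a client that sends its hello and then FIN without ever sending its own handshake flight. The log lines and the trace are constructed to match the shapes quoted above; the record layout assumed is ssldump's "conn rec time (delta) dir type" format.

```python
import errno
import re

# Constructed sendmail log lines, modelled on the two "accept failed" errors quoted above.
SENDMAIL_LOG = [
    "STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1",
    "STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1",
]

# Constructed ssldump excerpt of one connection, laid out the way ssldump prints records.
SSLDUMP = """\
New TCP connection #1: 10.0.0.252(5000) <-> my.server(25)
1 1  0.0182 (0.0182)  C>S  SSLv2 compatible client hello
1 2  0.0188 (0.0005)  S>C  Handshake
1 3  0.0188 (0.0000)  S>C  Handshake
1 4  0.0202 (0.0014)  S>C  Handshake
1 5  0.0202 (0.0000)  S>C  Handshake
1    0.0229 (0.0026)  C>S  TCP FIN
1    0.0230 (0.0001)  S>C  TCP FIN
"""

SSL_ERROR_SSL, SSL_ERROR_SYSCALL = 1, 5  # SSL_get_error() values from <openssl/ssl.h>
LOG_RE = re.compile(r"accept failed=-1, SSL_error=(\d+), errno=(\d+)")
REC_RE = re.compile(r"^\d+\s+(?:\d+\s+)?[\d.]+ \([\d.]+\)\s+(C>S|S>C)\s+(.*)$")

def classify_accept_failure(line):
    """Say what a sendmail 'accept failed' line actually tells you, and where to look next."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ssl_err, err_no = int(m.group(1)), int(m.group(2))
    if ssl_err == SSL_ERROR_SYSCALL:
        # The errno is real here; its name is platform-specific (104 is ECONNRESET on Linux).
        return {"kind": "io", "errno": err_no, "errno_name": errno.errorcode.get(err_no, "?")}
    if ssl_err == SSL_ERROR_SSL:
        # errno is meaningless here; the OpenSSL error queue (ERR_print_errors_fp) has the cause.
        return {"kind": "protocol", "errno": None, "errno_name": None}
    return {"kind": "other", "errno": err_no, "errno_name": None}

def handshake_verdict(dump):
    """Work out from an ssldump trace which side gave up, and at what point."""
    events = [(m.group(1), m.group(2).strip()) for m in map(REC_RE.match, dump.splitlines()) if m]
    client = [what for who, what in events if who == "C>S"]
    # Hello then FIN with no client Handshake record after the server's flight: the client itself rejected that flight.
    if client and client[-1] == "TCP FIN" and not any(w.startswith("Handshake") for w in client):
        return "client closed after server flight without sending ClientKeyExchange"
    if any(what == "Alert" for _, what in events):
        return "fatal alert on the wire; read the alert description"
    return "handshake progressed past the server flight"
```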