On Thu, Apr 03, 2014 at 01:18:13PM +0200, Frantisek Hanzlik wrote:

> Hello OpenSSL gurus,
>
> I found in my sendmail-8.14.7/Fedora-18-i386 queue undelivered mails,
> the log says 'TLS handshake failed', and when I captured traffic between
> my and the destination mailserver, I got the result as in the attached
> text export from wireshark.
>
> And when I tried:
>
> openssl s_client -starttls smtp -connect DestMTA -msg -debug

I can reproduce this behaviour with the Postfix 2.11 "posttls-finger"
utility (not surprising really, since it is also linked with OpenSSL).
The behaviour is the same with OpenSSL 1.0.1 and the 1.0.2 version in git.

$ posttls-finger "[89.24.112.34]"
posttls-finger: Connected to 89.24.112.34[89.24.112.34]:25
posttls-finger: < 220 elfetex.cz Kerio Connect 8.2.2 ESMTP ready
posttls-finger: > EHLO central-dogma.lan
posttls-finger: < 250-elfetex.cz
posttls-finger: < 250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-ETRN
posttls-finger: < 250-DSN
posttls-finger: < 250 HELP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: SSL_connect error to 89.24.112.34[89.24.112.34]:25: -1
posttls-finger: warning: TLS library problem: error:1409210A:SSL routines:SSL3_GET_SERVER_HELLO:wrong ssl version:s3_clnt.c:868:

Indeed that server's response is TLS 1.1 {3, 2} at the record layer, and
TLS 1.2 {3, 3} in the server HELLO. I don't know whether rejecting such
server responses is the right behaviour, or whether the OpenSSL client
should tolerate this.

For what it is worth, Postfix will retry in cleartext after an
opportunistic TLS handshake fails. Does Sendmail not fall back to
cleartext?

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
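The mismatch Viktor describes, reproduced in an added example (not code from the thread, from OpenSSL or from Postfix): a constructed ServerHello record whose record-layer version says TLS 1.1 {3, 2} while the ServerHello body says TLS 1.2 {3, 3}, and the consistency check a client applies between the two. The server random, session id and cipher suite are placeholders chosen here, not values from the capture.

```python
import struct

TLS_VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_server_hello_record(record_version, hello_version, cipher_suite=0x002F):
    """Constructed sample (not a real capture): one handshake record carrying a ServerHello."""
    body = (bytes(hello_version)              # ServerHello.server_version
            + bytes(32)                       # server random: all zeros, placeholder
            + b"\x00"                         # session_id length 0
            + struct.pack("!H", cipher_suite)  # placeholder cipher suite
            + b"\x00")                        # compression method: null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # HandshakeType server_hello (2)
    header = struct.pack("!BBBH", 0x16, record_version[0], record_version[1], len(handshake))
    return header + handshake                 # ContentType handshake (22) + version + length


def parse_server_hello(record):
    """Return ((record major, minor), (hello major, minor)) from a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rv_major, rv_minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if len(hs) < 6 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2:
        raise ValueError("truncated ServerHello")
    return (rv_major, rv_minor), (body[0], body[1])


def version_mismatch(record):
    """True when the ServerHello version disagrees with the record-layer version,
    the condition reported above as 'wrong ssl version'."""
    rec, hello = parse_server_hello(record)
    return rec != hello


if __name__ == "__main__":
    bad = build_server_hello_record((3, 2), (3, 3))   # record layer TLS 1.1, hello TLS 1.2
    rec, hello = parse_server_hello(bad)
    print("record layer:", TLS_VERSION_NAMES.get(rec, rec),
          "| ServerHello:", TLS_VERSION_NAMES.get(hello, hello),
          "| mismatch:", version_mismatch(bad))
```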