On Thu, May 21, 2015 at 03:37:40PM +0800, King Cao wrote:

> I know there are several similar mail threads to discuss the TLS handshake
> failure issue (such as:
> http://comments.gmane.org/gmane.mail.postfix.user/250507). However, my
> situation is that I use the same cipher list on posttls-finger and openssl
> s_client, posttls-finger failed but openssl s_client succeeded.
The actual cipherlists are only "the same" if Postfix and the openssl
command are linked with the same OpenSSL library. Otherwise, the
s_client(1) command will ignore unsupported cipherlist elements.

> # openssl ciphers 'ALL:+RC4:!3DES:@STRENGTH' -v| egrep -n 'RC4-MD5'
> 73:ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
> 77:RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> 78:RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> 81:KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
> 99:EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
> 100:EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
> 101:EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
> 103:EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export

This is not meaningful, because you're counting ciphers that can't possibly
be used, e.g. PSK, and SRP.

Post "ldd" output for "posttls-finger" and "openssl".

-- 
	Viktor.
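As an added example that is not part of the thread (neither Viktor's nor Postfix's code), the following POSIX shell script carries out the check Viktor asks for: it reads `ldd` output for the two binaries, reports whether they resolve to the same libssl/libcrypto, and, when they do not, lists the cipherlist entries one library expands but the other does not (the entries s_client(1) would silently drop). The `ldd` output and cipher lists embedded in it are constructed sample data; the library paths, SONAME versions and the hypothetical `/usr/local/ssl` install are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Real use would feed:
#   ldd "$(command -v posttls-finger)"   and   ldd "$(command -v openssl)"
#   openssl ciphers -v 'ALL:+RC4:!3DES:@STRENGTH'   (run with each library)
# Everything below is constructed sample data standing in for that output.

# Print the resolved paths of libssl and libcrypto from ldd output on stdin.
ssl_libs() {
    awk '/libssl|libcrypto/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' | sort
}

# Exit 0 only if both ldd outputs resolve to the identical libssl/libcrypto paths.
same_openssl() {
    a=$(printf '%s\n' "$1" | ssl_libs)
    b=$(printf '%s\n' "$2" | ssl_libs)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Cipher names (first field of `openssl ciphers -v` lines) present in the first
# list but absent from the second: the elements a binary linked against the
# second library cannot offer, whatever the cipherlist string says.
cipher_diff() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } |
    awk '$1 == "--" { second = 1; next }
         !second    { seen[$1] = 1; next }
         NF && !($1 in seen)'
}

# Constructed ldd output: posttls-finger against the distribution's OpenSSL,
# openssl(1) against a separately installed build (assumed paths/versions).
POSTTLS_LDD='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f10a0000000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f10a0400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f10a0800000)'
OPENSSL_LDD='    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f20b0000000)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f20b0400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f20b0800000)'

# Constructed `openssl ciphers -v` output for the two libraries: the newer one
# no longer expands RC4-MD5 at all.
OLD_CIPHERS='RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'
NEW_CIPHERS='AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

if same_openssl "$POSTTLS_LDD" "$OPENSSL_LDD"; then
    echo "same OpenSSL library: comparing cipherlists between the two tools is meaningful"
else
    echo "different OpenSSL libraries; entries the newer library drops from the cipherlist:"
    cipher_diff "$OLD_CIPHERS" "$NEW_CIPHERS"
fi
```

Only when `same_openssl` succeeds does "same cipherlist" on both commands mean the same set of ciphers; otherwise `cipher_diff` shows which names one side never offered, and that, not the `egrep -n` line numbers, is what to compare.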