Hi Viktor,

I execute openssl and posttls-finger on the same machine; below is the ldd output.

ldd /usr/bin/openssl
    linux-vdso.so.1 => (0x00007fff6f347000)
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003b66c00000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003b65c00000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003b65000000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003b64000000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003b65400000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003b64400000)
    libdl.so.2 => /lib64/libdl.so.2 (0x0000003b60000000)
    libz.so.1 => /lib64/libz.so.1 (0x0000003b60400000)
    libc.so.6 => /lib64/libc.so.6 (0x0000003b5f800000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003b64c00000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003b65800000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003b61800000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003b5fc00000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003b5f400000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003b60c00000)

ldd ./posttls-finger
    linux-vdso.so.1 => (0x00007fff76568000)
    libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f4f17850000)
    liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f4f17641000)
    libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f4f17414000)
    libmysqlclient.so.18 => /usr/lib64/libmysqlclient.so.18 (0x00007f4f16e49000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f4f16bc5000)
    libpq.so.5 => /usr/lib64/libpq.so.5 (0x00007f4f1699c000)
    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f4f16782000)
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f4f16516000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f4f16135000)
    libdb-4.7.so => /lib64/libdb-4.7.so (0x00007f4f15dc1000)
    libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f4f15ba8000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f4f1598d000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f4f155f9000)
    libssl3.so => /usr/lib64/libssl3.so (0x00007f4f153bd000)
    libsmime3.so => /usr/lib64/libsmime3.so (0x00007f4f15190000)
    libnss3.so => /usr/lib64/libnss3.so (0x00007f4f14e54000)
    libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f4f14c2e000)
    libplds4.so => /lib64/libplds4.so (0x00007f4f14a29000)
    libplc4.so => /lib64/libplc4.so (0x00007f4f14824000)
    libnspr4.so => /lib64/libnspr4.so (0x00007f4f145e7000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4f143c9000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f4f141c5000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f4f13fbd000)
    libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007f4f13cb6000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f4f13aa0000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f4f1385c000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f4f13624000)
    libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 (0x00007f4f133d1000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f4f130eb000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f4f12ee6000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f4f12cba000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f4f12aa4000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003b5f400000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f4f12898000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f4f12695000)
    libfreebl3.so => /lib64/libfreebl3.so (0x00007f4f12432000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4f12213000)

Regards,
King

2015-05-21 15:56 GMT+08:00 Viktor Dukhovni <postfix-us...@dukhovni.org>:

> On Thu, May 21, 2015 at 03:37:40PM +0800, King Cao wrote:
>
> > I know there are several similar mail threads to discuss the TLS handshake
> > failure issue (such as:
> > http://comments.gmane.org/gmane.mail.postfix.user/250507). However, my
> > situation is that I use the same cipher list on posttls-finger and openssl
> > s_client, posttls-finger failed but openssl s_client succeeded.
>
> The actual cipherlists are only "the same", if Postfix and the openssl
> command are linked with the same OpenSSL library. Otherwise, the
> s_client(1) command will ignore unsupported cipherlist elements.
>
> > # openssl ciphers 'ALL:+RC4:!3DES:@STRENGTH' -v| egrep -n 'RC4-MD5'
> > 73:ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
> > 77:RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> > 78:RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> > 81:KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
> > 99:EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
> > 100:EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
> > 101:EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
> > 103:EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
> >
>
> This is not meaningful, because you're counting ciphers that can't
> possibly be used, e.g. PSK, and SRP.
>
> Post "ldd" output for "posttls-finger" and "openssl".
>
> --
> Viktor.
>
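
One way to check the condition discussed in this thread (both programs linked with the same OpenSSL library) from saved ldd output, as an added example that is not part of the original messages. The function names and the /opt/example paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the OpenSSL libraries two binaries resolve to,
# working on saved `ldd` output so it runs offline.

# Print "soname path" for each libssl/libcrypto entry in ldd output on stdin.
# Only libssl.so* and libcrypto.so* match, so NSS's libssl3.so is not counted.
openssl_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so(\.|$)/ { print $1, $3 }' | sort
}

# Arguments: two ldd listings. Returns 0 when both resolve the same
# libssl/libcrypto files, 1 when they differ, and 2 when either listing
# has no OpenSSL entry (e.g. static linking, which ldd cannot show).
same_openssl() {
    a=$(printf '%s\n' "$1" | openssl_libs)
    b=$(printf '%s\n' "$2" | openssl_libs)
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Excerpts of the two ldd listings posted in the message above.
LDD_OPENSSL='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003b66c00000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003b64400000)
    libc.so.6 => /lib64/libc.so.6 (0x0000003b5f800000)'
LDD_FINGER='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f4f16516000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f4f16135000)
    libssl3.so => /usr/lib64/libssl3.so (0x00007f4f153bd000)'
# Constructed counter-example: a binary built against a private OpenSSL copy.
LDD_OTHER='    libssl.so.1.0.0 => /opt/example/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /opt/example/lib/libcrypto.so.1.0.0 (0x00007f0000100000)'

if same_openssl "$LDD_OPENSSL" "$LDD_FINGER"; then
    echo "openssl and posttls-finger resolve the same libssl/libcrypto files"
else
    echo "OpenSSL libraries differ or are missing from the listing"
fi
```

On a live system the same comparison is `same_openssl "$(ldd /usr/bin/openssl)" "$(ldd ./posttls-finger)"`.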