On Wed, Dec 04, 2024 at 09:04:43PM +1300, Tim Harman wrote:
> > This seemed to be about TLS handshake failures, not connection loss
> > after a successful handshake... Did I misunderstand?
>
> No, you don't misunderstand. Their ticket/bug is about TLS handshake
> failing.
> I was clearly getting through that as you can see the second EHLO was issued
> after STARTTLS had completed.
> But the dates lined up with when it started failing for me and them, and the
> error message from Microsoft "Security status InvalidToken" seemed vaguely
> to sound like a "Session Ticket" even though they use the word Token.
Perhaps I'm beginning to see the light... In TLS 1.3 session tickets
work differently than in TLS 1.2, and MSFT may have rolled out TLS 1.3
support in their email stack somewhat recently.
In TLS 1.2 any session ticket is sent to the client as part of the TLS
handshake prior to the "finished message", and so before either side has
turned on the ultimately negotiated traffic encryption. In particular
though tickets are internally encrypted by a key known only the server,
the ticket is sent "in the clear". It is possible for an observer to
see the client using the same ticket later, and "link" the resumption
to the initial session.
In TLS 1.3, there was much focus on privacy (and latency, but that's a
separate topic), and linkable tickets were frowned upon. So TLS 1.3
tickets are sent *after* the handshake is complete, and the timing
of ticket transmission is somewhat nuanced (but I digress).
What this means is that the TLS 1.3 handshake may be complete, and the
client sends the EHLO, but the server's response will be not not only
the application data (250-servername ...<CRLF>...), but also the session
tickets marked as additional handshake messages rather than application
data.
So this is where the SMTP server on the MSFT side may be having issues,
its TLS (1.3) and SMTP stacks may not be interacting properly once
non-application data arrives post-handshake. One might have hoped
for better testing...
As for why Debian 12 is doing better, that may have to do with
that "timing" question, and whether the server sends the tickets
immediately the handshake completes, or only when it has some
data to send... This may have changed between OpenSSL versions...
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
