Oops, the correct
openssl s_client -servername smtp.example.com -starttls smtp -connect smtp.example.com:25 <http://smtp.example.com:25/> output: CONNECTED(00000003) 140192932344960:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 326 bytes and written 726 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- JM > On 9 Jun 2020, at 22:36, Ján Máté <jan.m...@uniqsys.eu> wrote: > > Hi Victor, > > yes, I looked at /etc/ssl/openssl.cnf and found nothing related to default or > preloaded chain. > > See the result of the debug from strace - only 3 cert related files are > opened = the private key, full chain and DH param: > > openat(AT_FDCWD, "pid/inet.smtp", O_RDWR) = 9 > openat(AT_FDCWD, "/etc/aliases.db", O_RDONLY) = 12 > openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 13 > openat(AT_FDCWD, "/etc/DB_CONFIG", O_RDONLY) = -1 ENOENT (No such file or > directory) > openat(AT_FDCWD, "/etc/aliases.db", O_RDONLY) = 13 > openat(AT_FDCWD, "/etc/aliases.db", O_RDONLY) = 14 > openat(AT_FDCWD, "/usr/lib/postfix/postfix-ldap.so", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/usr/lib/postfix/libldap_r-2.4.so.2", O_RDONLY|O_CLOEXEC) = > -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libldap_r-2.4.so.2", > O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/usr/lib/postfix/liblber-2.4.so.2", O_RDONLY|O_CLOEXEC) = > -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblber-2.4.so.2", > O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgnutls.so.30", O_RDONLY|O_CLOEXEC) > = 12 > openat(AT_FDCWD, 
"/lib/x86_64-linux-gnu/libp11-kit.so.0", O_RDONLY|O_CLOEXEC) > = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libidn2.so.0", O_RDONLY|O_CLOEXEC) = > 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunistring.so.2", > O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libtasn1.so.6", O_RDONLY|O_CLOEXEC) = > 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnettle.so.6", O_RDONLY|O_CLOEXEC) > = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libhogweed.so.4", O_RDONLY|O_CLOEXEC) > = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgmp.so.10", O_RDONLY|O_CLOEXEC) = > 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libffi.so.6", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2", > O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 12 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = > 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libk5crypto.so.3", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY|O_CLOEXEC) > = 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkrb5support.so.0", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkeyutils.so.1", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libscram.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so", > 
O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libgs2.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/etc/gss/mech.d", > O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = > 15 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2/libplain.so", > O_RDONLY|O_CLOEXEC) = 15 > openat(AT_FDCWD, "/etc/ldap/ldap.conf", O_RDONLY) = 12 > openat(AT_FDCWD, "ldaprc", O_RDONLY) = -1 ENOENT (No such file or > directory) > openat(AT_FDCWD, "/etc/postfix/tables/ldap-virtual_alias_maps", O_RDONLY) = 12 > openat(AT_FDCWD, "/etc/postfix/tables/ldap-virtual_alias_maps-alternate", > O_RDONLY) = 12 > openat(AT_FDCWD, "/etc/postfix/tables/ldap-virtual_mailbox_maps", O_RDONLY) = > 12 > openat(AT_FDCWD, "/usr/lib/postfix/postfix-pcre.so", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/usr/lib/postfix/libpcre.so.3", O_RDONLY|O_CLOEXEC) = -1 > ENOENT (No such file or directory) > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 12 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = > 12 > openat(AT_FDCWD, "/etc/postfix/tables/pcre-check_helo_access", O_RDONLY) = 12 > openat(AT_FDCWD, "/etc/postfix/sasl/smtpd.conf", O_RDONLY) = 12 > openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/sasl2", > O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 12 > openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 15 > openat(AT_FDCWD, "/etc/postfix/tables/hash-tls_server_sni_maps.db", O_RDONLY) > = 12 > openat(AT_FDCWD, "/etc/postfix/tables/DB_CONFIG", O_RDONLY) = -1 ENOENT (No > such file or directory) > openat(AT_FDCWD, 
"/etc/postfix/tables/hash-tls_server_sni_maps.db", O_RDONLY) > = 15 > openat(AT_FDCWD, "/etc/postfix/tables/hash-tls_server_sni_maps.db", O_RDONLY) > = 16 > openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 17 > openat(AT_FDCWD, "/etc/letsencrypt/live/smtp.example.com/privkey.pem > <http://smtp.example.com/privkey.pem>", O_RDONLY) = 17 > openat(AT_FDCWD, "/etc/letsencrypt/live/smtp.example.com/fullchain.pem > <http://smtp.example.com/fullchain.pem>", O_RDONLY) = 17 > openat(AT_FDCWD, "/etc/ssl/local/dh_ffdhe4096.pem", O_RDONLY) = 17 > openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/proc/sys/kernel/ngroups_max", O_RDONLY) = 17 > openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_systemd.so.2", > O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/run/systemd/userdb/", > O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 17 > openat(AT_FDCWD, "/proc/sys/kernel/random/boot_id", > O_RDONLY|O_NOCTTY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) > = 17 > openat(AT_FDCWD, "/var/lib/sss/mc/initgroups", O_RDONLY|O_CLOEXEC) = 17 > openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 22 > openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 22 > openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such > file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/haswell/x86_64/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/haswell/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/x86_64/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or 
directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/haswell/x86_64/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/haswell/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/x86_64/libnss_dns.so.2", > O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) > openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) > = 22 > openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 22 > > openssl s_client -servername smtp.example.com <http://smtp.example.com/> > -starttls smtp -connect smtp.example.com:25 <http://smtp.example.com:25/> > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: key at index 1 in SNI > data for smtp.example.com <http://smtp.example.com/> does not match next > certificate > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: TLS library problem: > error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing > certificate:../ssl/ssl_rsa.c:1107: > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: error loading private > keys and certificates from: SNI data for smtp.example.com > <http://smtp.example.com/>: aborting TLS handshake > Jun 9 22:17:55 example postfix/smtpd[246494]: SSL_accept error from > ***[93.***.***.***]: -1 > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: TLS library problem: > error:1422E0EA:SSL routines:final_server_name:callback > failed:../ssl/statem/extensions.c:1007: > Jun 9 22:17:55 example postfix/smtpd[246494]: lost connection after STARTTLS > from ***[93.***.***.***] > Jun 9 22:17:55 example postfix/smtpd[246494]: disconnect from > ***[93.184.***.***] ehlo=1 starttls=0/1 commands=1/2 > > server log: > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: key at index 1 in SNI > data for smtp.example.com 
does not match next > certificate > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: TLS library problem: > error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing > certificate:../ssl/ssl_rsa.c:1107: > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: error loading private > keys and certificates from: SNI data for smtp.example.com: aborting TLS handshake > Jun 9 22:17:55 example postfix/smtpd[246494]: SSL_accept error from > ***[93.***.***.***]: -1 > Jun 9 22:17:55 example postfix/smtpd[246494]: warning: TLS library problem: > error:1422E0EA:SSL routines:final_server_name:callback > failed:../ssl/statem/extensions.c:1007: > > > Any further ideas? > > > Thanks, > > > JM