Viktor Dukhovni:
> On Sat, Apr 23, 2022 at 09:02:09PM -0400, Wietse Venema wrote:
>
> > The PREGREET logging for those eight crashing sessions shows that
> > this client 1.2.3.4 was changing its TLS record version from 0x0303
> > (\003\003) to 0x0302 (\003\002) to 0x0301 (\003\001).
> >
> > Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: PREGREET 426
> > after 0 from [1.2.3.4]:33288: \026\003\003\001\245\001\000...
> > Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7186]: PREGREET 426
> > after 0 from [1.2.3.4]:33850: \026\003\003\001\245\001\000...
> > Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: PREGREET 347
> > after 0 from [1.2.3.4]:34124: \026\003\003\001V\001\000...
> > Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7188]: PREGREET 333
> > after 0 from [1.2.3.4]:34386: \026\003\003\001H\001\000...
> > Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7189]: PREGREET 414
> > after 0.05 from [1.2.3.4]:34506: \026\003\003\001\231\001\000...
> > Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: PREGREET 415
> > after 0 from [1.2.3.4]:34644: \026\003\002\001\232\001\000...
> > Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: PREGREET 428
> > after 0.02 from [1.2.3.4]:34772: \026\003\001\001\247\001\000...
> > Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7192]: PREGREET 428
> > after 0 from [1.2.3.4]:34874: \026\003\001\001\247\001\000...
> > Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7193]: PREGREET 418
> > after 0 from [1.2.3.4]:34980: \026\003\001\001\235\001\000...
> > Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7194]: PREGREET 441
> > after 0 from [1.2.3.4]:35048: \026\003\001\001\264\001\000...
> >
> > I find it hard to believe that one client changes its TLS implementation
> > within a two-second time interval (assuming the time stamps are real).
>
> One sort of client that would do that would be some sort of protocol
> audit tool. A full packet dump (PCAP file with untruncated packets)
> would be useful here IMHO.
>
> But one might also imagine a client that tries version downgrade on
> handshake failure.
>
> Also the non-crashing PREGREET logging shows much shorter TLS client
> HELLO packets (~100 vs. ~400 bytes). So definitely a different client
> behaviour.
It would be invaluable to have a recording of a complete session
with that system. Something like:
tcpdump -i name-of-interface -s 2000 -w /file/name host 1.2.3.4
Capture at least one session that has a TLS hello packet of over
400 bytes (pregreet size). It would be good to have Postfix logging
for that session, but we might be able to do without.
Wietse
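A small parser for these PREGREET lines, added here as an example and not code from the thread or from Postfix: it undoes postscreen's octal escaping, reads the TLS record header, checks that the logged byte count matches the record length plus the 5-byte header, and lists the record versions seen per client. The sample lines are the ones quoted above, re-joined onto one line each; the regex assumes the log layout shown there.

```python
import re
from collections import defaultdict

# postscreen PREGREET line as quoted in the thread, re-joined onto one line.
PREGREET_RE = re.compile(
    r"postscreen\[\d+\]: PREGREET (?P<size>\d+) after [\d.]+ from "
    r"\[(?P<ip>[^\]]+)\]:\d+: (?P<payload>.*?)(?:\.\.\.)?$")

def unescape(payload):
    """Undo postscreen's \\NNN octal escaping; printable bytes are literal."""
    return re.sub(rb"\\([0-7]{3})", lambda m: bytes([int(m.group(1), 8)]),
                  payload.encode("latin-1"))

def parse_pregreet(line):
    """Decode the TLS record header from a PREGREET log line.
    Returns None for lines that are not a TLS handshake record (0x16)."""
    m = PREGREET_RE.search(line)
    if not m:
        return None
    raw = unescape(m.group("payload"))
    if len(raw) < 6 or raw[0] != 0x16:
        return None
    size, record_len = int(m.group("size")), int.from_bytes(raw[3:5], "big")
    return {
        "ip": m.group("ip"),
        "version": "0x%02x%02x" % (raw[1], raw[2]),   # record-layer version
        "client_hello": raw[5] == 0x01,               # handshake type
        # 5-byte record header + body should equal the PREGREET byte count
        "size_consistent": size == record_len + 5,
    }

def versions_per_client(lines):
    """Map client IP -> sorted list of record versions seen, so a client that
    walks 0x0303 -> 0x0302 -> 0x0301 (as in the thread) stands out."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_pregreet(line)
        if rec and rec["client_hello"]:
            seen[rec["ip"]].add(rec["version"])
    return {ip: sorted(v) for ip, v in seen.items()}

# Constructed from the log lines quoted in the thread (wrapped there).
SAMPLE = [
    r"Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: PREGREET 426 after 0 from [1.2.3.4]:33288: \026\003\003\001\245\001\000...",
    r"Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: PREGREET 347 after 0 from [1.2.3.4]:34124: \026\003\003\001V\001\000...",
    r"Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: PREGREET 415 after 0 from [1.2.3.4]:34644: \026\003\002\001\232\001\000...",
    r"Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: PREGREET 428 after 0.02 from [1.2.3.4]:34772: \026\003\001\001\247\001\000...",
]
```

Running `versions_per_client(SAMPLE)` on the quoted lines gives one client with three record versions, and every line's PREGREET byte count agrees with the record length, so the truncated log text is enough to read the header even without the PCAP.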