Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

[Alan Buxey]

It seams that there is another difference between the two openssl 
versions then only the heartbleed bugfix.

err, yes. The g release is a new minor release.  I'd ALWAYS advise reading the 
changelog before deploying. .. You'd then have seen the new features (this is 
why vendors such as redhat are just back porting the fix rather than pushing 
1.0.1g to RH6.5 usersfor example)

alan

Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

[Viktor Dukhovni]

On Thu, Apr 10, 2014 at 06:39:21PM +0200, Dominik Mahrer (Teddy) wrote:

[ The subject is a bit dramatic, Sendmail did not break, rather you're
  experiencing interop issues with one site. ]

 Two days ago I updated openssl 1.0.1f to 1.0.1g. Everything seamed to be
 fine. But after a while an error popped up in sendmail log:
 
 Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect
 failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1

The remote server sent a TLSv1 alert (50) decode error.  My best guess is
that the server in question has a problem with the TLS padding extension:

commit 51624dbdaed5325ac763e63dc5eb0b3ef85d6489
Author: Dr. Stephen Henson st...@openssl.org
Date:   Sat Apr 5 20:43:54 2014 +0100

Set TLS padding extension value.

Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-v
(cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)

This extension deals works around interoperability issues with F5
load balancers.  Perhaps it introduces an interoperability issue
with Ironport appliances.  Can you post the IP address of the target
system?  Have you tried connecting with SSLv3 (disable TLSv1,
TLSv1.1 and TLSv1.2)?   You can test with

$ openssl s_client -starttls smtp -ssl3 -connect host:25

 The mail has not been delivered. Then I downgraded to 1.0.1f and the mail
 has been sent with:
 
 Apr 10 10:17:31 mail sendmail[31809]: STARTTLS=client,
 relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL,
 cipher=DHE-RSA-AES256-SHA, bits=256/256

The padding extension is not available in 1.0.1f.

 Then I tried on both versions:
 
 openssl s_client -starttls smtp -connect mail.example.com:25

Try ssl3.

 depth=0 C = US, ST = California, L = San Bruno, O = IronPort Systems,
 Inc., CN = IronPort Appliance Demo Certificate

That's sad.  The people should leave the Demo certificate in
place, still we learn its an Ironport.  I would contact Cisco and
see whether they can help to isolate the issue.  (I added a Cisco
Ironport engineer to the Bcc, perhaps he'll respond).

 Is there a way how I can handle such certificates with openssl 1.0.1g?
 mail.example.com is one of several communication-partners which I have
 problems with.

The problem is unrelated to the demo certificate.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

[Dominik Mahrer (Teddy)]

Thanks Viktor

OK, I googled about IronPort-Systems (one can never learn enough).

The output requested:

 openssl s_client -starttls smtp -ssl3 -connect migze121.migros.ch:25
CONNECTED(0003)
depth=0 C = US, ST = California, L = San Bruno, O = IronPort Systems, 
Inc., CN = IronPort Appliance Demo Certificate

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Bruno, O = IronPort Systems, 
Inc., CN = IronPort Appliance Demo Certificate

verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Bruno/O=IronPort Systems, 
Inc./CN=IronPort Appliance Demo Certificate
   i:/C=US/ST=California/L=San Bruno/O=IronPort Systems, 
Inc./CN=IronPort Appliance Demo Certificate

---
Server certificate
-BEGIN CERTIFICATE-
MIIDfTCCAuagAwIBAgIBATANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVNhbiBCcnVubzEfMB0GA1UE
ChMWSXJvblBvcnQgU3lzdGVtcywgSW5jLjEsMCoGA1UEAxMjSXJvblBvcnQgQXBw
bGlhbmNlIERlbW8gQ2VydGlmaWNhdGUwHhcNMDYwNTAxMjI1NzU4WhcNMTYwNTAx
MjI1NzU4WjCBhTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQ
BgNVBAcTCVNhbiBCcnVubzEfMB0GA1UEChMWSXJvblBvcnQgU3lzdGVtcywgSW5j
LjEsMCoGA1UEAxMjSXJvblBvcnQgQXBwbGlhbmNlIERlbW8gQ2VydGlmaWNhdGUw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALebxVos+JhWxNgAHKNZ7jtrtgsK
dx94/76c/316FW5nS2Y1M6ZvhOE2rblbs9riDcPMkiDrt6Cdd/GU4WdGYoG/SWxr
+0FqAiGLqyo45xUSmwg/hE/+LX3v1XM/bW0+SPUsyiXCFObafOFieHkaV+Rj9f3r
6f62Xsx6AlGyKQfjAgMBAAGjgfowgfcwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNeVBunw
o9Zl9hGQvMJMuuY0qg7IMIGcBgNVHSMEgZQwgZGhgYukgYgwgYUxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTYW4gQnJ1bm8xHzAd
BgNVBAoTFklyb25Qb3J0IFN5c3RlbXMsIEluYy4xLDAqBgNVBAMTI0lyb25Qb3J0
IEFwcGxpYW5jZSBEZW1vIENlcnRpZmljYXRlggEAMA0GCSqGSIb3DQEBBAUAA4GB
AKtUIDqKx1BnIB0cqRNcU4sPsy1gUhp2ieynoep2LEILGEiYTb08hmyvDUFzBn+P
Unv/RfHrD8XX4w/4ptV6e+jzwlqf63JBG3JZ4dGCp/jEX//SJtevmenctZRD4hyI
ATAp5F6VvERCk7YfvFRmPUua15wLUyDMFFdr46IUMrxg
-END CERTIFICATE-
subject=/C=US/ST=California/L=San Bruno/O=IronPort Systems, 
Inc./CN=IronPort Appliance Demo Certificate
issuer=/C=US/ST=California/L=San Bruno/O=IronPort Systems, 
Inc./CN=IronPort Appliance Demo Certificate

---
No client certificate CA names sent
---
SSL handshake has read 1608 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher: DHE-RSA-AES256-SHA
Session-ID: 
1CA7A0A5E2ED635DD10979AD459226068FF329E73F4E2F4C047AAFD938922187

Session-ID-ctx:
Master-Key: 
7B08A032113DD2E3F316E04B86B5F96F6D1081696F505784A8C3214B7C3EC58998F58978E6AB108B2AD25AD2530F577B

Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1397153971
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
250 STARTTLS




Another Domain with the same problem:
mx02.jhcn.net

 Enable TLS padding extension using official value from:

 
http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-v

 (cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)


I did not understand what you mean. I think 1.0.1g has enabled TLS 
padding extension by default?



For the moment I have fixed my problems by adding the heartbleed-fix to 
version 1.0.1f and took this into production. But I would like to 
understand the problem with TLS padding anyway.


Thanks



Mit freundlichen Grüssen
Dominik Mahrer

Dipl. Ing. Informatik FH/STV

Teddy Engineering GmbH http://www.teddy.ch/
Lettenmattstrasse 5mailto:te...@teddy.ch
8903 Birmensdorf ZH076 383 80 60


Am 10.04.2014 19:00, schrieb Viktor Dukhovni:

On Thu, Apr 10, 2014 at 06:39:21PM +0200, Dominik Mahrer (Teddy) wrote:

[ The subject is a bit dramatic, Sendmail did not break, rather you're
   experiencing interop issues with one site. ]


Two days ago I updated openssl 1.0.1f to 1.0.1g. Everything seamed to be
fine. But after a while an error popped up in sendmail log:

Apr 10 10:13:45 mail sendmail[17568]: STARTTLS=client, error: connect
failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1


The remote server sent a TLSv1 alert (50) decode error.  My best guess is
that the server in question has a problem with the TLS padding extension:

 commit 51624dbdaed5325ac763e63dc5eb0b3ef85d6489
 Author: Dr. Stephen Henson st...@openssl.org
 Date:   Sat Apr 5 20:43:54 2014 +0100

 Set TLS padding extension value.

 Enable TLS padding extension using official value from:

 
http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-v
 (cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)

This extension deals works around interoperability issues 

Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

[Viktor Dukhovni]

On Thu, Apr 10, 2014 at 09:58:47PM +0200, Dominik Mahrer (Teddy) wrote:

  openssl s_client -starttls smtp -ssl3 -connect migze121.migros.ch:25
 New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : SSLv3
 Cipher: DHE-RSA-AES256-SHA

As expected, this works because SSLv3 sends no extensions.

 Another Domain with the same problem: mx02.jhcn.net

Thanks, I'll also test these with Postfix.

  Enable TLS padding extension using official value from:

  http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-v
  (cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)
 
 I did not understand what you mean. I think 1.0.1g has enabled TLS padding
 extension by default?

Yes, 1.0.1g enables the padding extension by default, to work-around
common problems with F5 load-balancers that confuse SSLv3 Client
HELLO that are 256--511 bytes in length with SSLv2 HELLO.  This
solves a problem, but appears to introduce a new problem with the
ironports in question.

 For the moment I have fixed my problems by adding the heartbleed-fix to
 version 1.0.1f and took this into production. But I would like to understand
 the problem with TLS padding anyway.

The IETF TLS WG mailing list has a post from an F5 engineer from
some time in late 2013 IIRC that explained the F5 issue, and lead
to the padding extension being introduced.  It is enabled unconditionally
in OpenSSL 1.0.1g:

-- 
Viktor.

commit 4a55631e4dc76fb8d668218bf461c45a9abc5b94
Author: Dr. Stephen Henson st...@openssl.org
Date:   Fri Dec 13 14:41:32 2013 +

Backport TLS padding extension from master.
(cherry picked from commit 8c6d8c2a498146992123ef5407d7ba01a1e7224d)

Conflicts:

CHANGES
ssl/t1_lib.c

diff --git a/CHANGES b/CHANGES
index f6fabf9..58ac884 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,24 @@
 
  Changes between 1.0.1f and 1.0.1g [xx XXX ]
 
-  *)
+  *) TLS pad extension: draft-agl-tls-padding-02
+
+ Workaround for the TLS hang bug (see FAQ and PR#2771): if the
+ TLS client Hello record length value would otherwise be  255 and
+ less that 512 pad with a dummy extension containing zeroes so it
+ is at least 512 bytes long.
+
+ To enable it use an unused extension number (for example chrome uses
+ 35655) using:
+
+ e.g. -DTLSEXT_TYPE_padding=35655
+
+ Since the extension is ignored the actual number doesn't matter as long
+ as it doesn't clash with any existing extension.
+
+ This will be updated when the extension gets an official number.
+
+ [Adam Langley, Steve Henson]
 
  Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e22ebbf..29ccd83 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -662,6 +662,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned 
char *p, unsigned cha
 }
 #endif
 
+#ifdef TLSEXT_TYPE_padding
+   /* Add padding to workaround bugs in F5 terminators.
+* See https://tools.ietf.org/html/draft-agl-tls-padding-02
+*
+* NB: because this code works out the length of all existing
+* extensions it MUST always appear last.
+*/
+   {
+   int hlen = ret - (unsigned char *)s-init_buf-data;
+   /* The code in s23_clnt.c to build ClientHello messages includes the
+* 5-byte record header in the buffer, while the code in s3_clnt.c does
+* not. */
+   if (s-state == SSL23_ST_CW_CLNT_HELLO_A)
+   hlen -= 5;
+   if (hlen  0xff  hlen  0x200)
+   {
+   hlen = 0x200 - hlen;
+   if (hlen = 4)
+   hlen -= 4;
+   else
+   hlen = 0;
+
+   s2n(TLSEXT_TYPE_padding, ret);
+   s2n(hlen, ret);
+   memset(ret, 0, hlen);
+   ret += hlen;
+   }
+   }
+#endif
+
if ((extdatalen = ret-p-2)== 0) 
return p;
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

[Viktor Dukhovni]

On Thu, Apr 10, 2014 at 08:24:33PM +, Viktor Dukhovni wrote:

   openssl s_client -starttls smtp -ssl3 -connect migze121.migros.ch:25
  Protocol  : SSLv3
  Cipher: DHE-RSA-AES256-SHA
 
 As expected, this works because SSLv3 sends no extensions.

When I test with Postfix and 1.0.1g and the full set of TLSv1.2
cipher-suites the client HELLO length exceeds 256 bytes and the
padding extension kicks in, this triggers the decode alert from
migros.ch:

 220 migze121.migros.ch ESMTP
 EHLO amnesiac.local
 250-migze121.migros.ch
 250-8BITMIME
 250-SIZE 47185920
 250 STARTTLS
 STARTTLS
 220 Go ahead with TLS
SSL_connect:before/connect initialization
write to 01F36460 [01F623E0] (517 bytes = 517 (0x205))
SSL_connect:SSLv2/v3 write client hello A
read from 01F36460 [01F67940] (7 bytes = 7 (0x7))
 15 03 01 00 02 02 32 ..2
SSL3 alert read:fatal:decode error
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect error to migze121.migros.ch[146.67.146.31]:25: -1
warning: TLS library problem: error:1407741A:SSL routines:
SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:

  Another Domain with the same problem: mx02.jhcn.net
 
 Thanks, I'll also test these with Postfix.

When I truncate the cipherlist to HIGH+AES:@STRENGTH, the client
HELLO is short enough to not trigger padding and the connection
succeeds:

 220 migze121.migros.ch ESMTP
 EHLO amnesiac.local
 250-migze121.migros.ch
 250-8BITMIME
 250-SIZE 47185920
 250 STARTTLS
 STARTTLS
 220 Go ahead with TLS
SSL_connect:before/connect initialization
write to 01D69130 [01D78170] (253 bytes = 253 (0xFD))
SSL_connect:SSLv2/v3 write client hello A
read from 01D69130 [01D7D6D0] (7 bytes = 7 (0x7))
 16 03 01 00 35 025.
read from 01D69130 [01D7D6DA] (51 bytes = 51 (0x33))
SSL_connect:SSLv3 read server hello A
read from 01D69130 [01D7D6D3] (5 bytes = 5 (0x5))
 16 03 01 03 8b   .
read from 01D69130 [01D7D6D8] (907 bytes = 907 (0x38B))
SSL_connect:SSLv3 read server certificate A
read from 01D69130 [01D7D6D3] (5 bytes = 5 (0x5))
read from 01D69130 [01D7D6D8] (397 bytes = 397 (0x18D))
SSL_connect:SSLv3 read server key exchange A
read from 01D69130 [01D7D6D3] (5 bytes = 5 (0x5))
read from 01D69130 [01D7D6D8] (4 bytes = 4 (0x4))
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
write to 01D69130 [01D8B090] (198 bytes = 198 (0xC6))
SSL_connect:SSLv3 flush data
read from 01D69130 [01D7D6D3] (5 bytes = 5 (0x5))
read from 01D69130 [01D7D6D8] (202 bytes = 202 (0xCA))
SSL_connect:SSLv3 read server session ticket A
read from 01D69130 [01D7D6D3] (5 bytes = 5 (0x5))
read from 01D69130 [01D7D6D8] (1 bytes = 1 (0x1))
read from 01D69130 [01D7D6D3] (5 bytes = 5 (0x5))
read from 01D69130 [01D7D6D8] (48 bytes = 48 (0x30))
SSL_connect:SSLv3 read finished A
Untrusted TLS connection established to 
migze121.migros.ch[146.67.146.31]:25: TLSv1 with cipher DHE-RSA-AES256-SHA 
(256/256 bits)

So it seems that the F5 work-around breaks interoperability with
some Ironport systems...  Ironport and F5 need to fight it out to
see who can fix their customer's appliances sooner to not require
the extension.  The extension may need an SSL_OP_... control bit
that applications can use to disable it.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl update

[Jeremy Farrell]

Read the file called README.

 

Regards,

   jjf

 

From: Harris, Steve D [mailto:steved.har...@fda.hhs.gov] 
Sent: Tuesday, July 09, 2013 3:26 PM
To: openssl-users@openssl.org
Subject: Openssl update

 

How do you install openssl on AIX

 

I have downloaded the latest 

I have unzip the file

And tar command 

I have a directory with the data

What do I do next

 

Steve