Follow-up: do not test with new tools.

So, as a few folks rightly pointed me to it off-list... but my brain did not 
click to this old issue... it is all because of the short key.

I think it was discussed on swinog before, but I'll add it again, as I found 
the ticket where I reminded myself about it but that was from July 2019...

Due to the logjam attack OpenSSL (especially on Debian) disabled DH keys <= 
1024 bytes.
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://lists.debian.org/debian-lts-announce/2015/06/msg00013.html

8<----
Additionally OpenSSL will now reject handshakes using DH parameters
shorter than 768 bits as a countermeasure against the Logjam attack
(CVE-2015-4000).
------>8

(Yes, it is 2021 today, that is from 2015....)


Thus if you want to test if that server works, disabling DH avoids it:

openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587 -starttls smtp


So, reminder: if you properly run new tools, you might have to work around 
servers that are still planning to upgrade.

And in the end the origin of the issue was a DNS issue caused by a route 
reflection issue causing a variety of routes not to be available and yes, then 
things do not work as expected... it is always DNS, except when it is IP :)


PS: This seems unrelated to the IPv6 issue with the F5, even though it appears 
both systems run behind an F5.

Greets,
 Jeroen


--

Sidenote, without directly doing the starttls, your connection will be dropped 
too:

$ openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587
CONNECTED(00000003)
140142292489536:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 298 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

With starttls it will work..... timing is key too...

$ openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587 -starttls smtp
CONNECTED(00000003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
verify return:1
depth=0 C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
verify return:1
---
Certificate chain
 0 s:C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
   i:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
---
Server certificate
subject=C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch

issuer=C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22

---
No client certificate CA names sent
---
SSL handshake has read 4203 bytes and written 649 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 841356BCF8F6EA40AC1A15F7A37FD208D2E75A7FC535E7708360C4F5F08FA299
    Session-ID-ctx:
    Master-Key: 370027791AB4632F97E331F68C3B4666EA51194E164A9E4D9003316636F37A2FEAFF7203CD9A880BEE6EBBBF7AB9D1DE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615478122
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 STARTTLS



_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
