On 12/04/17 17:27, Joel Sing wrote:
> On Monday 04 December 2017 13:19:41 Giovanni Bechis wrote:
>> On 11/10/17 17:46, Joel Sing wrote:
>> [...]
>>
>>> I suspect this is going to be difficult to track down without being able
>>> to see what is on the wire (tcpdump or 'smtpd_tls_loglevel = 3' in
>>> postfix) or being able to reproduce/trigger TLS sessions from the client.
>>
>> postfix log file with 'smtpd_tls_loglevel = 3' attached.
>> Thanks & Cheers
>> Giovanni
>
> Looking at this more closely, it is actually a different problem from the
> originally reported issue (wrong version number):
>
> Dec 4 13:09:30 thor postfix/smtpd[91646]: connect from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
> Dec 4 13:09:31 thor postfix/smtpd[91646]: setting up TLS connection from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
> Dec 4 13:09:31 thor postfix/smtpd[91646]: sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:before/accept initialization
> ...
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client hello B
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server hello A
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write certificate A
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write key exchange A
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server done A
> ...
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 flush data
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client certificate A
> Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
> Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => 5 (0x5))
> Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 15 03 03 00 02      .....
> Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA008] (2 bytes => 2 (0x2))
> Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 02 2e      ..
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL3 alert read:fatal:certificate unknown
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:failed in SSLv3 read client key exchange A
> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept error from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: 0
> Dec 4 13:09:31 thor postfix/smtpd[91646]: warning: TLS library problem: error:14037416:SSL routines:ACCEPT_SR_KEY_EXCH:sslv3 alert certificate unknown:/usr/src/lib/libssl/ssl_pkt.c:1205:SSL alert number 46:
> Dec 4 13:09:31 thor postfix/smtpd[91646]: lost connection after STARTTLS from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
> Dec 4 13:09:31 thor postfix/smtpd[91646]: disconnect from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42] ehlo=1 starttls=0/1 commands=1/2
>
> In this case the client hello has been received and the server
> hello/certificate/key exchange/done has been sent, before the other side
> responds with a "certificate unknown" alert - this suggests that the TLS
> client is actually expecting to do some form of certificate verification
> and this is failing.
>
I have both problems in my logs.
> Was this working prior to OpenBSD 6.2?
>
yep, it started failing after the 6.2 upgrade.
Anyway I will rebuild libssl and come back soon.
Cheers
Giovanni
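The two hexdump lines in Joel's quoted log (15 03 03 00 02 followed by 02 2e) are a complete TLS record, and reading them by hand is how the "certificate unknown" conclusion above was reached. The following script does that decoding for any smtpd_tls_loglevel = 3 log: it rebuilds the byte stream from the "0000 xx xx ..." dump lines and parses it as TLS records, naming the alert level and description. It is an added example, not code from Postfix, LibreSSL or this thread; the sample log lines are constructed from the dump quoted above with the mail client's line wrapping undone, and the script assumes Postfix's dump lines have the form "offset, hex bytes, padding, ASCII" as in that sample.

```python
"""Decode TLS records from Postfix 'smtpd_tls_loglevel = 3' hexdump lines.

Added example for this thread, not Postfix code. Assumes hexdump lines look
like "... postfix/smtpd[PID]: 0000 15 03 03 00 02      ....." (offset, hex
bytes, padding, ASCII), as in the constructed SAMPLE_LOG below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# TLS record content types (RFC 5246 6.2.1) and alert descriptions (RFC 5246 7.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

# One dump line: PID, 4-hex-digit offset, then one or more " xx" byte pairs.
# The lookahead stops the byte run at the padding before the ASCII column.
HEXDUMP_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<offset>[0-9a-f]{4})(?P<hex>(?: [0-9a-f]{2})+)(?=\s|$)"
)


@dataclass
class TlsRecord:
    content_type: int
    major: int
    minor: int
    length: int        # length declared in the 5-byte record header
    body: bytes        # what was actually captured (may be shorter than length)
    truncated: bool = False

    def version_name(self) -> str:
        if (self.major, self.minor) == (3, 0):
            return "SSLv3"
        if self.major == 3 and 1 <= self.minor <= 4:
            return "TLS 1.%d" % (self.minor - 1)
        return "unknown version %d.%d" % (self.major, self.minor)

    def describe(self) -> str:
        kind = CONTENT_TYPES.get(self.content_type)
        if kind is None:
            # Not a TLS header at all, e.g. plaintext SMTP still on the wire.
            return "not a TLS record (first byte 0x%02x)" % self.content_type
        if self.truncated:
            return "%s %s record, %d bytes declared, only %d captured" % (
                self.version_name(), kind, self.length, len(self.body))
        if kind == "alert" and len(self.body) == 2:
            level, desc = self.body[0], self.body[1]
            return "%s alert: %s %s (alert number %d)" % (
                self.version_name(), ALERT_LEVELS.get(level, "level %d" % level),
                ALERT_DESCRIPTIONS.get(desc, "unknown"), desc)
        return "%s %s record, %d bytes" % (self.version_name(), kind, self.length)


def extract_bytes(log_lines, pid: Optional[int] = None) -> bytes:
    """Concatenate the dumped bytes in log order, optionally for one smtpd PID only."""
    out = bytearray()
    for line in log_lines:
        m = HEXDUMP_RE.search(line)
        if m is None or (pid is not None and int(m.group("pid")) != pid):
            continue
        out += bytes.fromhex(m.group("hex"))   # fromhex ignores the spaces
    return bytes(out)


def parse_records(data: bytes) -> List[TlsRecord]:
    """Split a byte stream into TLS records: type, version(2), length(2), body."""
    records: List[TlsRecord] = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        rec = TlsRecord(ctype, major, minor, length, body, truncated=len(body) < length)
        records.append(rec)
        if rec.truncated or ctype not in CONTENT_TYPES:
            break   # framing cannot be trusted past this point
        pos += 5 + length
    return records


def decode_log(log_lines, pid: Optional[int] = None) -> List[str]:
    return [r.describe() for r in parse_records(extract_bytes(log_lines, pid))]


# Constructed sample: the dump quoted in the thread with line wrapping undone.
SAMPLE_LOG = [
    "Dec  4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))",
    "Dec  4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => 5 (0x5))",
    "Dec  4 13:09:31 thor postfix/smtpd[91646]: 0000 15 03 03 00 02                                  .....",
    "Dec  4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA008] (2 bytes => 2 (0x2))",
    "Dec  4 13:09:31 thor postfix/smtpd[91646]: 0000 02 2e                                           ..",
]

if __name__ == "__main__":
    for line in decode_log(SAMPLE_LOG, pid=91646):
        print(line)
```

On the sample this prints "TLS 1.2 alert: fatal certificate_unknown (alert number 46)", matching the "SSL alert number 46" in the warning line. Two things worth noting when reading such dumps: the record header's version bytes (03 03) show the peer is speaking TLS 1.2 even though the SSL_accept state names say "SSLv3 read client hello", because libssl uses one state machine, with SSLv3 names, for SSLv3 and every TLS version; and a 5-byte read that returns -1 carries no data, so the decoder only consumes the dump lines that follow a successful read.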