On 12/04/17 17:39, Giovanni Bechis wrote:
> On 12/04/17 17:27, Joel Sing wrote:
>> On Monday 04 December 2017 13:19:41 Giovanni Bechis wrote:
>>> On 11/10/17 17:46, Joel Sing wrote:
>>> [...]
>>>
>>>> I suspect this is going to be difficult to track down without being able
>>>> to see what is on the wire (tcpdump or 'smtpd_tls_loglevel = 3' in
>>>> postfix) or being able to reproduce/trigger TLS sessions from the client.
>>>
>>> postfix log file with 'smtpd_tls_loglevel = 3' attached.
>>> Thanks & Cheers
>>> Giovanni
>>
>> Looking at this more closely, it is actually a different problem from the
>> originally reported issue (wrong version number):
>>
>> Dec 4 13:09:30 thor postfix/smtpd[91646]: connect from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: setting up TLS connection from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:before/accept initialization
>> ...
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client hello B
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server hello A
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write certificate A
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write key exchange A
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server done A
>> ...
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 flush data
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client certificate A
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => 5 (0x5))
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 15 03 03 00 02 .....
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA008] (2 bytes => 2 (0x2))
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 02 2e ..
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL3 alert read:fatal:certificate unknown
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:failed in SSLv3 read client key exchange A
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept error from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: 0
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: warning: TLS library problem: error:14037416:SSL routines:ACCEPT_SR_KEY_EXCH:sslv3 alert certificate unknown:/usr/src/lib/libssl/ssl_pkt.c:1205:SSL alert number 46:
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: lost connection after STARTTLS from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
>> Dec 4 13:09:31 thor postfix/smtpd[91646]: disconnect from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42] ehlo=1 starttls=0/1 commands=1/2
>>
>> In this case the client hello has been received and the server
>> hello/certificate/key exchange/done has been sent, before the other side
>> responds with a "certificate unknown" alert - this suggests that the TLS
>> client is actually expecting to do some form of certificate verification
>> and this is failing.
>>
> I have both problems in my logs.
> First problem seems fixed with your patch, "certificate unknown" still exists.
>
>> Was this working prior to OpenBSD 6.2?
>>
> yep, it started failing after 6.2 upgrade.
> Anyway I will rebuild libssl and come back soon.
> Cheers
> Giovanni
>
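The two hex-dump lines in the quoted log (`15 03 03 00 02` followed by `02 2e`) are the raw TLS record that Joel's reading of the trace rests on. The following decoder is an added example, not code from the thread or from Postfix/LibreSSL: it pulls the bytes out of `smtpd_tls_loglevel = 3` dump lines, splits the 5-byte record header from the body, and maps the alert level and description to their RFC 5246 names. The sample log lines are constructed to mirror the quoted ones; the table of alert descriptions is the RFC 5246 list, and the regex assumes Postfix's dump layout of one space between hex pairs and a wider gap before the ASCII column.

```python
"""Decode a TLS alert record from Postfix smtpd_tls_loglevel=3 hex-dump lines."""
import re
from dataclasses import dataclass

# Record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Record-layer protocol versions. 0x0303 is TLS 1.2 even though the libssl
# state machine names its handshake states "SSLv3 ..." in the log.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Alert levels and descriptions (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Constructed sample, modelled on the loglevel-3 lines quoted in the thread:
# a 5-byte record-header dump followed by a 2-byte alert-body dump.
SAMPLE_LOG = """\
Dec  4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => 5 (0x5))
Dec  4 13:09:31 thor postfix/smtpd[91646]: 0000 15 03 03 00 02                                  .....
Dec  4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA008] (2 bytes => 2 (0x2))
Dec  4 13:09:31 thor postfix/smtpd[91646]: 0000 02 2e                                           ..
"""

# A dump line is "<4-hex offset> <hex pair> <hex pair> ..." right after the
# process tag. Pairs are separated by exactly one space, so the wider gap
# before the ASCII column terminates the match (assumption about the layout).
HEXDUMP_RE = re.compile(r"\]: ([0-9a-f]{4}) ((?:[0-9a-f]{2} )*[0-9a-f]{2})")


def extract_dump_bytes(log_text: str) -> bytes:
    """Concatenate the bytes of every hex-dump line, in log order."""
    out = bytearray()
    for line in log_text.splitlines():
        m = HEXDUMP_RE.search(line)
        if m:
            out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


@dataclass
class TlsRecord:
    content_type: int
    version: tuple
    length: int
    payload: bytes


def parse_record(data: bytes) -> TlsRecord:
    """Split one TLS record into its 5-byte header and its payload."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type = data[0]
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError(f"record claims {length} bytes, only {len(payload)} present")
    return TlsRecord(content_type, version, length, payload)


def describe_alert(record: TlsRecord) -> dict:
    """Interpret an alert record; rejects anything that is not a 2-byte alert."""
    if record.content_type != 21:
        name = CONTENT_TYPES.get(record.content_type, "unknown")
        raise ValueError(f"not an alert record: content type {record.content_type} ({name})")
    if record.length != 2:
        raise ValueError(f"alert body must be 2 bytes, got {record.length}")
    level, description = record.payload  # iterating bytes yields ints
    return {
        "version": VERSIONS.get(record.version, f"unknown {record.version}"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "number": description,
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


def decode_alert_from_log(log_text: str) -> dict:
    """Dump lines -> record bytes -> parsed record -> alert meaning."""
    return describe_alert(parse_record(extract_dump_bytes(log_text)))


if __name__ == "__main__":
    print(decode_alert_from_log(SAMPLE_LOG))
```

Run against the sample this yields a TLSv1.2 record carrying a fatal alert number 46, `certificate_unknown`, which is the same value the `SSL alert number 46` in the libssl error string reports. The distinction from neighbouring codes matters when reading such traces: 48 (`unknown_ca`) would point at a missing chain or trust anchor, whereas 46 is the client's catch-all for a certificate it could not process, so the next step is to look at what the sending MTA verifies rather than at the server's handshake state.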
