NetBSD Problem Report #45639

From rhialto@falu.nl  Mon Nov 21 19:56:52 2011
Return-Path: <rhialto@falu.nl>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 0CE2463CD43
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 21 Nov 2011 19:56:52 +0000 (UTC)
Message-Id: <201111211956.pALJuk2E011131@radl.falu.nl>
Date: Mon, 21 Nov 2011 20:56:46 +0100 (CET)
From: rhialto@falu.nl
Reply-To: rhialto@falu.nl
To: gnats-bugs@gnats.NetBSD.org
Cc: rhialto@falu.nl
Subject: STARTTLS fails sometimes with builtin OpenSSL
X-Send-Pr-Version: 3.95

>Number:         45639
>Category:       bin
>Synopsis:       STARTTLS fails sometimes with builtin OpenSSL
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 21 20:00:09 +0000 2011
>Closed-Date:    Wed Nov 13 21:30:08 +0000 2019
>Last-Modified:  Wed Nov 13 21:30:08 +0000 2019
>Originator:     Rhialto
>Release:        NetBSD 5.1
>Organization:

>Environment:


System: NetBSD radl.falu.nl 5.1 NetBSD 5.1 (Radl-s_Pervasion_of_the_Incorrect_Chord) #0: Mon Jan 24 20:25:13 CET 2011 root@vargaz.falu.nl:/usr/src/sys/arch/amd64/compile/RADL5.1 amd64
Architecture: x86_64
Machine: amd64
>Description:
	I had some mail to a mailbox @tele2.nl. Last weekend they did
	some work on their mail server, and since then, my sendmail
	(from pkgsrc-2011Q3) fails when it tries the STARTTLS command.

$ sudo sendmail -v -q

Running /var/spool/mqueue/pALFphxl017089 (sequence 1 of 1)
<khrjhdsrjkhsdjkf@tele2.nl>... Connecting to smtp.tele2.nl. via esmtp...
220 mailfe06.swip.net ESMTP 5.4.2
>>> EHLO smtp.falu.nl
250-mailfe06.swip.net is pleased to meet you
250-DSN
250-SIZE 314572800
250-STARTTLS
250-AUTH LOGIN PLAIN
250-ETRN
250-TURN
250-ATRN
250-NO-SOLICITING
250-8BITMIME
250-HELP
250-PIPELINING
250 EHLO
>>> STARTTLS
220 please start a TLS connection
<khrjhdsrjkhsdjkf@tele2.nl>... Deferred: 403 4.7.0 TLS handshake failed.
Closing connection to smtp.tele2.nl.
$ 

The mail log file gives a little bit more detail:

Nov 21 16:57:47 radl sendmail[6980]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Nov 21 16:57:47 radl sendmail[6980]: STARTTLS=client: 6980:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:/home/builds/ab/netbsd-5-1-RELEASE/src/crypto/dist/openssl/ssl/s3_clnt.c:906:
Nov 21 16:57:47 radl sendmail[6980]: ruleset=tls_server, arg1=SOFTWARE, relay=smtp.tele2.nl, reject=403 4.7.0 TLS handshake failed.
Nov 21 16:57:47 radl sendmail[6980]: pALFphxl017089: to=<khrjhdsrjkhsdjkf@tele2.nl>, ctladdr=<rhialto@radl.falu.nl> (1000/1000), delay=00:06:04, xdelay=00:00:03, mailer=esmtp, pri=570349, relay=smtp.tele2.nl. [212.247.156.14], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

According to the 2nd line, apparently the NetBSD base system SSL library
thinks something is wrong with the data it receives. I don't think I've
seen this before but of course it might be a bug in this version of
OpenSSL that simply wasn't triggered before.

Indeed, when I re-compile sendmail using OpenSSL from pkgsrc (I added
"PREFER.openssl=pkgsrc" to its options.mk file), the above scenario went
fine:

Nov 21 20:39:46 radl sm-mta[17675]: STARTTLS=client, relay=smtp.tele2.nl., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Nov 21 20:39:48 radl sm-mta[17675]: pALJdhjB026543: to=<kssdkfjdhfjkhfkhkhlsdajkh@tele2.nl>, ctladdr=<rhialto@radl.falu.nl> (1000/1000), delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=30367, relay=smtp.tele2.nl. [212.247.156.14], dsn=5.1.1, stat=User unknown
Nov 21 20:39:50 radl sm-mta[17675]: pALJdhjB026543: pALJdojB017675: DSN: User unknown
Nov 21 20:39:50 radl sm-mta[17675]: pALJdojB017675: to=<rhialto@radl.falu.nl>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31529, dsn=2.0.0, stat=Sent



>How-To-Repeat:
	Send mail to somebody@tele2.nl, using STARTTLS, with sendmail
	compiled with the base system (5.1) OpenSSL.
>Fix:
	Workaround: Use the pkgsrc version.
	Fix: should probably be in the base system OpenSSL.

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert  -- There's no point being grown-up if you 
\X/ rhialto/at/xs4all.nl    -- can't be childish sometimes. -The 4th Doctor

>Release-Note:

>Audit-Trail:
From: Thomas Klausner <wiz@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL
Date: Tue, 22 Nov 2011 00:30:33 +0100

 On Mon, Nov 21, 2011 at 08:00:09PM +0000, rhialto@falu.nl wrote:
 > >Number:         45639
 > >Category:       bin
 > >Synopsis:       STARTTLS fails sometimes with builtin OpenSSL

 Could this issue be another case of the "bad TLS1.1 support"?

 See e.g.
 https://bitbucket.org/site/master/issue/2552/problem-checking-out-with-tlsv11

  Thomas

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, rhialto@falu.nl
Subject: Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL
Date: Tue, 22 Nov 2011 01:34:44 +0100

 On Mon 21 Nov 2011 at 23:35:02 +0000, Thomas Klausner wrote:
 >  Could this issue be another case of the "bad TLS1.1 support"?
 >  
 >  See e.g.
 >  https://bitbucket.org/site/master/issue/2552/problem-checking-out-with-tlsv11

 If I understand that reference correctly, using the -tls1 option means
 that TLS1.1 is not used? So, adding -tls1 should make the issue better?

 I see exactly the opposite, though, when I use /usr/bin/openssl.

 $ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp -tls1
 CONNECTED(00000003)
 140187688595268:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:/home/builds/ab/netbsd-5-1-RELEASE/src/crypto/dist/openssl/ssl/s3_clnt.c:906:
 ---
 no peer certificate available
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 374 bytes and written 0 bytes
 ---
 New, (NONE), Cipher is (NONE)
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : 0000
     Session-ID: 001215364ECAE3B2A8DF9F2833C113B29988EF39A71891DA611C8F31871848E0
     Session-ID-ctx: 
     Master-Key: 
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1321919410
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
 ---
 $ 

 but if I leave out the -tls1 option I get

 $ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp 
 CONNECTED(00000003)
 depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 verify error:num=20:unable to get local issuer certificate
 verify return:0
 ---
 Certificate chain
  0 s:/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
  1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIF8jCCBNqgAwIBAgIRAKxAFqoIeVvY/rKWtrU54HAwDQYJKoZIhvcNAQEFBQAw
 ...
 6AeDm142pfuFbXcYCp+QeavBQFWNT4h1UqXe/1LqUqm7C9cftao=
 -----END CERTIFICATE-----
 subject=/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
 issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 3146 bytes and written 551 bytes
 ---
 New, TLSv1/SSLv3, Cipher is AES256-SHA
 Server public key is 2048 bit
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 0012B8C04ECAE3D5A33EA027E403C4789222FCBF06BA5DD834BE080F6A27F54C
     Session-ID-ctx: 
     Master-Key: CCED98E919799672F48FB37C680B5EE1BA59F5B8ED4B71F5B9D91B0998FE7B497E342F59A498AF08BED8023BF5A507C5
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1321919445
     Timeout   : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
 ---
 250 EHLO
 help
 214-Commands Supported:
 214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY ATRN STARTTLS
 214-Copyright (c) 1995-2011, Stalker Software, Inc.
 214- 
 214 End Of Help
 DONE

 With /usr/pkg/bin/openssl ... -tls1, it works.
 The postmaster at tele2.nl tried something similar with his version of
 openssl, without -tls1 option, and it worked for him (but he got a
 "Protocol  : SSLv3" connection).

 I tried to find out what version NetBSD's version of openssl is, but it
 seems to be something like "0.9.9 plus own set of patches". The pkgsrc
 version would then be older, being 0.9.8q nb3.

 >   Thomas
 -Olaf.
 -- 
 ___ Olaf 'Rhialto' Seibert  -- There's no point being grown-up if you 
 \X/ rhialto/at/xs4all.nl    -- can't be childish sometimes. -The 4th Doctor
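
The comparison above (STARTTLS handshake with and without a TLS version restriction) can be scripted instead of run by hand with s_client. The following probe is an added example, not part of the PR or of NetBSD; the host name "probe.example" in the EHLO and the sample EHLO reply (copied from the report) are constructed, and certificate verification is deliberately disabled because the point is the handshake outcome, not validation.

```python
import socket
import ssl

# Constructed sample, taken from the EHLO exchange in the report; used to
# exercise parse_ehlo() without a network connection.
SAMPLE_EHLO = (
    "250-mailfe06.swip.net is pleased to meet you\r\n"
    "250-DSN\r\n"
    "250-SIZE 314572800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 EHLO\r\n"
)

def parse_ehlo(reply):
    """Return (ok, {KEYWORD: params}) for a multi-line EHLO reply."""
    lines = [l for l in reply.splitlines() if len(l) >= 4]
    if not lines or lines[0][:3] != "250":
        return False, {}
    exts = {}
    for line in lines[1:]:            # first line is "250-<domain> greeting"
        keyword, _, params = line[4:].partition(" ")
        exts[keyword.upper()] = params
    return True, exts

def read_reply(f):
    """Read one SMTP reply (single or multi-line) and return its text."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed connection")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":   # "250 " ends a multi-line reply
            return "".join(lines)

def probe_starttls(host, port=25, min_version=ssl.TLSVersion.TLSv1,
                   max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED, timeout=10):
    """EHLO, STARTTLS, then handshake restricted to [min_version, max_version].
    Returns the negotiated protocol and cipher, or the handshake error text,
    so runs with different version bounds can be compared side by side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # diagnostic only: we want the handshake
    ctx.verify_mode = ssl.CERT_NONE   # result, not certificate validation
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        read_reply(f)                                  # 220 banner
        sock.sendall(b"EHLO probe.example\r\n")
        ok, exts = parse_ehlo(read_reply(f))
        if not ok or "STARTTLS" not in exts:
            return {"error": "server does not offer STARTTLS"}
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(f).startswith("220"):
            return {"error": "STARTTLS refused"}
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"protocol": tls.version(), "cipher": tls.cipher()[0]}
        except ssl.SSLError as e:     # e.g. a "bad packet length" style failure
            return {"error": str(e)}
```

Calling probe_starttls() twice, once with max_version=ssl.TLSVersion.TLSv1 and once unrestricted, reproduces the -tls1 versus no-option comparison from the thread in one run.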

State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 13 Nov 2019 20:10:16 +0000
State-Changed-Why:
Is this a current issue, too? (All the versions discussed here are very old.)


State-Changed-From-To: feedback->closed
State-Changed-By: rhialto@NetBSD.org
State-Changed-When: Wed, 13 Nov 2019 21:30:08 +0000
State-Changed-Why:
The bug is very old, and I don't have that email provider any more.


>Unformatted:
