NetBSD Problem Report #45639
From rhialto@falu.nl Mon Nov 21 19:56:52 2011
Return-Path: <rhialto@falu.nl>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 0CE2463CD43
for <gnats-bugs@gnats.NetBSD.org>; Mon, 21 Nov 2011 19:56:52 +0000 (UTC)
Message-Id: <201111211956.pALJuk2E011131@radl.falu.nl>
Date: Mon, 21 Nov 2011 20:56:46 +0100 (CET)
From: rhialto@falu.nl
Reply-To: rhialto@falu.nl
To: gnats-bugs@gnats.NetBSD.org
Cc: rhialto@falu.nl
Subject: STARTTLS fails sometimes with builtin OpenSSL
X-Send-Pr-Version: 3.95
>Number: 45639
>Category: bin
>Synopsis: STARTTLS fails sometimes with builtin OpenSSL
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Nov 21 20:00:09 +0000 2011
>Closed-Date: Wed Nov 13 21:30:08 +0000 2019
>Last-Modified: Wed Nov 13 21:30:08 +0000 2019
>Originator: Rhialto
>Release: NetBSD 5.1
>Organization:
>Environment:
System: NetBSD radl.falu.nl 5.1 NetBSD 5.1 (Radl-s_Pervasion_of_the_Incorrect_Chord) #0: Mon Jan 24 20:25:13 CET 2011 root@vargaz.falu.nl:/usr/src/sys/arch/amd64/compile/RADL5.1 amd64
Architecture: x86_64
Machine: amd64
>Description:
I had some mail to a mailbox @tele2.nl. Last weekend they did
some work on their mail server, and since then, my sendmail
(from pkgsrc-2011Q3) fails when it tries the STARTTLS command.
$ sudo sendmail -v -q
Running /var/spool/mqueue/pALFphxl017089 (sequence 1 of 1)
<khrjhdsrjkhsdjkf@tele2.nl>... Connecting to smtp.tele2.nl. via esmtp...
220 mailfe06.swip.net ESMTP 5.4.2
>>> EHLO smtp.falu.nl
250-mailfe06.swip.net is pleased to meet you
250-DSN
250-SIZE 314572800
250-STARTTLS
250-AUTH LOGIN PLAIN
250-ETRN
250-TURN
250-ATRN
250-NO-SOLICITING
250-8BITMIME
250-HELP
250-PIPELINING
250 EHLO
>>> STARTTLS
220 please start a TLS connection
<khrjhdsrjkhsdjkf@tele2.nl>... Deferred: 403 4.7.0 TLS handshake failed.
Closing connection to smtp.tele2.nl.
$
The mail log file gives a little bit more detail:
Nov 21 16:57:47 radl sendmail[6980]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Nov 21 16:57:47 radl sendmail[6980]: STARTTLS=client: 6980:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:/home/builds/ab/netbsd-5-1-RELEASE/src/crypto/dist/openssl/ssl/s3_clnt.c:906:
Nov 21 16:57:47 radl sendmail[6980]: ruleset=tls_server, arg1=SOFTWARE, relay=smtp.tele2.nl, reject=403 4.7.0 TLS handshake failed.
Nov 21 16:57:47 radl sendmail[6980]: pALFphxl017089: to=<khrjhdsrjkhsdjkf@tele2.nl>, ctladdr=<rhialto@radl.falu.nl> (1000/1000), delay=00:06:04, xdelay=00:00:03, mailer=esmtp, pri=570349, relay=smtp.tele2.nl. [212.247.156.14], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.
According to the 2nd line, apparently the NetBSD base system SSL library
thinks something is wrong with the data it receives. I don't think I've
seen this before but of course it might be a bug in this version of
OpenSSL that simply wasn't triggered before.
Indeed, when I re-compile sendmail using OpenSSL from pkgsrc (I added
"PREFER.openssl=pkgsrc" to its options.mk file), the above scenario went
fine:
Nov 21 20:39:46 radl sm-mta[17675]: STARTTLS=client, relay=smtp.tele2.nl., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Nov 21 20:39:48 radl sm-mta[17675]: pALJdhjB026543: to=<kssdkfjdhfjkhfkhkhlsdajkh@tele2.nl>, ctladdr=<rhialto@radl.falu.nl> (1000/1000), delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=30367, relay=smtp.tele2.nl. [212.247.156.14], dsn=5.1.1, stat=User unknown
Nov 21 20:39:50 radl sm-mta[17675]: pALJdhjB026543: pALJdojB017675: DSN: User unknown
Nov 21 20:39:50 radl sm-mta[17675]: pALJdojB017675: to=<rhialto@radl.falu.nl>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31529, dsn=2.0.0, stat=Sent
>How-To-Repeat:
Send mail to somebody@tele2.nl, using STARTTLS, with sendmail
compiled with the base system (5.1) OpenSSL.
>Fix:
Workaround: Use the pkgsrc version.
Fix: should probably be in the base system OpenSSL.
-Olaf.
--
___ Olaf 'Rhialto' Seibert -- There's no point being grown-up if you
\X/ rhialto/at/xs4all.nl -- can't be childish sometimes. -The 4th Doctor
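The sendmail log lines quoted above carry enough to tell a failed STARTTLS handshake apart from a session that went through but accepted an unverifiable certificate (verify=FAIL). The following Python is an added example, not part of this PR, of sendmail or of OpenSSL: it parses constructed log lines patterned on the ones quoted here (hostnames, PIDs and queue IDs are made up) and splits the packed OpenSSL error code (error:14092073) into its library, function and reason fields the way ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON did for the 0.9.8/1.0 series that the report is about.

```python
import re

# Constructed sample patterned on the sendmail lines in the report; PIDs,
# queue IDs and hostnames are made up, the error string is the one reported.
SAMPLE_LOG = """\
Nov 21 16:57:47 radl sendmail[6980]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Nov 21 16:57:47 radl sendmail[6980]: STARTTLS=client: 6980:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:s3_clnt.c:906:
Nov 21 16:57:47 radl sendmail[6980]: ruleset=tls_server, arg1=SOFTWARE, relay=smtp.example.test, reject=403 4.7.0 TLS handshake failed.
Nov 21 20:39:46 radl sm-mta[17675]: STARTTLS=client, relay=smtp.example.test., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Nov 21 20:39:48 radl sm-mta[17675]: pALJdhjB026543: to=<x@example.test>, relay=smtp.example.test. [192.0.2.10], dsn=5.1.1, stat=User unknown
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)")
KV_RE = re.compile(r"(\w+)=([^,]+)")


def split_openssl_error(code):
    """Unpack an OpenSSL <= 1.1 error code: library in bits 24..31, function in
    bits 12..23, reason in the low 12 bits. (OpenSSL 3 dropped function codes and
    moved the library to bits 23..30; do not use this on codes from that series.)"""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_starttls_events(log_text):
    """Assemble per-PID STARTTLS=client outcomes from sendmail log lines.
    Failures span three lines (error summary, OpenSSL error, tls_server ruleset
    reject); successes are a single line with version/verify/cipher."""
    pending = {}   # pid -> failure being assembled
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if msg.startswith("STARTTLS=client, error:"):
            pending[pid] = {"pid": pid, "outcome": "failed"}
        elif msg.startswith("STARTTLS=client:"):
            ev = pending.setdefault(pid, {"pid": pid, "outcome": "failed"})
            e = OSSL_RE.search(msg)
            if e:
                code = int(e["code"], 16)
                lib, func, reason = split_openssl_error(code)
                ev.update(openssl_error=code, lib=lib, func=func, reason=reason,
                          func_name=e["func"], reason_text=e["reason"])
        elif msg.startswith("ruleset=tls_server"):
            ev = pending.pop(pid, {"pid": pid, "outcome": "failed"})
            ev.update(dict(KV_RE.findall(msg)))          # ruleset, arg1, relay, reject
            events.append(ev)
        elif msg.startswith("STARTTLS=client, relay="):
            ev = {"pid": pid, "outcome": "ok"}
            ev.update(dict(KV_RE.findall(msg[len("STARTTLS=client, "):])))
            # Opportunistic TLS: the session succeeded but the peer was not verified.
            ev["flag"] = None if ev.get("verify") == "OK" else "peer certificate not verified"
            events.append(ev)
    events.extend(pending.values())   # failures that never got a ruleset line
    return events


def failures_by_relay(events):
    """Failed handshakes per relay: the thing to alert on when one destination
    starts failing right after a change on either side, as in this report."""
    counts = {}
    for ev in events:
        if ev["outcome"] == "failed":
            relay = ev.get("relay", "?")
            counts[relay] = counts.get(relay, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_starttls_events(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(failures_by_relay(evs))
```

Library 20 is ERR_LIB_SSL, and the function and reason numbers line up with the SSL3_GET_SERVER_HELLO / bad packet length names that sendmail already printed, so the decoder is mainly useful for lines where only the hex code survived (syslog truncation, or a different logger).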
>Release-Note:
>Audit-Trail:
From: Thomas Klausner <wiz@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL
Date: Tue, 22 Nov 2011 00:30:33 +0100
On Mon, Nov 21, 2011 at 08:00:09PM +0000, rhialto@falu.nl wrote:
> >Number: 45639
> >Category: bin
> >Synopsis: STARTTLS fails sometimes with builtin OpenSSL
Could this issue be another case of the "bad TLS1.1 support"?
See e.g.
https://bitbucket.org/site/master/issue/2552/problem-checking-out-with-tlsv11
Thomas
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, rhialto@falu.nl
Subject: Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL
Date: Tue, 22 Nov 2011 01:34:44 +0100
On Mon 21 Nov 2011 at 23:35:02 +0000, Thomas Klausner wrote:
> Could this issue be another case of the "bad TLS1.1 support"?
>
> See e.g.
> https://bitbucket.org/site/master/issue/2552/problem-checking-out-with-tlsv11
If I understand that reference correctly, using the -tls1 option means
that TLS1.1 is not used? So, adding -tls1 should make the issue better?
I see exactly the opposite, though, when I use /usr/bin/openssl.
$ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp -tls1
CONNECTED(00000003)
140187688595268:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:/home/builds/ab/netbsd-5-1-RELEASE/src/crypto/dist/openssl/ssl/s3_clnt.c:906:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 374 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID: 001215364ECAE3B2A8DF9F2833C113B29988EF39A71891DA611C8F31871848E0
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1321919410
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
$
but if I leave out the -tls1 option I get
$ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp
CONNECTED(00000003)
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF8jCCBNqgAwIBAgIRAKxAFqoIeVvY/rKWtrU54HAwDQYJKoZIhvcNAQEFBQAw
...
6AeDm142pfuFbXcYCp+QeavBQFWNT4h1UqXe/1LqUqm7C9cftao=
-----END CERTIFICATE-----
subject=/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
No client certificate CA names sent
---
SSL handshake has read 3146 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 0012B8C04ECAE3D5A33EA027E403C4789222FCBF06BA5DD834BE080F6A27F54C
Session-ID-ctx:
Master-Key: CCED98E919799672F48FB37C680B5EE1BA59F5B8ED4B71F5B9D91B0998FE7B497E342F59A498AF08BED8023BF5A507C5
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1321919445
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 EHLO
help
214-Commands Supported:
214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY ATRN STARTTLS
214-Copyright (c) 1995-2011, Stalker Software, Inc.
214-
214 End Of Help
DONE
With /usr/pkg/bin/openssl ... -tls1, it works.
The postmaster at tele2.nl tried something similar with his version of
openssl, without -tls1 option, and it worked for him (but he got a
"Protocol : SSLv3" connection).
I tried to find out what version netbsd's version of openssl is, but it
seems to be something like "0.9.9 plus own set of patches". The pkgsrc
version would then be older, being 0.9.8q nb3.
> Thomas
-Olaf.
--
___ Olaf 'Rhialto' Seibert -- There's no point being grown-up if you
\X/ rhialto/at/xs4all.nl -- can't be childish sometimes. -The 4th Doctor
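The s_client transcripts in this reply and the sendmail session in the original report are the same exchange: EHLO, check that STARTTLS is advertised, send STARTTLS, expect a 220, then start the TLS handshake on the same TCP connection. The Python below is an added example (not code from this PR, from sendmail or from OpenSSL) that performs that exchange against an in-process mock server which sends an unfinished handshake record after STARTTLS and hangs up. The bytes the real tele2 server sent are not on this page, so the mock only reproduces the symptom, a failed handshake, not the actual cause; the EHLO reply, hostnames and junk ServerHello are constructed. On handshake failure the client defers the message rather than retrying in cleartext, which is my choice for the example and matches the 403 4.7.0 deferral in the report's log.

```python
import io
import socket
import ssl
import threading

# Constructed EHLO reply patterned on the tele2 transcript; not a real capture.
EHLO_REPLY = (b"250-mx.example.test is pleased to meet you\r\n"
              b"250-SIZE 314572800\r\n"
              b"250-STARTTLS\r\n"
              b"250-AUTH LOGIN PLAIN\r\n"
              b"250 HELP\r\n")

# Constructed junk: a handshake record (type 0x16, version 3.1, length 4) whose
# ServerHello header promises 0x1000 bytes that never arrive.
BROKEN_SERVER_HELLO = b"\x16\x03\x01\x00\x04" + b"\x02\x00\x10\x00"


def read_reply(rfile):
    """Read one possibly multi-line SMTP reply (RFC 5321 4.2.1) from a binary
    file object; return (code, [text of each line])."""
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # "250 " ends the reply, "250-" continues it
            return int(line[:3]), texts


def reply_from_bytes(data):
    """Parse a reply held in memory (used for testing read_reply)."""
    return read_reply(io.BytesIO(data))


def ehlo_keywords(texts):
    """EHLO keywords advertised after the greeting line, upper-cased."""
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}


def deliver_over_starttls(host, port, helo_name="smtp.example.test", ctx=None):
    """EHLO, then STARTTLS if advertised. Returns {'status', 'reason', 'caps'};
    status is 'sent' or 'deferred'. A failed handshake defers and nothing is
    retried in cleartext (my policy here; sendmail's comes from its tls_server ruleset)."""
    ctx = ctx or ssl.create_default_context()   # strict verification; opportunistic MTAs relax this
    sock = socket.create_connection((host, port), timeout=5)
    rfile = sock.makefile("rb")
    try:
        code, _ = read_reply(rfile)
        if code != 220:
            return {"status": "deferred", "reason": "bad banner %d" % code, "caps": set()}
        sock.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
        code, texts = read_reply(rfile)
        caps = ehlo_keywords(texts) if code == 250 else set()
        if "STARTTLS" not in caps:
            return {"status": "deferred", "reason": "STARTTLS not offered", "caps": caps}
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            return {"status": "deferred", "reason": "STARTTLS refused with %d" % code, "caps": caps}
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)   # ClientHello goes out here
        except OSError as exc:   # ssl.SSLError, SSLEOFError and a TCP reset are all OSError
            return {"status": "deferred", "caps": caps,
                    "reason": "TLS handshake failed: %s" % type(exc).__name__}
        tls.close()   # a real client would re-EHLO over tls and send MAIL FROM here
        return {"status": "sent", "reason": "", "caps": caps}
    finally:
        rfile.close()
        sock.close()


def mock_broken_starttls_server(received):
    """Speak SMTP up to STARTTLS on 127.0.0.1, answer the ClientHello with
    BROKEN_SERVER_HELLO and hang up. Client commands go into `received` so a
    caller can prove no MAIL FROM was sent in the clear. Returns (port, thread)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        lsock.close()
        conn.settimeout(5)
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mx.example.test ESMTP mock\r\n")
        for reply in (EHLO_REPLY, b"220 please start a TLS connection\r\n"):
            received.append(rfile.readline().decode("ascii", "replace").strip())
            conn.sendall(reply)
        try:
            conn.recv(65536)                  # the ClientHello
            conn.sendall(BROKEN_SERVER_HELLO)
        except OSError:
            pass
        rfile.close()
        conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def demo():
    """Run the client against the mock; returns (client outcome, commands the mock saw)."""
    received = []
    port, t = mock_broken_starttls_server(received)
    result = deliver_over_starttls("127.0.0.1", port)
    t.join(5)
    return result, received


if __name__ == "__main__":
    print(demo())
```

Pointing deliver_over_starttls at a real MX (with a context whose verification policy matches what you actually want) gives the same yes/no answer as the s_client runs above, with the bonus that the capability parsing is explicit: a server that drops STARTTLS from its EHLO reply is reported as "STARTTLS not offered" rather than silently sending mail in the clear.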
State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 13 Nov 2019 20:10:16 +0000
State-Changed-Why:
Is this a current issue, too? (All the versions discussed here are very old.)
State-Changed-From-To: feedback->closed
State-Changed-By: rhialto@NetBSD.org
State-Changed-When: Wed, 13 Nov 2019 21:30:08 +0000
State-Changed-Why:
The bug is very old, and I don't have that email provider any more.
>Unformatted: