Daniel L. Miller | 26 Jun 2012 20:04

Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

After a recent Ubuntu server upgrade, the packaged versions of Postfix - 
using Ubuntu's "Precise" version, as well as the "security", "updates", 
and "backports" repositories - Postfix's TLS is broken with the known 
SSL version issue:

warning: TLS library problem: 4425:error:1408F10B:SSL 
routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:

I've tried a couple different main.cf settings, including:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

but the only option that has given me temporary functionality is:
smtpd_tls_security_level=none

Is there a way I can restore TLS functionality via configuration? Or is 
an updated Postfix, possibly a self-compiled version, my only option?
-- 
Daniel

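As an added example (not from the thread or from Postfix itself), a small Python log filter that picks the "TLS library problem" lines quoted above out of a Postfix mail log, decodes the packed OpenSSL error code, and tallies failures so a recurring "wrong version number" stands out; the sample log lines are constructed, and the ERR_PACK field layout and library number 20 for libssl are OpenSSL 1.0.x constants.

```python
import re

# Postfix logs a queued OpenSSL error as
#   warning: TLS library problem: <pid>:error:<hex>:<lib>:<func>:<reason>:<file>:<line>:
# The hex code is OpenSSL 1.0.x's ERR_PACK(lib, func, reason):
# bits 24-31 library, bits 12-23 function, bits 0-11 reason.
ERR_LIB_SSL = 20  # library 0x14, so codes 0x14xxxxxx come from libssl

TLS_WARNING_RE = re.compile(
    r"warning: TLS library problem: (?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# Constructed sample: the warning from the thread, joined onto one line with a
# syslog prefix, plus an unrelated line that the filter must skip.
SAMPLE_LOG = """\
Jun 26 10:58:01 mail postfix/smtpd[4425]: warning: TLS library problem: 4425:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
Jun 26 10:58:01 mail postfix/smtpd[4425]: lost connection after STARTTLS from unknown[192.0.2.10]
Jun 26 10:59:14 mail postfix/smtpd[4431]: warning: TLS library problem: 4431:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
"""


def unpack_error_code(code_hex):
    """Split a packed OpenSSL 1.0.x error code into its numeric fields."""
    value = int(code_hex, 16)
    return {"lib": value >> 24, "func": (value >> 12) & 0xFFF, "reason": value & 0xFFF}


def parse_tls_warning(line):
    """Return the fields of one 'TLS library problem' line, or None otherwise."""
    m = TLS_WARNING_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["line"] = int(rec["line"])
    rec["numeric"] = unpack_error_code(rec["code"])
    rec["from_libssl"] = rec["numeric"]["lib"] == ERR_LIB_SSL
    return rec


def count_by_failure(log_text):
    """Tally TLS warnings by (OpenSSL function, reason string)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_tls_warning(line)
        if rec is not None:
            key = (rec["func"], rec["reason"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (func, reason), n in count_by_failure(SAMPLE_LOG).items():
        print(f"{n:3d}  {func}: {reason}")
```

Pointing it at /var/log/mail.log (or the journal) instead of SAMPLE_LOG gives a quick count of how often the interoperability failure is actually hit before changing any TLS setting.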
Robert Schetterer | 26 Jun 2012 20:31

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

Am 26.06.2012 20:04, schrieb Daniel L. Miller:
> After a recent Ubuntu server upgrade, the packaged versions of Postfix -
> using Ubuntu's "Precise" version, as well as the "security", "updates",
> and "backports" repositories - Postfix's TLS is broken with the known
> SSL version issue:
> 
> warning: TLS library problem: 4425:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
> 
> I've tried a couple different main.cf settings, including:
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> 
> but the only option that has given me temporary functionality is:
> smtpd_tls_security_level=none
> 
> Is there a way I can restore TLS functionality via configuration? Or is
> an updated Postfix, possibly a self-compiled version, my only option?

have you read
http://www.postfix.org/TLS_README.html ?

in quantal

http://packages.ubuntu.com/search?keywords=postfix&searchon=names&suite=quantal&section=all

postfix is
2.9.3-2: amd64 i386

there should be a lot of tls fixes


Scott Kitterman | 26 Jun 2012 20:38

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

On Tuesday, June 26, 2012 11:04:16 AM Daniel L. Miller wrote:
> After a recent Ubuntu server upgrade, the packaged versions of Postfix -
> using Ubuntu's "Precise" version, as well as the "security", "updates",
> and "backports" repositories - Postfix's TLS is broken with the known
> SSL version issue:
> 
> warning: TLS library problem: 4425:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
> 
> I've tried a couple different main.cf settings, including:
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> 
> but the only option that has given me temporary functionality is:
> smtpd_tls_security_level=none
> 
> Is there a way I can restore TLS functionality via configuration? Or is
> an updated Postfix, possibly a self-compiled version, my only option?

I have it on my TODO list to do the testing to get the package updated to 
2.9.3 on Ubuntu 12.04, but haven't gotten to it yet.  Since you're interested, 
I went ahead and uploaded the package for test to my PPA at 
https://launchpad.net/~kitterman/+archive/ppa - It won't be compiled there yet 
since I just uploaded it, but it should be available later today or tomorrow.

Scott K

Chris | 26 Jun 2012 23:05

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

2012/6/26 Daniel L. Miller <dmiller <at> amfes.com>:
> After a recent Ubuntu server upgrade, the packaged versions of Postfix -
> using Ubuntu's "Precise" version, as well as the "security", "updates", and
> "backports" repositories - Postfix's TLS is broken with the known SSL
> version issue:
>
> warning: TLS library problem: 4425:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:

A general question:
Why is only postfix affected and not sendmail or exim?

--
Chris

Wietse Venema | 27 Jun 2012 02:42

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

Chris:
> 2012/6/26 Daniel L. Miller <dmiller <at> amfes.com>:
> > After a recent Ubuntu server upgrade, the packaged versions of Postfix -
> > using Ubuntu's "Precise" version, as well as the "security", "updates", and
> > "backports" repositories - Postfix's TLS is broken with the known SSL
> > version issue:
> >
> > warning: TLS library problem: 4425:error:1408F10B:SSL
> > routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
> 
> A general question:
> Why is only postfix affected and not sendmail or exim?

Says who?

OpenSSL 1.0.1 introduces new protocols (TLSv1.2 and TLSv1.1) that
don't work with some other implementations of those new protocols.

Postfix 2.9.2 introduces support to turn off the new protocols,
so that Postfix falls back to the ones that work.

	Wietse

Chris | 28 Jun 2012 15:16

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

2012/6/27 Wietse Venema <wietse <at> porcupine.org>:
> Chris:
>> 2012/6/26 Daniel L. Miller <dmiller <at> amfes.com>:
>> > After a recent Ubuntu server upgrade, the packaged versions of Postfix -
>> > using Ubuntu's "Precise" version, as well as the "security", "updates", and
>> > "backports" repositories - Postfix's TLS is broken with the known SSL
>> > version issue:
>> >
>> > warning: TLS library problem: 4425:error:1408F10B:SSL
>> > routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
>>
>> A general question:
>> Why is only postfix affected and not sendmail or exim?
>
> Says who?

Okay, I have seen nothing on the sendmail mailing list.

>
> OpenSSL 1.0.1 introduces new protocols (TLSv1.2 and TLSv1.1) that
> don't work with some other implementations of those new protocols.
>
> Postfix 2.9.2 introduces support to turn off the new protocols,
> so that Postfix falls back to the ones that work.

Turning off the new protocols is only an interim solution?

--
Chris


Wietse Venema | 28 Jun 2012 15:32

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

Wietse:
> Postfix 2.9.2 introduces support to turn off the new [TLSv1.2 and
> TLSv1.1] protocols, so that Postfix falls back to the ones that
> work.

Chris:
> Turning off the new protocols is only an interim solution?

No due date is given for global TLSv1.2 and TLSv1.1 inter-operability,
so you'll have to watch the news to find out when this has happened.

	Wietse

John Peach | 27 Jun 2012 02:22

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

On Tue, 26 Jun 2012 11:04:16 -0700
"Daniel L. Miller" <dmiller <at> amfes.com> wrote:

> After a recent Ubuntu server upgrade, the packaged versions of Postfix - 
> using Ubuntu's "Precise" version, as well as the "security", "updates", 
> and "backports" repositories - Postfix's TLS is broken with the known 
> SSL version issue:
> 
> warning: TLS library problem: 4425:error:1408F10B:SSL 
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
> 
> I've tried a couple different main.cf settings, including:
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> 
> but the only option that has given me temporary functionality is:
> smtpd_tls_security_level=none
> 
> Is there a way I can restore TLS functionality via configuration? Or is 
> an updated Postfix, possibly a self-compiled version, my only option?

I've not seen this at all, but I've always used:

smtpd_tls_security_level = may

This gives me TLS when the client wants to use it.....

-- 
John


Viktor Dukhovni | 28 Jun 2012 17:10

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

On Tue, Jun 26, 2012 at 11:04:16AM -0700, Daniel L. Miller wrote:

> After a recent Ubuntu server upgrade, the packaged versions of
> Postfix - using Ubuntu's "Precise" version, as well as the
> "security", "updates", and "backports" repositories - Postfix's TLS
> is broken with the known SSL version issue:
> 
> warning: TLS library problem: 4425:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:

The issue is possibly related to session resumption, in which case
it may not be surprising if Sendmail does not run into it, since
Sendmail does not have a TLS session cache.

If anyone is able to reproduce the issue with TLSv1.2 enabled,
please send me logging for one failed connection with "smtpd_tls_loglevel
= 4" gathered after a "postfix stop; postfix start", so that the
TLS session cache is initially empty, and (if perhaps the failure
*is* related to session resumption and requires a non-empty cache)
also similar logging for a connection with a resumed TLS session.

Is the error in question observed primarily on clients, servers or
both?

-- 
	Viktor.

Viktor Dukhovni | 28 Jun 2012 17:13

Re: Ubuntu Precise packaged 2.9.1 & SSL 1.0.1

On Thu, Jun 28, 2012 at 03:10:14PM +0000, Viktor Dukhovni wrote:

> If anyone is able to reproduce the issue with TLSv1.2 enabled,
> please send me logging for one failed connection with "smtpd_tls_loglevel
> = 4" gathered after a "postfix stop; postfix start", so that the
> TLS session cache is initially empty, and (if perhaps the failure
> *is* related to session resumption and requires a non-empty cache)
> also similar logging for a connection with a resumed TLS session.

If it makes any difference "smtpd_tls_loglevel = 3" may also
be sufficient if the error is seen during the handshake phase
of the SSL session.

> -- 
> 	Viktor.
