SSL / SMTP

Joan Moreau

Hi,

Since I upgraded my kernel (and rebuilt openssl), I get the following errors in Postfix:

2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:

2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:

while the Postfix system has worked for ages.

I went back to the old kernel, but the error persists.

Do you have a hint?

Thank you

Joan

 


Re: SSL / SMTP

Joan Moreau
On 16/04/2013 15:11, Joan Moreau wrote:

> Hi,
>
> Since I upgraded my kernel (and rebuilt openssl), I get the following
> errors in Postfix:
>
> 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning:
> TLS library problem: 3308:error:1411C146:SSL
> routines:tls1_prf:unsupported digest type:t1_enc.c:276:
>
> 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning:
> TLS library problem: 3308:error:140D308A:SSL
> routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
>
> while the postfix system has worked since ages.
>
> I went back to the old kernel, but the error persists.
>
> Do you have an hint ?
>
> Thank you
>
> Joan


Actually, the complete log error is the following:
2013-04-17T09:17:14.283129+02:00 server postfix/smtpd[16725]: initializing the server-side TLS engine
2013-04-17T09:17:14.383298+02:00 server postfix/smtpd[16725]: connect from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
2013-04-17T09:17:14.383313+02:00 server postfix/smtpd[16725]: setting up TLS connection from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
2013-04-17T09:17:14.383382+02:00 server postfix/smtpd[16725]: wana-25-254-12-196.wanamaroc.com[196.12.254.25]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
2013-04-17T09:17:14.383617+02:00 server postfix/smtpd[16725]: SSL_accept:before/accept initialization
2013-04-17T09:17:14.383702+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client hello A
2013-04-17T09:17:14.383710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server hello A
2013-04-17T09:17:14.383712+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write certificate A
2013-04-17T09:17:14.385694+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write key exchange A
2013-04-17T09:17:14.385710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server done A
2013-04-17T09:17:14.385720+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 flush data
2013-04-17T09:17:36.573635+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client key exchange A
2013-04-17T09:17:36.573659+02:00 server postfix/smtpd[16725]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-17T09:17:36.573665+02:00 server postfix/smtpd[16725]: SSL_accept error from wana-25-254-12-196.wanamaroc.com[196.12.254.25]: -1
2013-04-17T09:17:36.573670+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]

Can you help ?

Thank you


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: SSL / SMTP

Viktor Dukhovni
On Wed, Apr 17, 2013 at 07:24:23AM +0000, Joan Moreau wrote:

> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]:
> warning: TLS library problem: 16725:error:140D308A:SSL
> routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
> unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost
> connection after CONNECT from
> wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>
> Can you help ?

No.  Install a fresh O/S image on new hardware and use that as your
mail server.  If a fresh install with the default Postfix for the
O/S does not work, come back to the Postfix-users list for help.

You've already consumed a lot of cycles on the Postfix-users list.
Now you are trying the openssl-users list without referencing the
prior long thread which shows your system to be messed up.

--
        Viktor.
|

Re: SSL / SMTP

Joan Moreau
On 17/04/2013 14:18, Viktor Dukhovni wrote:

> On Wed, Apr 17, 2013 at 07:24:23AM +0000, Joan Moreau wrote:
>
> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning:
> TLS library problem: 16725:error:140D308A:SSL
> routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost
> connection after CONNECT from
> wana-25-254-12-196.wanamaroc.com[196.12.254.25] Can you help ?
>
> No. Install a fresh O/S image on new hardware and use that as your
> mail server. If a fresh install with the default Postfix for the
> O/S does not work, come back to the Postfix-users list for help.
>
> You've already consumed a lot of cycles on the Postfix-users list.
> Now you are trying the openssl-users list without referencing the
> prior long thread which shows your system to be messed up.


Please Viktor, I don't need your insults and misbehaving and lack of
politeness.

My system is not "messed up", I have thousands of people working with
it for ages. Now, I'll appreciate very much some help instead of those
useless attacks.

Thank you


|

Re: SSL / SMTP

Viktor Dukhovni
On Wed, Apr 17, 2013 at 04:40:55PM +0000, Joan Moreau wrote:

> >No. Install a fresh O/S image on new hardware and use that as your
> >mail server. If a fresh install with the default Postfix for the
> >O/S does not work, come back to the Postfix-users list for help.
> >
> >You've already consumed a lot of cycles on the Postfix-users list.
> >Now you are trying the openssl-users list without referencing the
> >prior long thread which shows your system to be messed up.
>
>
> Please Viktor, I don't need your insults and mis-behaving and lack
> of politeness.

I did my best to help you.  Your best way forward is to install
Postfix on a server that is in a known working state (not messed-up,
whatever, ...).

You don't have an OpenSSL problem, you already demonstrated this
in the Postfix list thread, where s_client and s_server worked
fine.  You have a problem with Postfix in an environment whose
integrity is strongly suspect, and where Postfix links to a libssl
whose calls into libcrypto fail to find any supported digest
algorithms, despite apparent correctness of header files, library
versions, ...  All the easy causes have been ruled out.  You can
continue to waste time and hope for a miracle, or you can do the
right thing and build a working system, where you either use the
bundled Postfix, or compile Postfix from source against the default
system OpenSSL library.

Over and out.

--
        Viktor.
|

Re: [openssl-users] Re: SSL / SMTP

Erwann ABALEA
In reply to this post by Joan Moreau
On 17/04/2013 18:40, Joan Moreau wrote:

> On 17/04/2013 14:18, Viktor Dukhovni wrote:
>
>> On Wed, Apr 17, 2013 at 07:24:23AM +0000, Joan Moreau wrote:
>>
>> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]:
>> warning: TLS library problem: 16725:error:140D308A:SSL
>> routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
>> unavailable:t1_enc.c:597: 2013-04-17T09:17:36.573971+02:00 server
>> postfix/smtpd[16725]: lost connection after CONNECT from
>> wana-25-254-12-196.wanamaroc.com[196.12.254.25] Can you help ?
>>
>> No. Install a fresh O/S image on new hardware and use that as your
>> mail server. If a fresh install with the default Postfix for the
>> O/S does not work, come back to the Postfix-users list for help.
>>
>> You've already consumed a lot of cycles on the Postfix-users list.
>> Now you are trying the openssl-users list without referencing the
>> prior long thread which shows your system to be messed up.
>
>
> Please Viktor, I don't need your insults and mis-behaving and lack of
> politeness.
>
> My system is not "messed up", I have thousands of people working with
> since ages. Now, i'll appreciate very much some help instead of those
> useless attacks.
>

Reading the mentioned postfix-users thread, it seems Viktor is right,
you messed up with your server, compiling and installing your own
cutting-edge kernels and binaries, without using a package manager, on a
production server.

You may try to locate the libraries that have been used during
compilation, and the ones that are used by your running postfix, and
compare them.
The first answer is to be found somewhere in the compilation logs, the
answer to the second question can be found running the following:

    ps faux | grep postfix | awk '{ print $2 }' | xargs -L 1 lsof -p | grep -E "libcrypto|libssl"

considering that your postfix binary runs under the identity "postfix",
and that you're root (or add a sudo before xargs).

I don't think it's a SHA2 error, as I'm rejected by your server when I
contact it with RC4-SHA (something that is permitted by your ciphersuite
string).
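
The runtime half of the comparison suggested in the message above, as an added example that is not part of the thread and not Postfix or OpenSSL code. It reads text in `/proc/<pid>/maps` format and reports a libssl/libcrypto pair loaded from different directories, duplicate copies, or a library replaced on disk after the process started; the finding names and both samples are constructed for illustration, and treating a split directory as suspicious is an assumption of this example.

```shell
#!/bin/sh
# Added example. Input: lines in /proc/<pid>/maps format on stdin
# (field 6 = mapped file, field 7 = "(deleted)" if the file was replaced on disk).

# Print "name dir state" once per distinct libssl/libcrypto file mapped.
tls_libs() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ {
        n = split($6, part, "/"); name = part[n]
        dir = substr($6, 1, length($6) - length(name) - 1)
        sub(/\.so.*/, "", name)
        print name, dir, ($7 == "(deleted)" ? "deleted" : "ok")
    }' | sort -u
}

# Print one finding per line; no output means the mappings look consistent.
audit_tls_libs() {
    tls_libs | awk '
        { count[$1]++; dir[$1] = $2 }
        $3 == "deleted" { print "REPLACED-ON-DISK " $1 " " $2 }
        END {
            if (count["libssl"] > 1)    print "DUPLICATE libssl"
            if (count["libcrypto"] > 1) print "DUPLICATE libcrypto"
            if (count["libssl"] == 1 && count["libcrypto"] == 1 &&
                dir["libssl"] != dir["libcrypto"])
                print "SPLIT-PREFIX libssl=" dir["libssl"] " libcrypto=" dir["libcrypto"]
        }'
}

# Constructed sample (not from the thread): libssl from a private build,
# libcrypto from the system directory.
SAMPLE_SPLIT='7f10a0000000-7f10a0060000 r-xp 00000000 08:01 131 /usr/local/ssl/lib/libssl.so.1.0.0
7f10a0060000-7f10a0070000 rw-p 00060000 08:01 131 /usr/local/ssl/lib/libssl.so.1.0.0
7f10a1000000-7f10a11b0000 r-xp 00000000 08:01 207 /usr/lib/libcrypto.so.1.0.0'

# Constructed sample: libssl was rebuilt on disk after the process started.
SAMPLE_STALE='7f10a0000000-7f10a0060000 r-xp 00000000 08:01 131 /usr/lib/libssl.so.1.0.0 (deleted)
7f10a1000000-7f10a11b0000 r-xp 00000000 08:01 207 /usr/lib/libcrypto.so.1.0.0'

printf '%s\n' "$SAMPLE_SPLIT" | audit_tls_libs
printf '%s\n' "$SAMPLE_STALE" | audit_tls_libs
# On a live host (as root): audit_tls_libs < /proc/<pid of smtpd>/maps
```

The paths it prints are the ones to check against the link lines in the compilation logs.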

Re: SSL / SMTP

Dr. Stephen Henson
In reply to this post by Joan Moreau
On Wed, Apr 17, 2013, Joan Moreau wrote:

> On 16/04/2013 15:11, Joan Moreau wrote:
>
> >Hi,
> >
> >Since I upgraded my kernel (and rebuilt openssl), I get the
> >following errors in Postfix:
> >
> >2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]:
> >warning: TLS library problem: 3308:error:1411C146:SSL
> >routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> >
> >2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]:
> >warning: TLS library problem: 3308:error:140D308A:SSL
> >routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
> >unavailable:t1_enc.c:597:
> >
> >while the postfix system has worked since ages.
> >
> >I went back to the old kernel, but the error persists.
> >
> >Do you have an hint ?
> >
> >Thank you
> >
> >Joan
>
>
> Actually, the complete log error is the following:
> 2013-04-17T09:17:14.283129+02:00 server postfix/smtpd[16725]:
> initializing the server-side TLS engine
> 2013-04-17T09:17:14.383298+02:00 server postfix/smtpd[16725]:
> connect from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> 2013-04-17T09:17:14.383313+02:00 server postfix/smtpd[16725]:
> setting up TLS connection from
> wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> 2013-04-17T09:17:14.383382+02:00 server postfix/smtpd[16725]:
> wana-25-254-12-196.wanamaroc.com[196.12.254.25]: TLS cipher list
> "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> 2013-04-17T09:17:14.383617+02:00 server postfix/smtpd[16725]:
> SSL_accept:before/accept initialization
> 2013-04-17T09:17:14.383702+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 read client hello A
> 2013-04-17T09:17:14.383710+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 write server hello A
> 2013-04-17T09:17:14.383712+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 write certificate A
> 2013-04-17T09:17:14.385694+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 write key exchange A
> 2013-04-17T09:17:14.385710+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 write server done A
> 2013-04-17T09:17:14.385720+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 flush data
> 2013-04-17T09:17:36.573635+02:00 server postfix/smtpd[16725]:
> SSL_accept:SSLv3 read client key exchange A
> 2013-04-17T09:17:36.573659+02:00 server postfix/smtpd[16725]:
> SSL_accept:error in SSLv3 read certificate verify A
> 2013-04-17T09:17:36.573665+02:00 server postfix/smtpd[16725]:
> SSL_accept error from
> wana-25-254-12-196.wanamaroc.com[196.12.254.25]: -1
> 2013-04-17T09:17:36.573670+02:00 server postfix/smtpd[16725]:
> warning: TLS library problem: 16725:error:1411C146:SSL
> routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]:
> warning: TLS library problem: 16725:error:140D308A:SSL
> routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
> unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost
> connection after CONNECT from
> wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>
> Can you help ?
>

This is presumably OpenSSL 1.0.1. Do you get that error when connecting with
TLS 1.2 only or for TLS 1.1 or earlier?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org