Unable to STARTTLS behind a specific network

Unable to STARTTLS behind a specific network

Hoggins!
Hello there,

First post here, I would like to know how it's possible to debug a
certain problem I have.
Behind a specific network, I'm unable to bootstrap a STARTTLS session on
an SMTP server. Usually, it works flawlessly.

So my request for help is not to try to change anything to the
configuration (I'm not in charge of this network) but to confirm that
there is a "problem" in between on that network that prevents the
transaction from being conducted.

So what I do is:

    $ openssl s_client -starttls smtp -crlf -connect newdude.radiom.fr:5000

No problem, I can communicate with the SMTP server after the STARTTLS
occurred.

But behind that specific network, if I run the same command, all I get is:

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 351 bytes and written 147 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

When I compare two tcpdumps, I can clearly see that a lot of data is
missing, the transaction is not complete.

Before being paranoid, I simply suspect an MTU problem, but I'm not sure
how this would only apply to SSL transactions.

Should I provide tcpdumps or anything else?

Thank you!

    Hoggins!



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Unable to STARTTLS behind a specific network

Salz, Rich
Well, the fact that it fails is confirmation :)

> But behind that specific network, if I run the same command, all I get is :
>
>     CONNECTED(00000003)
>     write:errno=104

Most likely there is a middlebox filtering traffic and closing the connection.  Try an older protocol version, like -ssl3 or something.



Re: Unable to STARTTLS behind a specific network

Salz, Rich

Errno 104 is usually "connection reset by peer", which means that the other side said "go away".

Re: Unable to STARTTLS behind a specific network

Viktor Dukhovni
In reply to this post by Hoggins!

> On Dec 22, 2016, at 5:30 AM, Hoggins! <[hidden email]> wrote:
>
> So what I do is :
>
>    $ openssl s_client -starttls smtp -crlf -connect newdude.radiom.fr:5000

This (well essentially this, but with the Postfix "posttls-finger" utility)
works for me from my MTA host:

$ posttls-finger -d sha512 "[newdude.radiom.fr]:5000"
posttls-finger: using DANE RR: _5000._tcp.newdude.radiom.fr IN TLSA 3 0 2 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
posttls-finger: Connected to newdude.radiom.fr[188.165.117.231]:5000
posttls-finger: < 220 newdude.radiom.fr ESMTP Sendmail 8.15.2/8.15.2; Thu, 22 Dec 2016 17:54:11 +0100
posttls-finger: > EHLO mournblade.imrryr.org
posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org [38.117.134.19], pleased to meet you
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE
posttls-finger: < 250-DSN
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-DELIVERBY
posttls-finger: < 250 HELP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: depth=0 matched end entity certificate sha512 digest 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: Matched subjectAltName: *.radiom.fr
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subjectAltName: radiom.fr
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000 CommonName *.radiom.fr
posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subject_CN=*.radiom.fr, issuer_CN=StartCom Class 2 Primary Intermediate Server CA, fingerprint=95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12, pkey_fingerprint=C2:86:49:CF:64:12:52:13:CE:55:AD:84:D5:50:DF:88:42:0D:58:6D:78:B0:67:F6:F3:EE:D7:48:99:F6:28:A4:59:E4:97:08:EA:E6:DA:D8:92:92:28:C9:B8:4E:83:25:3E:1A:F6:CA:C9:94:5A:83:A7:3D:0C:9B:DA:F5:F0:37
posttls-finger: Verified TLS connection established to newdude.radiom.fr[188.165.117.231]:5000: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO mournblade.imrryr.org
posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org [38.117.134.19], pleased to meet you
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE
posttls-finger: < 250-DSN
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
posttls-finger: < 250-DELIVERBY
posttls-finger: < 250 HELP
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 newdude.radiom.fr closing connection

> No problem, I can communicate with the SMTP server after the STARTTLS
> occurred.
>
> But behind that specific network, if I run the same command, all I get is :
>
>    CONNECTED(00000003)
>    write:errno=104
>    ---
>    no peer certificate available
>    ---
>    No client certificate CA names sent
>    ---
>    SSL handshake has read 351 bytes and written 147 bytes
>    ---
>    New, (NONE), Cipher is (NONE)
>    Secure Renegotiation IS NOT supported
>    Compression: NONE
>    Expansion: NONE
>    ---
>
> When I compare two tcpdumps, I can clearly see that a lot of data is
> missing, the transaction is not complete.
>
> Before being paranoid, I simply suspect a MTU problem, but I'm not sure
> how this would only apply to SSL transactions.
>
> Should I provide tcpdumps or anything else?

Just the PCAP file for the broken session is enough.  However, since the
destination looks perfectly fine, the problem is surely some firewall at
the source network that exhibits the problem, and figuring out exactly
what's wrong with that firewall is not an OpenSSL issue.  Send the PCAP
file to the network administrator and ask for help there.

--
        Viktor.

Re: Unable to STARTTLS behind a specific network

Hoggins!
Hello all,

Thank you for your help !

On 22/12/2016 at 17:58, Viktor Dukhovni wrote:

> Just the PCAP file for the broken session is enough.  However, since the
> destination looks perfectly fine, the problem is surely some firewall at
> the source network that exhibits the problem, and figuring out exactly
> what's wrong with that firewall is not an OpenSSL issue.  Send the PCAP
> file to the network administrator and ask for help there.
>
Routing my traffic through an IPSec VPN directly to the host solves the
issue, so we can definitely bet on a problem on the local network.
I'm afraid the administrators are not too much into Net neutrality ;)

Cheers!

    Hoggins!



Re: Unable to STARTTLS behind a specific network

Hoggins!
In reply to this post by Salz, Rich
Yes, confirmed here!

On 22/12/2016 at 15:24, Salz, Rich wrote:
> Errno104 is usually "connection reset by peer" which means that the other side said "go away"

Both parties receive an RST from "the middle" as shown in the tcpdump
captures (output1 from client, output0 from server).
Now I have to try to deal with the network administrator to understand
why this happens, and what they're trying to do.

    Hoggins!
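Added example, not code from the thread, from OpenSSL or from Postfix: a small Python probe that walks the cleartext SMTP steps (banner, EHLO, STARTTLS) and then the TLS handshake, reporting the stage at which the connection died. That makes the pattern seen in this thread stand out: the cleartext steps succeed and errno 104 (ECONNRESET) appears only once the handshake starts, which points at a device in the path rather than at a server that never offered STARTTLS. The EHLO name probe.example and any host or port passed to probe() are placeholders.

```python
import errno, socket, ssl

def parse_ehlo(reply):
    """Return (complete, [extension keywords]); '250-' continues, '250 ' ends."""
    lines = reply.splitlines()
    if not lines or any(l[:3] != "250" for l in lines):
        return False, []
    exts = [l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()]
    return lines[-1][3:4] == " ", exts

def describe(exc):
    """One-line diagnosis for an OSError raised by probe() (ssl.SSLError included)."""
    if exc.errno == errno.ECONNRESET:
        return "ECONNRESET (errno 104): RST from the peer or from a device in the path"
    return "%s: %s" % (type(exc).__name__, exc)

def read_reply(f):
    """Read one SMTP reply; the final line has a space right after the code."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:  # truncated reply: the peer, or something in between, closed on us
            raise ConnectionError("peer closed the connection")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if len(lines[-1]) >= 4 and lines[-1][3] == " ":
            return "\n".join(lines)

def probe(host, port=25, timeout=10):
    """Walk banner -> EHLO -> STARTTLS -> TLS handshake and report the stage reached."""
    stage = "connect"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        f = sock.makefile("rb")
        stage = "banner"
        read_reply(f)
        stage = "ehlo"
        sock.sendall(b"EHLO probe.example\r\n")  # placeholder client name
        complete, exts = parse_ehlo(read_reply(f))
        if not complete or "STARTTLS" not in exts:
            return {"stage": stage, "result": "STARTTLS not advertised"}
        stage = "starttls"
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(f).startswith("220"):
            return {"stage": stage, "result": "server refused STARTTLS"}
        stage = "tls-handshake"  # cleartext steps passed; a reset here points at the path
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        return {"stage": "done", "result": tls.version()}
    except OSError as exc:
        return {"stage": stage, "result": describe(exc)}
```

Run probe() once from the affected network and once from a host that works, and compare the returned stage; a capture taken on both sides, as done in this thread, then shows where the RST originates.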


Attachments: output0 (21K), output1 (4K)