[Pkg-openssl-devel] Bug#706423: [openssl.org #3072] Strange behaviour when talking to microsoft exchange

Robert Mueller robm at fastmail.fm
Tue Jul 30 03:44:32 UTC 2013


Hmmm, and some additional details as well.

If you don't explicitly specify the protocol, it *appears* to initially
work.


$ openssl s_client -connect smtp.live.com:587 -starttls smtp -crlf
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft
 Corporation/CN=smtp.live.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
   G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
 G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
...
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
    03120000A01E273F7BF3F54958B1D2ECD7F623A4C7BE42388C94A825513167DA
    Session-ID-ctx:
    Master-Key:
    F8AD960F07FD339AFF0467E54BCC684FC26C735AA58CBA6E6856967D726F9FCDE0D3CAB2A566E43163D574174442C6FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375155252
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK



HOWEVER, if you send any command over the channel, it then causes an SSL
disconnect error.

$ echo -n -e 'ehlo messagingengine.com\nquit\n' | openssl s_client
-connect smtp.live.com:587 -starttls smtp -crlf -ign_eof
CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
    03120000A01E273F7BF3F54958B1D2ECD7F623A4C7BE42388C94A825513167DA
    Session-ID-ctx:
    Master-Key:
    F8AD960F07FD339AFF0467E54BCC684FC26C735AA58CBA6E6856967D726F9FCDE0D3CAB2A566E43163D574174442C6FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375155252
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
250-BLU0-SMTP151.phx.gbl Hello [66.111.4.10]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH LOGIN PLAIN
250 OK
46912496296712:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:



If you make it use RC4 instead, it appears to work again.

[robm at betaweb1 postfix]$ echo -n -e 'ehlo messagingengine.com\nquit\n' |
openssl s_client -connect smtp.live.com:587 -starttls smtp -crlf
-ign_eof -cipher 'RC4'
CONNECTED(00000003)
...
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
    0B190000A64170B904A7991A84EE9DB8E85FF96F23D8BEAF6F8085E9B4869DB4
    Session-ID-ctx:
    Master-Key:
    4D8540CCBE1F647D80A0407A82143564398CC38B447DB1583D4BF0CEDA329DB09C5403311D6D7D6AD2A0AAD05738A658
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375155540
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
250-BLU0-SMTP163.phx.gbl Hello [66.111.4.10]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH LOGIN PLAIN
250 OK
221 2.0.0 BLU0-SMTP163.phx.gbl Service closing transmission channel
read:errno=0



So something appears to get confused when using the DES-CBC3-SHA cipher,
but weirdly it appears only on the first write from openssl ->
smtp.live.com; reads from smtp.live.com -> openssl appear OK???

Anyway, the failure mode is really annoying. STARTTLS appears to work at
first, but then mysteriously fails at the first command you try to send
to the server.

Other problem reports:

http://postfix.1071664.n5.nabble.com/TLS-library-problem-after-updating-quot-openssl-quot-td16242.html
http://stackoverflow.com/questions/17011816/python-smtp-ssl-wrong-version-on-linux

-- 
Rob Mueller
robm at fastmail.fm
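Added illustration, not part of Rob's report: a small Python model of the check behind the `SSL3_GET_RECORD:wrong version number` error above. It parses the 5-byte TLS record header and rejects any record whose version field differs from the negotiated protocol, assumed here to be TLSv1 (0x0301) as in the sessions quoted; the sample byte strings are constructed, and the plaintext case shows that a bare SMTP reply line arriving on the encrypted channel trips the same check, which is worth looking for in a packet capture when diagnosing this error.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
TLS1_0 = 0x0301  # "Protocol : TLSv1" in the s_client sessions above


class WrongVersionNumber(ValueError):
    """Stands in for OpenSSL's SSL_R_WRONG_VERSION_NUMBER."""


def parse_record_header(data: bytes, negotiated_version: int = TLS1_0) -> dict:
    """Parse a TLS record header and apply the post-handshake version check.

    Returns a dict describing the record. Raises WrongVersionNumber when the
    record's version bytes do not match the negotiated protocol version,
    which is the condition the quoted s3_pkt.c error reports.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if version != negotiated_version:
        raise WrongVersionNumber(
            "record version 0x%04x != negotiated 0x%04x (content type 0x%02x)"
            % (version, negotiated_version, content_type))
    return {
        "type": CONTENT_TYPES.get(content_type, "unknown(%d)" % content_type),
        "version": version,
        "length": length,
        "complete": len(data) >= 5 + length,  # whole record body present?
    }


def classify(data: bytes, negotiated_version: int = TLS1_0) -> str:
    """Short diagnostic for the first bytes read from a peer on a TLS channel."""
    try:
        rec = parse_record_header(data, negotiated_version)
    except WrongVersionNumber as exc:
        # Plaintext bytes hit the same check: b"250" parses as
        # content type 0x32 and version 0x3530, neither of which is TLS.
        head = data[:5]
        if head.isascii() and head.decode("ascii").isprintable():
            return "wrong version number: looks like plaintext %r" % head
        return "wrong version number: %s" % exc
    return "%s record, %d bytes" % (rec["type"], rec["length"])


if __name__ == "__main__":
    # Constructed samples: a valid TLSv1 record, a mismatched version, SMTP text.
    for sample in (b"\x17\x03\x01\x00\x05hello", b"\x17\x03\x02\x00\x05hello",
                   b"250 OK\r\n"):
        print(classify(sample))
```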