Re: Unable to STARTTLS behind a specific network

Hello all,

Thank you for your help!

On 22/12/2016 at 17:58, Viktor Dukhovni wrote:
>> On Dec 22, 2016, at 5:30 AM, Hoggins! <fuckspam@xxxxxxxxxxx> wrote:
>>
>> So what I do is:
>>
>>    $ openssl s_client -starttls smtp -crlf -connect newdude.radiom.fr:5000
> This (well essentially this, but with the Postfix "posttls-finger" utility)
> works for me from my MTA host:
>
> $ posttls-finger -d sha512 "[newdude.radiom.fr]:5000"
> posttls-finger: using DANE RR: _5000._tcp.newdude.radiom.fr IN TLSA 3 0 2 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
> posttls-finger: Connected to newdude.radiom.fr[188.165.117.231]:5000
> posttls-finger: < 220 newdude.radiom.fr ESMTP Sendmail 8.15.2/8.15.2; Thu, 22 Dec 2016 17:54:11 +0100
> posttls-finger: > EHLO mournblade.imrryr.org
> posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org [38.117.134.19], pleased to meet you
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-DELIVERBY
> posttls-finger: < 250 HELP
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: depth=0 matched end entity certificate sha512 digest 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: Matched subjectAltName: *.radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subjectAltName: radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000 CommonName *.radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subject_CN=*.radiom.fr, issuer_CN=StartCom Class 2 Primary Intermediate Server CA, fingerprint=95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12, pkey_fingerprint=C2:86:49:CF:64:12:52:13:CE:55:AD:84:D5:50:DF:88:42:0D:58:6D:78:B0:67:F6:F3:EE:D7:48:99:F6:28:A4:59:E4:97:08:EA:E6:DA:D8:92:92:28:C9:B8:4E:83:25:3E:1A:F6:CA:C9:94:5A:83:A7:3D:0C:9B:DA:F5:F0:37
> posttls-finger: Verified TLS connection established to newdude.radiom.fr[188.165.117.231]:5000: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> posttls-finger: > EHLO mournblade.imrryr.org
> posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org [38.117.134.19], pleased to meet you
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
> posttls-finger: < 250-DELIVERBY
> posttls-finger: < 250 HELP
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 newdude.radiom.fr closing connection
>
>> No problem, I can communicate with the SMTP server after the STARTTLS
>> occurred.
>>
>> But behind that specific network, if I run the same command, all I get is:
>>
>>    CONNECTED(00000003)
>>    write:errno=104
>>    ---
>>    no peer certificate available
>>    ---
>>    No client certificate CA names sent
>>    ---
>>    SSL handshake has read 351 bytes and written 147 bytes
>>    ---
>>    New, (NONE), Cipher is (NONE)
>>    Secure Renegotiation IS NOT supported
>>    Compression: NONE
>>    Expansion: NONE
>>    ---
>>
>> When I compare two tcpdumps, I can clearly see that a lot of data is
>> missing; the transaction is not complete.
>>
>> Before being paranoid, I simply suspect an MTU problem, but I'm not sure
>> how this would only apply to SSL transactions.
>>
>> Should I provide tcpdumps or anything else?
> Just the PCAP file for the broken session is enough.  However, since the
> destination looks perfectly fine, the problem is surely some firewall at
> the source network that exhibits the problem, and figuring out exactly
> what's wrong with that firewall is not an OpenSSL issue.  Send the PCAP
> file to the network administrator and ask for help there.
>

Routing my traffic through an IPSec VPN directly to the host solves the
issue, so we can definitely bet on a problem on the local network.
I'm afraid the administrators are not too much into Net neutrality ;)

Cheers!

    Hoggins!
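Viktor's posttls-finger run and Hoggins' failing s_client session above go through the same steps: greeting, EHLO, check that STARTTLS is advertised, STARTTLS, TLS handshake. The probe below is an added example (not code from the thread, OpenSSL or Postfix) that drives those steps and reports the stage at which the session breaks, so a connection reset right after STARTTLS (the write:errno=104 seen above) is told apart from STARTTLS missing from the EHLO reply; host, port and the helo_name are placeholders, and the scripted transcript used to exercise it is constructed from the replies quoted in the thread.

```python
import socket
import ssl

class StarttlsProbe:
    """Drive an SMTP session through STARTTLS and report the stage where it broke."""
    # I/O is injected as callables so the same logic runs over a real socket
    # (probe_host below) or over a scripted transcript in a test.
    def __init__(self, recv_line, send_line, start_tls):
        self.recv_line, self.send_line, self.start_tls = recv_line, send_line, start_tls
    def read_reply(self):
        # SMTP multi-line replies: "250-..." continues, "250 ..." is the last line.
        lines = []
        while True:
            line = self.recv_line().rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return lines
    def run(self, helo_name="probe.example"):  # helo_name is a placeholder
        stage = "banner"
        try:
            if not self.read_reply()[0].startswith("220"):
                return stage, "no 220 greeting"
            stage = "ehlo"
            self.send_line(f"EHLO {helo_name}")
            caps = {l[4:].strip().split(" ")[0].upper()
                    for l in self.read_reply() if l.startswith("250")}
            if "STARTTLS" not in caps:
                return stage, "STARTTLS not advertised: disabled on the server or stripped in transit"
            stage = "starttls"
            self.send_line("STARTTLS")
            if not self.read_reply()[0].startswith("220"):
                return stage, "server refused STARTTLS"
            stage = "handshake"
            self.start_tls()
            return "ok", "TLS established"
        except OSError as exc:  # ssl.SSLError and ConnectionResetError are OSError subclasses
            if isinstance(exc, ConnectionResetError):  # errno 104 on Linux, as in the thread
                return stage, "connection reset by peer: suspect a filtering device on the path"
            return stage, f"{type(exc).__name__}: {exc}"

def probe_host(host, port, timeout=10):
    # Run the probe over a real TCP connection; the default context verifies the certificate.
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="ascii", errors="replace")
    ctx = ssl.create_default_context()
    start_tls = lambda: ctx.wrap_socket(sock, server_hostname=host).close()
    probe = StarttlsProbe(rfile.readline, lambda s: sock.sendall((s + "\r\n").encode()), start_tls)
    with sock:
        return probe.run()
```

Comparing the reported stage from inside the affected network with the result from an outside host (or through the VPN) pins the break to the path rather than to the server.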


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
