[openssl-users] Unable to STARTTLS behind a specific network
Hoggins!
fuckspam at wheres5.com
Fri Dec 23 14:13:14 UTC 2016
Hello all,
Thank you for your help!
On 22/12/2016 at 17:58, Viktor Dukhovni wrote:
>> On Dec 22, 2016, at 5:30 AM, Hoggins! <fuckspam at wheres5.com> wrote:
>>
>> So what I do is:
>>
>> $ openssl s_client -starttls smtp -crlf -connect newdude.radiom.fr:5000
> This (well essentially this, but with the Postfix "posttls-finger" utility)
> works for me from my MTA host:
>
> $ posttls-finger -d sha512 "[newdude.radiom.fr]:5000"
> posttls-finger: using DANE RR: _5000._tcp.newdude.radiom.fr IN TLSA 3 0 2 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
> posttls-finger: Connected to newdude.radiom.fr[188.165.117.231]:5000
> posttls-finger: < 220 newdude.radiom.fr ESMTP Sendmail 8.15.2/8.15.2; Thu, 22 Dec 2016 17:54:11 +0100
> posttls-finger: > EHLO mournblade.imrryr.org
> posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org [38.117.134.19], pleased to meet you
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-DELIVERBY
> posttls-finger: < 250 HELP
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: depth=0 matched end entity certificate sha512 digest 95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: Matched subjectAltName: *.radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subjectAltName: radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000 CommonName *.radiom.fr
> posttls-finger: newdude.radiom.fr[188.165.117.231]:5000: subject_CN=*.radiom.fr, issuer_CN=StartCom Class 2 Primary Intermediate Server CA, fingerprint=95:6D:5F:68:4A:65:07:55:53:7D:14:02:2C:23:F4:A2:CD:5B:93:AC:86:94:E2:D5:16:26:21:24:B7:A9:06:E3:E1:E6:61:77:DF:60:6E:98:9E:36:9F:BA:23:11:CA:F9:53:99:79:73:0C:D9:D5:10:DF:73:92:52:60:B5:EA:12, pkey_fingerprint=C2:86:49:CF:64:12:52:13:CE:55:AD:84:D5:50:DF:88:42:0D:58:6D:78:B0:67:F6:F3:EE:D7:48:99:F6:28:A4:59:E4:97:08:EA:E6:DA:D8:92:92:28:C9:B8:4E:83:25:3E:1A:F6:CA:C9:94:5A:83:A7:3D:0C:9B:DA:F5:F0:37
> posttls-finger: Verified TLS connection established to newdude.radiom.fr[188.165.117.231]:5000: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> posttls-finger: > EHLO mournblade.imrryr.org
> posttls-finger: < 250-newdude.radiom.fr Hello mournblade.imrryr.org [38.117.134.19], pleased to meet you
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-AUTH GSSAPI LOGIN PLAIN
> posttls-finger: < 250-DELIVERBY
> posttls-finger: < 250 HELP
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 newdude.radiom.fr closing connection
>
>> No problem, I can communicate with the SMTP server after the STARTTLS
>> occurred.
>>
>> But behind that specific network, if I run the same command, all I get is:
>>
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 351 bytes and written 147 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>>
>> When I compare two tcpdumps, I can clearly see that a lot of data is
>> missing; the transaction is not complete.
>>
>> Before being paranoid, I simply suspect an MTU problem, but I'm not sure
>> how this would only apply to SSL transactions.
>>
>> Should I provide tcpdumps or anything else?
> Just the PCAP file for the broken session is enough. However, since the
> destination looks perfectly fine, the problem is surely some firewall at
> the source network that exhibits the problem, and figuring out exactly
> what's wrong with that firewall is not an OpenSSL issue. Send the PCAP
> file to the network administrator and ask for help there.
>
Routing my traffic through an IPSec VPN directly to the host solves the
issue, so we can definitely bet on a problem on the local network.
I'm afraid the administrators are not too much into Net neutrality ;)
Cheers!
Hoggins!
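A small probe, added here as an example and not part of the thread, that walks the same banner / EHLO / STARTTLS / TLS-handshake sequence and reports which stage fails, so a run from the suspect network can be compared with one over the VPN path (a capability list missing STARTTLS, a refused STARTTLS, or a reset during the handshake each point at a different kind of middlebox interference). The host names and the EHLO transcript are constructed; probe() needs network access, the other functions run offline.

```python
import socket, ssl

# Constructed EHLO reply modelled on the capability list quoted in the thread (not a capture).
SAMPLE_EHLO = (
    "250-mail.example Hello probe.example, pleased to meet you\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

def parse_ehlo(reply):
    lines = [ln for ln in reply.split("\r\n") if ln]
    keywords = [ln[4:].split()[0].upper() for ln in lines[1:] if len(ln) > 4]
    return lines[0][:3], keywords

def classify(keywords, starttls_code, handshake_error):
    # Map the three observable stages of a STARTTLS attempt to a diagnosis.
    if "STARTTLS" not in keywords:
        return "starttls-not-advertised"   # hidden by the server, or stripped in transit
    if not starttls_code.startswith("220"):
        return "starttls-refused"
    if handshake_error is not None:
        return "handshake-failed"          # e.g. reset right after ClientHello (write:errno=104)
    return "tls-ok"

def read_reply(sock):
    # One SMTP reply ends at a CRLF-terminated line whose fourth character is a space.
    buf = b""
    while not (buf.endswith(b"\r\n") and buf.split(b"\r\n")[-2][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
    return buf.decode("ascii", "replace")

def probe(host, port=25, timeout=10):
    # banner -> EHLO -> STARTTLS -> TLS handshake, returning the classification.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock)                                # 220 greeting
        sock.sendall(b"EHLO probe.example\r\n")
        _, keywords = parse_ehlo(read_reply(sock))
        starttls_code, err = "", None
        if "STARTTLS" in keywords:
            sock.sendall(b"STARTTLS\r\n")
            starttls_code = read_reply(sock)[:3]
            if starttls_code == "220":
                try:
                    ssl.create_default_context().wrap_socket(sock, server_hostname=host).close()
                except (ssl.SSLError, OSError) as exc:
                    err = exc
        return classify(keywords, starttls_code, err)
```

Running probe("newdude.radiom.fr", 5000) from both vantage points and comparing the two strings narrows the problem to one stage before any PCAP is sent to the network administrator.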