OpenSSL 1.1.1 Windows dependencies

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Oct 21 13:50:35 UTC 2022


> From: David Harris <openssl at pmail.gen.nz>
> Sent: Friday, 21 October, 2022 01:42
>
> On 20 Oct 2022 at 20:04, Michael Wojcik wrote:
> 
> > I think more plausible causes of this failure are things like OpenSSL
> > configuration and interference from other software such as an endpoint
> > firewall. Getting SYSCALL from SSL_accept *really* looks like
> > network-stack-level interference, from a firewall or similar
> > mechanism.
> 
> That was my initial thought too, except that if it were firewall-related, the
> initial port 587 connection would be blocked, and it isn't - the failure doesn't
> happen until after STARTTLS has been issued.

Not necessarily. That's true for a first-generation port-blocking firewall, but not for a packet-inspecting one. There are organizations which use packet-inspecting firewalls to block STARTTLS because they enforce their own TLS termination, in order to inspect all incoming traffic for malicious content and outgoing traffic for exfiltration.

> Furthermore, the OpenSSL
> configuration is identical between the systems/combinations of OpenSSL that
> work and those that don't.

Do you know that for certain? There's no openssl.cnf from some other source being picked up on the non-working system?

-- 
Michael Wojcik
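
One way to check the closing question about a stray openssl.cnf, as an added example that is not part of the original message: it takes the output of `openssl version -d` plus the process environment, reports which configuration file would be read (the `OPENSSL_CONF` environment variable, when set, replaces `OPENSSLDIR/openssl.cnf`), and hashes the file's active lines so the working and non-working systems can be compared. It assumes the `openssl` binary queried comes from the same build as the libraries the failing server loads; the function names and the script name are hypothetical.

```python
import hashlib
import os
import re
import sys
from pathlib import Path


def parse_openssldir(version_d_output):
    """Pull the directory out of `openssl version -d` output (OPENSSLDIR: "...")."""
    match = re.search(r'OPENSSLDIR:\s*"([^"]*)"', version_d_output)
    return match.group(1) if match else None


def effective_config(openssldir, env):
    """Return (path, source): OPENSSL_CONF wins, else OPENSSLDIR/openssl.cnf."""
    override = env.get("OPENSSL_CONF")
    if override:
        return Path(override), "OPENSSL_CONF"
    return Path(openssldir) / "openssl.cnf", "OPENSSLDIR"


def active_lines(text):
    """Drop blank lines and whole-line '#' comments so cosmetic edits do not count."""
    stripped = (line.strip() for line in text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]


def describe(version_d_output, env):
    """Summarise which config file would be read and a digest of its active content."""
    openssldir = parse_openssldir(version_d_output)
    if openssldir is None:
        raise ValueError("no OPENSSLDIR line in input")
    path, source = effective_config(openssldir, env)
    if not path.is_file():
        # Nothing at that path: report it rather than guessing at another file.
        return {"path": str(path), "source": source, "sha256": None, "lines": 0}
    active = active_lines(path.read_text(errors="replace"))
    digest = hashlib.sha256("\n".join(active).encode()).hexdigest()
    return {"path": str(path), "source": source, "sha256": digest, "lines": len(active)}


if __name__ == "__main__":
    # Usage: openssl version -d | python which_cnf.py
    print(describe(sys.stdin.read(), os.environ))
```

Run it on both systems under the same account and environment the server uses; a differing `source`, `path` or `sha256` means the two configurations are not identical.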

