[openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test

Viktor Dukhovni openssl-users at dukhovni.org
Mon Apr 23 01:49:42 UTC 2018 

I tested a Postfix server and client built against OpenSSL 1.1.0,
using 1.1.1 run-time libraries.  This exercised peer certificate
fingerprint matching and session resumption.  No major issues.

The only interesting observations are:

  * With TLS 1.3 a new session is generated even sessions are
    resumed, because the server responds with a new ticket
    in the event of session resumption.  With TLS 1.2 sessions
    that had sufficient remaining lifetime did not trigger new
    ticket generation on the server, and no new session was
    stored on the client.  This causes needless wear-and-tear
    on the external session cache in Postfix, since each
    connection writes out a new session, replacing the one
    it just used.  Some might consider this a security feature,
    but it is not especially desirable with SMTP.  Any thoughts
    about whether this could be tunable?  It would have to be
    server-side tuning I think, since the client does not know
    why the server issued a new session, perhaps the old one
    was not (or will soon not) be valid for re-use.


  * Postfix logs a warning when the compile-time and runtime
    libraries are not exactly the same (once per process start),
    this is expected.  Perhaps we should provide a means for
    users to turn that off.

  * The Postfix logging from the new session callback precedes
    the OpenSSL message callback that a session ticket was
    received from the server.  It seems that the OpenSSL message
    callback happens at the completion of session ticket processing,
    but this results in slightly surprising ordering of the logs.
    It seems as though the session is stored before the ticket
    arrives.  I think this "cosmetic" issue may be worth addressing.

----- Client-side diagnostics -----
posttls-finger: warning: run-time library vs. compile-time header version mismatch: OpenSSL 1.1.1 may not be compatible with OpenSSL 1.1.0

posttls-finger: SSL_connect:before SSL initialization
posttls-finger: SSL_connect:SSLv3/TLS write client hello
posttls-finger: SSL_connect:SSLv3/TLS write client hello
posttls-finger: SSL_connect:SSLv3/TLS read server hello
posttls-finger: SSL_connect:TLSv1.3 read encrypted extensions
posttls-finger: SSL_connect:SSLv3/TLS read server certificate
posttls-finger: SSL_connect:TLSv1.3 read server certificate verify
posttls-finger: SSL_connect:SSLv3/TLS read finished
posttls-finger: SSL_connect:SSLv3/TLS write change cipher spec
posttls-finger: SSL_connect:SSLv3/TLS write finished
posttls-finger: Verified TLS connection established to 127.0.0.1[127.0.0.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: SSL_connect:SSL negotiation finished successfully
posttls-finger: SSL_connect:SSL negotiation finished successfully
posttls-finger: save session [127.0.0.1]:25&340DAEC7D4C243D38B19F31A405375B4DF69D1A1E5FB70B81C38E9EDC190976D to memory cache
posttls-finger: SSL_connect:SSLv3/TLS read server session ticket

posttls-finger: Reconnecting after 1 seconds
posttls-finger: looking for session [127.0.0.1]:25&340DAEC7D4C243D38B19F31A405375B4DF69D1A1E5FB70B81C38E9EDC190976D in memory cache
posttls-finger: reloaded session [127.0.0.1]:25&340DAEC7D4C243D38B19F31A405375B4DF69D1A1E5FB70B81C38E9EDC190976D from memory cache
posttls-finger: SSL_connect:before SSL initialization
posttls-finger: SSL_connect:SSLv3/TLS write client hello
posttls-finger: SSL_connect:SSLv3/TLS write client hello
posttls-finger: SSL_connect:SSLv3/TLS read server hello
posttls-finger: SSL_connect:TLSv1.3 read encrypted extensions
posttls-finger: SSL_connect:SSLv3/TLS read finished
posttls-finger: SSL_connect:SSLv3/TLS write change cipher spec
posttls-finger: SSL_connect:SSLv3/TLS write finished
posttls-finger: 127.0.0.1[127.0.0.1]:25: Reusing old session
posttls-finger: Verified TLS connection established to 127.0.0.1[127.0.0.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: SSL_connect:SSL negotiation finished successfully
posttls-finger: SSL_connect:SSL negotiation finished successfully
posttls-finger: save session [127.0.0.1]:25&340DAEC7D4C243D38B19F31A405375B4DF69D1A1E5FB70B81C38E9EDC190976D to memory cache
posttls-finger: SSL_connect:SSLv3/TLS read server session ticket
----- End -----


-- 
	Viktor.

More information about the openssl-project mailing list