TLS handshake fails ("SSL_accept:error in error") for server->server connection (smtp submit dovecot->postfix) if /etc/pki/tls/openssl.cnf "Options=" includes 'ServerPreference' ?

PGNet Dev pgnet.dev at gmail.com
Wed Sep 23 21:11:50 UTC 2020


I've got two servers communicating over SSL.

comms between them work if

	/etc/pki/tls/openssl.cnf

includes

	Options = PrioritizeChaCha

but fail if 'ServerPreference' 

	(cref:

		Undocumented openssl.cnf options and PrioritizeChaCha
		https://blog.germancoding.com/2020/05/30/undocumented-openssl-cnf-options-and-prioritizechacha/

		man SSL_CONF_cmd
			ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection.  Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
	)

is added,

	Options = ServerPreference,PrioritizeChaCha

I'm trying to understand expected behavior, and troubleshoot

the 2 servers are

	postconf mail_version
		mail_version = 3.5.7
	dovecot --version
		2.3.10.1 (a3d0e1171)

they're on the same machine, which runs

	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 32 (Server Edition)"
	openssl version
		OpenSSL 1.1.1g FIPS  21 Apr 2020

dovecot's configured to listen for SMTP submissions on its own submission proxy port 60465

dovecot then re-submits the message to postfix, on submission port 465.

the openssl cnf contains

	/etc/pki/tls/openssl.cnf
		openssl_conf = default_conf

		[default_conf]
		ssl_conf = ssl_sect

		[ssl_sect]
		system_default = system_default_sect

		[system_default_sect]
		MinProtocol = TLSv1.2
		CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
		Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

		Options = PrioritizeChaCha

with that^^ config, message submit 

	cat ~/test.eml | msmtp -a internal testrecipient@example.net

to dovecot:60465 succeeds.  postfix logs report no probs,

	Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: connect from internal.mx.example.com[10.0.1.50]
	Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384
	Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 4BxVWX41svzWf7g: client=internal.mx.example.com[10.0.1.50]
	Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: from=<testsender@example.com>, size=583, nrcpt=1 (queue active)
	Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: disconnect from internal.mx.example.com[10.0.1.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
	Sep 23 13:43:36 mx postfix/lmtp[27329]: 4BxVWX41svzWf7g: to=<testrecipient@example.net>, relay=mx.example.com[private/dovecot-lmtp], delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <testrecipient@example.net> kPB/Iniza1/YaQAA+IOfAw Saved)
	Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: removed

and the message _is_ delivered to final destination without error. mail flows -- in- & out-bound -- without interruption.


OTOH, if, as mentioned above, I simply change

-		Options = PrioritizeChaCha
+		Options = ServerPreference,PrioritizeChaCha
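Review bot: this `Options` line lives in `[system_default_sect]`, which the `openssl_conf = default_conf` chain applies to every OpenSSL context created on this host, so `ServerPreference` reaches the Dovecot side that connects to Postfix on 465 as a TLS client as well as the Postfix server side, although the SSL_CONF_cmd text quoted above marks it "Only used by servers". The Postfix error that follows, `ssl3_get_record:wrong version number`, is raised by the accepting record layer before any cipher preference is consulted, so a useful next step is to test `Options = ServerPreference` on its own and pair the Postfix `SSL_accept` lines with Dovecot's own log for the relay connection.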

, then otherwise-identical submission to dovecot:60465 fails,

	cat ~/test.eml | msmtp -a internal testrecipient@example.net
		msmtp: envelope from address testsender@example.com not accepted by the server
		msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
		msmtp: could not send mail (account internal from /etc/msmtprc)

and in postfix logs,

	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: internal.mx.example.com[10.0.1.50]: TLS cipher list "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:before SSL initialization
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:error in error
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost connection after CONNECT from internal.mx.example.com[10.0.1.50]
	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0


iiuc (?) that^^ _is_ an ssl error, reported by postfix, and preventing the send 'tween dovecot & postfix.

1st, is there any reason to expect that use of "Options = ServerPreference" should _not_ work here?

If not, then what's a likely cause of the problem?  At this point, I'm not clear if this is postfix, dovecot, openssl, or some combo.

&/or, what additional info's required to determine further?
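As an added example (not part of the original post), a small Python checker for the two kinds of Postfix smtpd TLS lines quoted above: it parses the "TLS connection established" summary and the "TLS library problem" error string, and checks negotiated protocol and cipher against the MinProtocol / Ciphersuites / CipherString policy from the openssl.cnf shown; the third sample line is constructed to show a policy miss.

```python
import re
# Policy copied from the post's [system_default_sect] in /etc/pki/tls/openssl.cnf.
MIN_PROTOCOL = "TLSv1.2"
TLS13_CIPHERSUITES = {"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
                      "TLS_AES_128_GCM_SHA256"}
TLS12_CIPHERS = set(("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256").split(":"))
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Postfix smtpd formats: the "TLS connection established" summary, and the "TLS
# library problem" line carrying OpenSSL's error:<code>:<lib>:<func>:<reason> string.
ESTABLISHED_RE = re.compile(
    r"TLS connection established from (?P<peer>\S+): "
    r"(?P<proto>TLSv1(?:\.\d)?|SSLv3) with cipher (?P<cipher>\S+)")
LIBRARY_ERR_RE = re.compile(
    r"TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):")

# First two lines are quoted from the post; the third is constructed: a completed
# handshake whose parameters fall outside the configured policy.
SAMPLE_LINES = [
    "Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384",
    "Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:",
    "Sep 23 13:50:00 mx postfix/smtpd[28000]: Untrusted TLS connection established from legacy.example.org[192.0.2.10]: TLSv1.2 with cipher AES128-SHA (128/128 bits)",
]

def policy_violations(proto, cipher):
    """List the ways a negotiated (protocol, cipher) pair breaks the policy above."""
    problems = []
    if PROTO_RANK.get(proto, -1) < PROTO_RANK[MIN_PROTOCOL]:
        problems.append(f"{proto} is below MinProtocol {MIN_PROTOCOL}")
    allowed = TLS13_CIPHERSUITES if proto == "TLSv1.3" else TLS12_CIPHERS
    if cipher not in allowed:
        problems.append(f"{cipher} is not in the configured cipher list")
    return problems

def classify(line):
    """Classify one smtpd log line; None when it is not a TLS outcome line."""
    if m := ESTABLISHED_RE.search(line):
        problems = policy_violations(m["proto"], m["cipher"])
        return {"kind": "established", "peer": m["peer"], "proto": m["proto"],
                "cipher": m["cipher"], "policy_ok": not problems, "problems": problems}
    if m := LIBRARY_ERR_RE.search(line):
        # wrong version number is a record-layer error: the bytes read were not a TLS
        # record of an acceptable version, so cipher settings never came into play.
        return {"kind": "handshake_failure", "code": m["code"], "func": m["func"],
                "reason": m["reason"]}
    return None
```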



More information about the openssl-users mailing list