TLS handshake fails ("SSL_accept:error in error") for server->server connection (smtp submit dovecot->postfix) if /etc/pki/tls/openssl.cnf "Options=" includes 'ServerPreference' ?
PGNet Dev
pgnet.dev at gmail.com
Wed Sep 23 21:11:50 UTC 2020
I've got two servers communicating over SSL.

Comms between them work if /etc/pki/tls/openssl.cnf includes

    Options = PrioritizeChaCha

but fail if 'ServerPreference' is added,

    Options = ServerPreference,PrioritizeChaCha

(cref:
  Undocumented openssl.cnf options and PrioritizeChaCha
  https://blog.germancoding.com/2020/05/30/undocumented-openssl-cnf-options-and-prioritizechacha/

  man SSL_CONF_cmd
  ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
)
I'm trying to understand the expected behavior, and troubleshoot.
The 2 servers are

    postconf mail_version
        mail_version = 3.5.7
    dovecot --version
        2.3.10.1 (a3d0e1171)

They're on the same machine, which runs

    grep PRETTY /etc/os-release
        PRETTY_NAME="Fedora 32 (Server Edition)"
    openssl version
        OpenSSL 1.1.1g FIPS 21 Apr 2020
Dovecot's configured to listen for SMTP submissions on its own submission proxy port 60465; dovecot then re-submits the message to postfix, on submission port 465.
The openssl cnf contains

    /etc/pki/tls/openssl.cnf
        openssl_conf = default_conf
        [default_conf]
        ssl_conf = ssl_sect
        [ssl_sect]
        system_default = system_default_sect
        [system_default_sect]
        MinProtocol = TLSv1.2
        CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
        Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
        Options = PrioritizeChaCha
With that^^ config, message submit

    cat ~/test.eml | msmtp -a internal testrecipient at example.net

to dovecot:60465 succeeds. Postfix logs report no probs,

    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: connect from internal.mx.example.com[10.0.1.50]
    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384
    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 4BxVWX41svzWf7g: client=internal.mx.example.com[10.0.1.50]
    Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: from=<testsender at example.com>, size=583, nrcpt=1 (queue active)
    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: disconnect from internal.mx.example.com[10.0.1.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Sep 23 13:43:36 mx postfix/lmtp[27329]: 4BxVWX41svzWf7g: to=<testrecipient at example.net>, relay=mx.example.com[private/dovecot-lmtp], delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <testrecipient at example.net> kPB/Iniza1/YaQAA+IOfAw Saved)
    Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: removed

and the message _is_ delivered to final destination without error. Mail flows -- in- & out-bound -- without interruption.
OTOH, if, as mentioned above, I simply change

    - Options = PrioritizeChaCha
    + Options = ServerPreference,PrioritizeChaCha

then otherwise-identical submission to dovecot:60465 fails,

    cat ~/test.eml | msmtp -a internal testrecipient at example.net
    msmtp: envelope from address testsender at example.com not accepted by the server
    msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
    msmtp: could not send mail (account internal from /etc/msmtprc)

and in postfix logs,

    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: internal.mx.example.com[10.0.1.50]: TLS cipher list "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:before SSL initialization
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:error in error
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost connection after CONNECT from internal.mx.example.com[10.0.1.50]
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0
IIUC (?) that^^ _is_ an SSL error, reported by postfix, and preventing the send 'tween dovecot & postfix.
1st, is there any reason to expect that use of "Options = ServerPreference" should _not_ work here?
If not, then what's a likely cause of the problem? At this point, I'm not clear if this is postfix, dovecot, openssl, or some combo.
&/or, what additional info's required to determine further?
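As an added example, not part of the original post and not code from OpenSSL, Postfix or Dovecot, here is a small Python resolver for the openssl.cnf section chain shown above (openssl_conf -> ssl_conf -> system_default) that reports which Options flags are actually in effect and which flag a change like the one in the post adds. It assumes the flag names listed in the SSL_CONF_cmd(3) man page for OpenSSL 1.1.1, and it does not follow .include directives.

```python
import configparser

# Constructed copies of the openssl.cnf from the post (CipherString/Ciphersuites
# shortened; the resolution logic does not depend on them). Only Options differs.
CNF_WORKING = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = PrioritizeChaCha
"""
CNF_FAILING = CNF_WORKING.replace("Options = PrioritizeChaCha",
                                  "Options = ServerPreference,PrioritizeChaCha")

# Flags accepted by the Options command of SSL_CONF_cmd(3) in OpenSSL 1.1.1 (assumed list).
KNOWN_OPTIONS = {
    "SessionTicket", "Compression", "EmptyFragments", "Bugs", "DHSingle", "ECDHSingle",
    "ServerPreference", "NoResumptionOnRenegotiation", "NoRenegotiation",
    "UnsafeLegacyRenegotiation", "UnsafeLegacyServerConnect", "EncryptThenMac",
    "AllowNoDHEKEX", "PrioritizeChaCha", "MiddleboxCompat", "AntiReplay", "ExtendedMasterSecret",
}

def system_default_section(cnf_text):
    """Follow openssl_conf -> ssl_conf -> system_default and return that section as a dict.
    .include directives (Fedora's crypto-policies use them) are not followed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), default_section="__none__")
    cp.optionxform = str  # OpenSSL keys are case-sensitive; keep them as written
    cp.read_string("[__top__]\n" + cnf_text)  # keys before the first [section] form the unnamed top section
    ssl_sect = cp[cp["__top__"]["openssl_conf"]]["ssl_conf"]
    return dict(cp[cp[ssl_sect]["system_default"]])

def parse_options(value):
    """Split an Options= value into (enabled, disabled, unknown); a leading '-' clears a flag."""
    enabled, disabled, unknown = set(), set(), set()
    for tok in filter(None, (t.strip() for t in value.split(","))):
        name = tok.lstrip("-")
        target = unknown if name not in KNOWN_OPTIONS else disabled if tok.startswith("-") else enabled
        target.add(name)
    return enabled, disabled, unknown

def options_added(cnf_before, cnf_after):
    """Flags newly enabled by the second config, isolating a change like the post's diff."""
    enabled = lambda c: parse_options(system_default_section(c).get("Options", ""))[0]
    return enabled(cnf_after) - enabled(cnf_before)
```

Point the resolver at the real file to see the system-wide defaults every OpenSSL-linked daemon (postfix and dovecot included) inherits before its own TLS settings are applied.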