TLS handshake fails ("SSL_accept:error in error") for server->server connection (smtp submit dovecot->postfix) if /etc/pki/tls/openssl.cnf "Options=" includes 'ServerPreference' ?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 24 08:19:10 UTC 2020


On Wed, Sep 23, 2020 at 02:11:50PM -0700, PGNet Dev wrote:

> 	/etc/pki/tls/openssl.cnf
> 		openssl_conf = default_conf
> 
> 		[default_conf]
> 		ssl_conf = ssl_sect
> 
> 		[ssl_sect]
> 		system_default = system_default_sect
> 
> 		[system_default_sect]
> 		MinProtocol = TLSv1.2
> 		CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> 		Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
> 
> 		Options = PrioritizeChaCha

Distros have gotten rather enthusiastic of late to turn up the crypto to
11.  This does not always yield good results. :-(  I'd be tempted to
drop most if not all of those settings, they're not email-friendly.

> OTOH, if, as mentioned above, I simply change
> 
> -		Options = PrioritizeChaCha
> +		Options = ServerPreference,PrioritizeChaCha
> 
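Review bot: on the "+" line, ServerPreference is added to the Options of [system_default_sect], which the quoted file wires in as system_default, so the change applies to every program that loads /etc/pki/tls/openssl.cnf rather than to one service. If server-side cipher ordering is only wanted on a single listener, set it in that service's own TLS configuration and leave the shared default as it was; that also narrows down which end of the connection the change affects.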
> , then otherwise-identical submission to dovecot:60465 fails,
> 
> and in postfix logs,
> 
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: internal.mx.example.com[10.0.1.50]: TLS cipher list "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:before SSL initialization
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:error in error
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost connection after CONNECT from internal.mx.example.com[10.0.1.50]
> 	Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0

That's rather more verbose than default Postfix TLS logging, I hope it
is temporary.  Are you sure the third line is copied correctly into
your post?

> 	Sep 23 13:45:42 mx
> 	postfix/submit-from-dovecot-proxy/smtpd[27011]:
> 	internal.mx.example.com[10.0.1.50]: TLS cipher list
> 	"TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"

That cipherlist has an extra "T" in front of the TLS 1.3 ChaCha cipher,
that should not be there...  Also, Postfix has no knowledge of TLS 1.3
cipher suites, Postfix has cipher configuration knobs only for the
TLS <= 1.2 ciphers, so I don't know how that particular string ended up
in your logs.

Is there something in your Postfix configuration that resembles that
particular blob?  If so, it should not be there...

-- 
    Viktor.
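
The check discussed above, as an added example that is not part of the original message and is not Postfix or OpenSSL code: OpenSSL skips cipher-list elements it does not recognise as long as something else in the list matches, so a stray name such as the one in the quoted log line only shows up when each element is tested alone. It assumes Python's ssl module is linked against OpenSSL; the function names are hypothetical.

```python
import re
import ssl

# The "TLS cipher list" log line quoted in the thread, joined onto one line.
SAMPLE_LOG = (
    'Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: '
    'internal.mx.example.com[10.0.1.50]: TLS cipher list '
    '"TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"'
)

CIPHER_LIST_RE = re.compile(r'TLS cipher list "([^"]*)"')


def cipher_lists(log_text):
    """Return every cipher-list string Postfix logged in log_text."""
    return CIPHER_LIST_RE.findall(log_text)


def _selects_something(cipher_string):
    """True if the local OpenSSL selects at least one TLS <= 1.2 cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected."
        return False
    return True


def unmatched_tokens(cipher_list):
    """Elements of a cipher list that match no cipher when tested alone."""
    bad = []
    for token in re.split(r"[:, ]+", cipher_list):
        # Skip empty pieces, removal/reordering rules (!x, -x, +x) and @ commands.
        if not token or token[0] in "!-+@":
            continue
        if not _selects_something(token):
            bad.append(token)
    return bad


def accepted_as_whole(cipher_list):
    """True if OpenSSL accepts the complete list, unmatched elements included."""
    return _selects_something(cipher_list)


if __name__ == "__main__":
    for cl in cipher_lists(SAMPLE_LOG):
        print(cl, "-> accepted as a whole:", accepted_as_whole(cl),
              "| unmatched:", unmatched_tokens(cl))
```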

