OpenSSL 1.1.1 Windows dependencies
David Harris
openssl at pmail.gen.nz
Sat Oct 22 15:02:26 UTC 2022
On 21 Oct 2022 at 13:50, Michael Wojcik via openssl-users wrote:
> > That was my initial thought too, except that if it were
> > firewall-related, the initial port 587 connection would be blocked,
> > and it isn't - the failure doesn't happen until after STARTTLS has
> > been issued.
>
> Not necessarily. That's true for a first-generation port-blocking
> firewall, but not for a packet-inspecting one. There are organizations
> which use packet-inspecting firewalls to block STARTTLS because they
> enforce their own TLS termination, in order to inspect all incoming
> traffic for malicious content and outgoing traffic for exfiltration.
I now have wireshark captures showing the exchanges between the working
instance and the non-working instance respectively; the problem is definitely
happening after STARTTLS has been issued and during the TLS handshake.
I'm not high-level enough to be able to make any sense of the negotiation data
though. The wireshark capture is quite short (22 items in the list) and I don't
mind making it available if it would be useful to anyone.
> > Furthermore, the OpenSSL
> > configuration is identical between the systems/combinations of
> > OpenSSL that work and those that don't.
>
> Do you know that for certain? There's no openssl.cnf from some other
> source being picked up on the non-working system?
I'm pretty certain, but I'll get the customer to double-check.
Cheers!
-- David --
More information about the openssl-users
mailing list