On Mon, Apr 29, 2013 at 11:38:31PM -0400, Dave Anglin wrote:
> Package: openssl
> Version: 1.0.1e-2
> Severity: normal
> 
> With version 1.0.e-2, EHLO handshake fails and connections are deferred:
> 
> Apr 29 22:41:56 mx3210 postfix/smtp[29733]: Trusted TLS connection 
> established to smtphm.sympatico.ca[65.55.172.251]:25: TLSv1 with cipher 
> DES-CBC3-SHA (168/168 bits)
> Apr 29 22:41:56 mx3210 postfix/smtp[29733]: warning: TLS library problem: 
> 29733:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
> number:s3_pkt.c:337:
> Apr 29 22:41:56 mx3210 postfix/smtp[29733]: 0003A5F7F6: 
> to=<dave.ang...@bell.net>, orig_to=<root>, 
> relay=smtphm.sympatico.ca[65.55.172.251]:25, delay=13914, 
> delays=13898/0.38/15/0, dsn=4.4.2, status=deferred (lost connection with 
> smtphm.sympatico.ca[65.55.172.251] while performing the EHLO handshake)
> 
> Version 1.0.0g-1 works:
> Apr 29 23:26:55 mx3210 postfix/smtp[11360]: Trusted TLS connection 
> established to smtphm.sympatico.ca[65.55.172.251]:25: TLSv1 with cipher 
> RC4-MD5 (128/128 bits)
> Apr 29 23:26:58 mx3210 postfix/smtp[11360]: 5B1EF5F806: 
> to=<dave.ang...@bell.net>, relay=smtphm.sympatico.ca[65.55.172.251]:25, 
> delay=623, delays=605/0.26/16/1.4, dsn=2.6.0, status=sent (250 2.6.0  
> <20130430031634.ga4...@mx3210.hia.nrc.ca> Queued mail for delivery)

It works for me.

Can you reproduce this with:
openssl s_client -starttls smtp -connect smtphm.sympatico.ca:25

I notice that it's running a rather old version of Exchange, and
I've seen various problems with old Microsoft products and
announcing that you support a newer version of the TLS protocol
than they support.

If that is the problem, the only way to work around this is to
force an older version of the TLS protocol.

Postfix seems to have this by default:
smtp_tls_protocols = !SSLv2

Try setting:
smtp_tls_protocols = TLS1

(The documentation isn't really clear on what the valid options
are.)


Kurt
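
Added example, not part of the original message: a Python correlator for the symptom reported above, where one postfix/smtp process logs an established TLS session, then a "TLS library problem" warning, then a deferred delivery to the same relay. The log lines are constructed (placeholder hosts, addresses and queue IDs), and the function and field names are illustrative.

```python
import re

# Constructed sample log, modelled on the report above; hosts, addresses and queue IDs are placeholders.
SAMPLE_LOG = """\
Apr 29 22:41:56 mx1 postfix/smtp[29733]: Trusted TLS connection established to relay.example.net[192.0.2.25]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Apr 29 22:41:56 mx1 postfix/smtp[29733]: warning: TLS library problem: 29733:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Apr 29 22:41:56 mx1 postfix/smtp[29733]: 0A1B2C3D4E: to=<user@example.net>, relay=relay.example.net[192.0.2.25]:25, delay=13914, delays=13898/0.38/15/0, dsn=4.4.2, status=deferred (lost connection with relay.example.net[192.0.2.25] while performing the EHLO handshake)
Apr 29 23:26:55 mx1 postfix/smtp[11360]: Trusted TLS connection established to ok.example.org[198.51.100.7]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 29 23:26:58 mx1 postfix/smtp[11360]: 5F6A7B8C9D: to=<user@example.org>, relay=ok.example.org[198.51.100.7]:25, delay=623, delays=605/0.26/16/1.4, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_UP = re.compile(r"TLS connection established to (?P<relay>\S+?):\d+: "
                    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
TLS_ERR = re.compile(r"TLS library problem: .*?:SSL routines:"
                     r"(?P<func>[^:]+):(?P<reason>[^:]+):")
DELIVERY = re.compile(r"^(?P<qid>[0-9A-F]+): .*relay=(?P<relay>[^,\s]+?):\d+, "
                      r".*status=(?P<status>\w+)")


def find_tls_deferrals(log_text):
    """Return deferred deliveries that follow a TLS library error in the same session."""
    sessions = {}  # smtp client PID -> state of its current TLS session
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (up := TLS_UP.search(msg)):
            # A new handshake replaces any stale state left by a reused PID.
            sessions[pid] = {"relay": up["relay"], "proto": up["proto"],
                             "cipher": up["cipher"], "errors": []}
        elif (err := TLS_ERR.search(msg)) and pid in sessions:
            sessions[pid]["errors"].append(err["reason"])
        elif (d := DELIVERY.match(msg)):
            s = sessions.pop(pid, None)
            if (s and s["errors"] and d["status"] == "deferred"
                    and d["relay"] == s["relay"]):
                findings.append({"qid": d["qid"], "relay": s["relay"],
                                 "proto": s["proto"], "cipher": s["cipher"],
                                 "reasons": s["errors"]})
    return findings


if __name__ == "__main__":
    for f in find_tls_deferrals(SAMPLE_LOG):
        print(f["relay"], f["proto"], f["cipher"], f["reasons"], f["qid"])
```

Relays that show up here with "wrong version number" are the ones worth testing by hand with the s_client command above before changing the protocol setting.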

