On 06/12/2013 02:35 PM, Kurt Roeckx wrote:
This starts a successful (TLSv1) connection for me:
openssl s_client -connect mail.megacontractinginc.com:25 -starttls smtp -crlf

But I can reproduce some weird behaviour with it that goes away
when I use -no_tls1_2.


Kurt

Found another example.
GnuTLS negotiates the same cipher as openssl would with only TLSv1 enabled.


$ swaks -f someth...@something.net -t dfgd...@example.com -s mail.acsgs.com -tls
=== Trying mail.acsgs.com:25...
=== Connected to mail.acsgs.com.
<- 220 acsgsemail1.acsgs.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Wed, 12 Jun 2013 15:18:43 -0600
 -> EHLO nws.gedalya.net
<-  250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
<-  250-TURN
<-  250-SIZE
<-  250-ETRN
<-  250-PIPELINING
<-  250-DSN
<-  250-ENHANCEDSTATUSCODES
<-  250-8bitmime
<-  250-BINARYMIME
<-  250-CHUNKING
<-  250-VRFY
<-  250-TLS
<-  250-STARTTLS
<-  250-X-EXPS GSSAPI NTLM
<-  250-AUTH GSSAPI NTLM
<-  250-X-LINK2STATE
<-  250-XEXCH50
<-  250 OK
 -> STARTTLS
<-  220 2.0.0 SMTP server ready
=== TLS started w/ cipher DES-CBC3-SHA
=== TLS peer subject DN="/C=US/ST=Utah/L=Sandy/O=Affiliated Computer Services/OU=Global Services/CN=mail.acsgs.com"
 ~> EHLO nws.gedalya.net
<~  250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
<~  250-TURN
<~  250-SIZE
<~  250-ETRN
<~  250-PIPELINING
<~  250-DSN
<~  250-ENHANCEDSTATUSCODES
<~  250-8bitmime
<~  250-BINARYMIME
<~  250-CHUNKING
<~  250-VRFY
<~  250-X-EXPS GSSAPI NTLM LOGIN
<~  250-X-EXPS=LOGIN
<~  250-AUTH GSSAPI NTLM LOGIN
<~  250-AUTH=LOGIN
<~  250-X-LINK2STATE
<~  250-XEXCH50
<~  250 OK
 ~> MAIL FROM:<someth...@something.net>
*** Remote host closed connection unexpectedly.


$ openssl s_client -connect mail.acsgs.com:25 -starttls smtp -crlf
CONNECTED(00000003)
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)05, CN = VeriSign Class 3 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Utah/L=Sandy/O=Affiliated Computer Services/OU=Global Services/CN=mail.acsgs.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIQc/v1FFQpqdbVOIy00Zd9vDANBgkqhkiG9w0BAQUFADCB
......
EXVDfqHCvw==
-----END CERTIFICATE-----
subject=/C=US/ST=Utah/L=Sandy/O=Affiliated Computer Services/OU=Global Services/CN=mail.acsgs.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3076 bytes and written 545 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 7505000001B9853811768E688C104416E731661E9846180362564B8460685E82
    Session-ID-ctx:
    Master-Key: DA18807E33A53A66DB57339E5D68F1F0FAB1675980AEC6ADF4472D4DB987D993ED18EF1BDF39B0369F2535E2D691B492
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1371072152
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
EHLO nws.gedalya.net
250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
139789032576680:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:


$ gnutls-cli --crlf -s -p 25 mail.acsgs.com
WARNING: gnome-keyring:: couldn't connect to: /home/jedi/.cache/keyring-V3kT53/pkcs11: No such file or directory
Resolving 'mail.acsgs.com'...
Connecting to '216.115.162.156:25'...

- Simple Client Mode:

220 acsgsemail1.acsgs.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Wed, 12 Jun 2013 15:23:10 -0600
EHLO nws.gedalya.net
250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
STARTTLS
220 2.0.0 SMTP server ready
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
- subject `C=US,ST=Utah,L=Sandy,O=Affiliated Computer Services,OU=Global Services,CN=mail.acsgs.com', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2008-07-30 00:00:00 UTC', expires `2010-07-30 23:59:59 UTC', SHA-1 fingerprint `766cb36ca76254171dab4ff747b413f974b8d2c6'
 - Certificate[1] info:
- subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2005-01-19 00:00:00 UTC', expires `2015-01-18 23:59:59 UTC', SHA-1 fingerprint `188590e94878478e33b6194e59fbbb28ff0888d5'
- The hostname in the certificate matches 'mail.acsgs.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5
- Compression: NULL
EHLO nws.gedalya.net
250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
MAIL FROM:<someth...@something.net>
250 2.1.0 someth...@something.net....Sender OK
RCPT TO:<sggsdf...@example.com>
550 5.7.1 Unable to relay for sggsdf...@example.com
QUIT
221 2.0.0 acsgsemail1.acsgs.com Service closing transmission channel
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.

