[Bug 875639] New: OpenSSL 1.0.1g TLSEXT_TYPE_padding causes Ironport SMTP appliances interop issue
https://bugzilla.novell.com/show_bug.cgi?id=875639
https://bugzilla.novell.com/show_bug.cgi?id=875639#c0

Summary: OpenSSL 1.0.1g TLSEXT_TYPE_padding causes Ironport SMTP appliances interop issue
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: walter.haidinger@gmx.at
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0

Last upgrade to openssl-1.0.1g-11.36.1.x86_64 broke SSL connections to some services, e.g. Cisco Ironport SMTP appliances.

1.0.1g not only fixes the Heartbleed bug but also adds another change by adding:

#define TLSEXT_TYPE_padding 21

This in turn breaks SSL connections to e.g. Ironports, probably others:

SSL23_GET_SERVER_HELLO:tlsv1 alert decode error

Workaround: Force protocol to SSLv3 or recompile without the define above.

For details, please refer to:
postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html

Reproducible: Always

Steps to Reproduce:
1. openssl s_client -connect some.ironport.com:25 -starttls smtp

Note: Send me an email for a hostname of an Ironport SMTP appliance to test with. I don't want to disclose it here.

Actual Results:
CONNECTED(00000003)
139718758192784:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 129 bytes and written 552 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Expected Results:
CONNECTED(00000003)
---
Certificate chain
[...cut...]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
[...cut...]
250 STARTTLS

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
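Added here as an illustration, not part of the bug report above and not OpenSSL or Cisco code: a small Python probe that builds a TLS 1.0 ClientHello with and without the TLSEXT_TYPE_padding (type 21) extension, following the rule OpenSSL 1.0.1g applies (the extension is only emitted when the ClientHello handshake message is 256 to 511 bytes long, and it pads the message out to 512 bytes, which is why short hellos and the SSLv3-only workaround are unaffected). It also decodes the server's first reply so that a fatal "decode error" alert (alert description 50, the error s_client prints above) can be told apart from a normal ServerHello. The cipher-suite list, client random, EHLO name and the smtp_starttls_probe() helper are constructed assumptions for this example; the SMTP STARTTLS dialogue mirrors what `openssl s_client -starttls smtp` does before the handshake.

```python
"""Interop probe: does a mail gateway accept a ClientHello that carries the
TLS padding extension (type 21) the way OpenSSL 1.0.1g sends it?"""
import socket
import struct

TLS_RECORD_HANDSHAKE = 0x16
TLS_RECORD_ALERT = 0x15
TLSEXT_TYPE_padding = 21        # extension type named in the bug report
TLSEXT_TYPE_server_name = 0
ALERT_NAMES = {40: "handshake_failure", 50: "decode_error", 70: "protocol_version"}

# Constructed, fixed client random: acceptable for a diagnostic probe only.
CONSTRUCTED_RANDOM = bytes(range(32))


def build_client_hello(cipher_suites, with_padding=True, sni=None):
    """Return one TLS record carrying a TLS 1.0 ClientHello (RFC 2246 layout)."""
    hello = b"\x03\x01" + CONSTRUCTED_RANDOM + b"\x00"           # version, random, empty session id
    hello += struct.pack("!H", 2 * len(cipher_suites))
    hello += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    hello += b"\x01\x00"                                         # compression methods: null only
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # one host_name entry
        data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", TLSEXT_TYPE_server_name, len(data)) + data
    if with_padding:
        # OpenSSL 1.0.1g rule: if the handshake message (4-byte header + body +
        # 2-byte extensions length + extensions) is 256..511 bytes, pad to 512.
        hlen = 4 + len(hello) + 2 + len(exts)
        if 0xFF < hlen < 0x200:
            pad = 0x200 - hlen
            pad = pad - 4 if pad >= 4 else 0                     # leave room for the ext header
            exts += struct.pack("!HH", TLSEXT_TYPE_padding, pad) + b"\x00" * pad
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello(1)
    return struct.pack("!BHH", TLS_RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def list_extensions(record):
    """Parse a ClientHello record produced above into {extension_type: data_length}."""
    body = record[5 + 4:]                                        # skip record and handshake headers
    pos = 2 + 32                                                 # version + random
    pos += 1 + body[pos]                                         # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher suites
    pos += 1 + body[pos]                                         # compression methods
    found = {}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            found[etype] = elen
            pos += 4 + elen
    return found


def classify_reply(data):
    """Describe the first TLS record a server sends back after our ClientHello."""
    if len(data) < 5:
        return "no TLS record (connection closed or non-TLS reply)"
    ctype = data[0]
    if ctype == TLS_RECORD_ALERT and len(data) >= 7:
        level, desc = data[5], data[6]
        severity = "fatal" if level == 2 else "warning"
        return "alert %s %s (%d)" % (severity, ALERT_NAMES.get(desc, "unknown"), desc)
    if ctype == TLS_RECORD_HANDSHAKE and len(data) >= 6 and data[5] == 2:
        return "server_hello"
    return "unexpected record type 0x%02x" % ctype


def _read_smtp_reply(sock):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP peer closed the connection")
        buf += chunk
        for line in buf.split(b"\r\n")[:-1]:                     # only complete lines
            if len(line) >= 4 and line[3:4] == b" ":             # "NNN " ends the reply
                return line[:3].decode()


def smtp_starttls_probe(host, port=25, with_padding=True, timeout=10):
    """Assumed helper: run the STARTTLS dialogue, send our ClientHello, classify the answer.
    The long cipher list is chosen so the hello lands in the 256..511 byte window."""
    suites = list(range(0x0001, 0x0001 + 110))                   # includes DHE-RSA-AES256-SHA (0x0039)
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_smtp_reply(s)                                      # greeting
        s.sendall(b"EHLO probe.example\r\n")
        _read_smtp_reply(s)
        s.sendall(b"STARTTLS\r\n")
        if _read_smtp_reply(s) != "220":
            return "server refused STARTTLS"
        s.sendall(build_client_hello(suites, with_padding=with_padding, sni=host))
        return classify_reply(s.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail-gateway.example.invalid"  # placeholder host
    for padded in (False, True):
        print("padding ext %s: %s" % ("on " if padded else "off", smtp_starttls_probe(target, with_padding=padded)))
```

Run it against your own gateway with the hostname as the first argument; a server that answers the padded hello with "alert fatal decode_error (50)" but the unpadded one with "server_hello" has the interop defect described in this bug, independent of which OpenSSL build the mail client uses.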
https://bugzilla.novell.com/show_bug.cgi?id=875639#c1
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=875639#c2
--- Comment #2 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=875639#c3
--- Comment #3 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=875639#c4
--- Comment #4 from Marcus Meissner
I'm trying to get that information from the IronPort team. In the meantime, this bug report appears to have some details:

Sadly, this requires a login. The bug is however referenced in a non-paywalled document:
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/release_notes/E...

Table 1 Resolved Issues in This Release
------------------------------------------
Defect ID    Description
------------------------------------------
...
------------------------------------------
CSCuo25329   Machines installed with OpenSSL 1.0.1g patch fail to connect with Cisco Email Security Appliance.
------------------------------------------

The PDF contains a link to:
http://www.cisco.com/c/en/us/support/security/email-security-appliance/produ...
which seems like the right place to start looking for fixes. So far it seems that 8.0 is the only release with a fix; not clear whether any others need it.
https://bugzilla.novell.com/show_bug.cgi?id=875639#c5
--- Comment #5 from Walter Haidinger
https://bugzilla.novell.com/show_bug.cgi?id=875639#c6
Marcus Meissner