Mailinglist Archive: opensuse-bugs (2150 mails)

< Previous Next >
[Bug 875639] New: OpenSSL 1.0.1g TLSEXT_TYPE_padding causes Ironport SMTP appliances interop issue
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 29 Apr 2014 11:44:13 +0000
  • Message-id: <bug-875639-21960@http.bugzilla.novell.com/>

https://bugzilla.novell.com/show_bug.cgi?id=875639

https://bugzilla.novell.com/show_bug.cgi?id=875639#c0


Summary: OpenSSL 1.0.1g TLSEXT_TYPE_padding causes Ironport
SMTP appliances interop issue
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: walter.haidinger@xxxxxx
QAContact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101
Firefox/29.0

Last upgrade to openssl-1.0.1g-11.36.1.x86_64 broke SSL connections to some
services, e.g. Cisco Ironport SMTP appliances.

1.0.1g not only fixes the Heartbleed bug but also adds another change by
adding:
#define TLSEXT_TYPE_padding 21

This in turn breaks SSL connections to e.g. Ironports, probably others:
SSL23_GET_SERVER_HELLO:tlsv1 alert decode error

Workaround: Force protocol to SSLv3 or recompile without the define above.

For details, please refer to:
postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html


Reproducible: Always

Steps to Reproduce:
1. openssl s_client -connect some.ironport.com:25 -starttls smtp

Note: Send me an email for a hostname of an Ironport SMTP appliance to test
with. I don't want to disclose it here.
Actual Results:
CONNECTED(00000003)
139718758192784:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
decode error:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 129 bytes and written 552 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


Expected Results:
CONNECTED(00000003)
---
Certificate chain
[...cut...]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
[...cut..-]
250 STARTTLS

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >