tech-userlevel archive


sendmail: tlsv1 alert decode error



Hi

After upgrading OpenSSL to 1.0.1g and 1.0.1h, sendmail started
producing this error when sending messages to some sites:

Jun 17 05:47:47 merteuil sendmail[14089]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1

After some investigation, it seems that the TLS padding extension, which 
was introduced in OpenSSL 1.0.1g, is the culprit. There are a few workarounds:

(1) Force SSLv3, which cannot use the option. This does not require any
code change but is not very appealing.

(2) Disable the TLS padding extension in libssl, which is done by this patch:
https://ftp.espci.fr/shadow/manu/libssl-padding.patch
I tested that it builds, but not that it works.

(3) Let the client disable it. In Sendmail's case, this requires a patch:
https://ftp.espci.fr/shadow/manu/patch-sendmail_readcf.c
Then (provided it was built with _FFR_TLS_1, which is pkgsrc option 
sendmail-ffr-tls), this can be used in sendmail.cf: 
O ClientSSLOptions=-SSL_OP_TLSEXT_PADDING

I tested this latest workaround and it fixes the problem. I submitted
the change to Sendmail maintainers. 

What workaround should we use in NetBSD? (1) is not reasonable. (3)
is sendmail specific, which means other MTAs will not benefit from it,
and we need (2). IMO we should check in both.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost
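A small detection aid for the failure mode described in this thread, written here as an added example rather than anything from the post or from sendmail itself: it parses sendmail's `STARTTLS=` log lines (the format of the line quoted above) into key/value records and counts handshake failures by role and reason, so that a sudden jump in "tlsv1 alert decode error" after an OpenSSL upgrade stands out. The log lines embedded below are constructed samples, and the hostname `mx.example.test` is a placeholder.

```python
import re
from collections import Counter

# Constructed sample log lines in the format sendmail uses (not real traffic).
SAMPLE_LOG = """\
Jun 17 05:47:47 merteuil sendmail[14089]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1
Jun 17 05:48:02 merteuil sendmail[14090]: STARTTLS=client, relay=mx.example.test, version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Jun 17 05:49:10 merteuil sendmail[14091]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1
Jun 17 05:50:33 merteuil sendmail[14092]: STARTTLS=server, error: accept failed=-1, reason=unexpected eof, SSL_error=5, errno=0, retry=-1
"""

# syslog timestamp, host, sendmail[pid], then the STARTTLS role and the rest of the fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"STARTTLS=(?P<role>client|server), (?P<rest>.*)$"
)


def parse_starttls_line(line):
    """Return a dict of fields for a STARTTLS log line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # Failure lines carry an "error: " prefix before the key=value fields.
    if rest.startswith("error: "):
        rec["status"] = "error"
        rest = rest[len("error: "):]
    else:
        rec["status"] = "ok"
    # Remaining fields are comma separated key=value pairs (values may contain spaces).
    for field in rest.split(", "):
        key, sep, val = field.partition("=")
        if sep:
            rec[key.strip()] = val.strip()
    return rec


def parse_log(log_text):
    """Parse every STARTTLS line in the text; non-matching lines are skipped."""
    records = []
    for line in log_text.splitlines():
        rec = parse_starttls_line(line)
        if rec is not None:
            records.append(rec)
    return records


def find_handshake_failures(log_text, reason_substring="decode error"):
    """Return the failure records whose reason contains the given substring."""
    return [
        r for r in parse_log(log_text)
        if r["status"] == "error" and reason_substring in r.get("reason", "")
    ]


def summarize_failures(log_text):
    """Count failures by (role, reason) so a new failure mode is easy to spot."""
    return Counter(
        (r["role"], r.get("reason", ""))
        for r in parse_log(log_text)
        if r["status"] == "error"
    )


if __name__ == "__main__":
    for (role, reason), n in summarize_failures(SAMPLE_LOG).most_common():
        print(f"{n:4d}  STARTTLS={role}  reason={reason}")
```

Pointing `parse_log` at the real maillog (for example the output of `grep STARTTLS /var/log/maillog`) gives the same per-reason counts; comparing the counts from before and after the libssl upgrade shows whether the decode-error alerts are new and which peers are affected, without any change to the MTA configuration.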

