Date: 22 Nov 2007 03:39:01 -0000
From: Andrew Reilly <areilly@bigpond.net.au>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/118198: qmail-tls port missing openssl cipher list installation
Message-ID: <20071122033901.17412.qmail@areilly.bpa.nu>
Resent-Message-ID: <200711221450.lAMEo2TK066174@freefall.freebsd.org>
>Number:         118198
>Category:       ports
>Synopsis:       qmail-tls port missing openssl cipher list installation
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 22 14:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Reilly
>Release:        FreeBSD 7.0-BETA3 amd64
>Organization:
>Environment:
System: FreeBSD duncan.reilly.home 7.0-BETA3 FreeBSD 7.0-BETA3 #1: Sun Nov 18 04:20:31 EST 2007 root@duncan:/usr/obj/usr/src/sys/DUNCAN amd64

Machine is a 1GB Athlon64-X2 running SMP, but I don't think that matters here.

Port version is: qmail-tls-1.03.20021228_1, installed November 19, based on the then-current ports tree.
>Description:
Installed /usr/ports/mail/qmail-tls (fixed as per ports/118117) and thought that all was fine, but a bunch of missing mail prompted me to point first tcpdump and then openssl s_client at the new server, whereupon it became obvious that actual attempts to *use* the STARTTLS facility resulted in the ssl session dying with a message like:

2472:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:

Investigation with google found this pertinent web page:

http://www.shupp.org/toaster/?page=test

which contained a description of the problem (which apparently happened on Debian Linux too) and the following fix, which works for me.
>How-To-Repeat:
cd /usr/ports/mail/qmail-tls
make install
# edit /usr/local/openssl/openssl.cnf to suit
make certificate
openssl s_client -debug -crlf -starttls smtp -connect localhost:25
# notice that the connection terminates immediately and the
# error message noted above is the last thing displayed.
>Fix:
Per the toaster page:

openssl ciphers > /var/qmail/control/tlsclientciphers
openssl ciphers > /var/qmail/control/tlsserverciphers

The s_client session described above now leaves you talking SMTP over the SSL link.
>Release-Note:
>Audit-Trail:
>Unformatted:
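A check for the two control files the fix above writes, added here as an example that is not part of the PR or of the qmail-tls port. It assumes the control files sit at the paths the PR names, that each holds a single OpenSSL cipher string, and that 128 bits is the threshold below which a cipher should be flagged.

```python
"""Check qmail-tls cipher control files before relying on STARTTLS.

Added example, not code from the PR or the qmail-tls port. It assumes the
control files live at the paths the PR names and that each holds one
OpenSSL cipher string. A missing or empty file leaves the server with no
cipher to offer, which produces the handshake failure the PR describes.
"""
import os
import ssl
import sys

# Paths from the PR; pass other paths on the command line to override.
CONTROL_FILES = (
    "/var/qmail/control/tlsserverciphers",
    "/var/qmail/control/tlsclientciphers",
)

def validate_cipher_string(cipher_string):
    """Return (ok, cipher_names, weak_names) for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # OpenSSL could not select a single cipher
        return False, [], []
    ciphers = ctx.get_ciphers()  # one dict per enabled cipher suite
    names = [c["name"] for c in ciphers]
    weak = [c["name"] for c in ciphers if c["strength_bits"] < 128]
    return True, names, weak

def classify_cipher_text(text):
    """Map file contents to ('empty'|'invalid'|'ok', weak_cipher_names)."""
    text = text.strip()
    if not text:
        return "empty", []
    ok, _names, weak = validate_cipher_string(text)
    return ("ok" if ok else "invalid"), weak

def check_control_file(path):
    """Classify a control file; 'missing' is the state the PR reports."""
    if not os.path.exists(path):
        return "missing", []
    with open(path) as fh:
        return classify_cipher_text(fh.read())

if __name__ == "__main__":
    for path in sys.argv[1:] or CONTROL_FILES:
        status, weak = check_control_file(path)
        print("%s: %s" % (path, status))
        if weak:  # the plain `openssl ciphers` output may include these
            print("  weak (<128 bit): %s" % ", ".join(weak))
```

Anything other than "ok" for either file means the STARTTLS handshake will fail the way the PR describes, and the weak list shows what an unfiltered `openssl ciphers` dump has enabled.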