[Pkg-openssl-devel] Bug#706423: Bug#706423: openssl: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Kurt Roeckx kurt at roeckx.be
Fri May 3 17:27:59 UTC 2013


On Mon, Apr 29, 2013 at 11:38:31PM -0400, Dave Anglin wrote:
> Package: openssl
> Version: 1.0.1e-2
> Severity: normal
> 
> With version 1.0.e-2, EHLO handshake fails and connections are deferred:
> 
> Apr 29 22:41:56 mx3210 postfix/smtp[29733]: Trusted TLS connection established to smtphm.sympatico.ca[65.55.172.251]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> Apr 29 22:41:56 mx3210 postfix/smtp[29733]: warning: TLS library problem: 29733:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> Apr 29 22:41:56 mx3210 postfix/smtp[29733]: 0003A5F7F6: to=<dave.anglin at bell.net>, orig_to=<root>, relay=smtphm.sympatico.ca[65.55.172.251]:25, delay=13914, delays=13898/0.38/15/0, dsn=4.4.2, status=deferred (lost connection with smtphm.sympatico.ca[65.55.172.251] while performing the EHLO handshake)
> 
> Version 1.0.0g-1 works:
> Apr 29 23:26:55 mx3210 postfix/smtp[11360]: Trusted TLS connection established to smtphm.sympatico.ca[65.55.172.251]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
> Apr 29 23:26:58 mx3210 postfix/smtp[11360]: 5B1EF5F806: to=<dave.anglin at bell.net>, relay=smtphm.sympatico.ca[65.55.172.251]:25, delay=623, delays=605/0.26/16/1.4, dsn=2.6.0, status=sent (250 2.6.0  <20130430031634.GA4582 at mx3210.hia.nrc.ca> Queued mail for delivery)

It works for me.

Can you reproduce this with:
openssl s_client -starttls smtp -connect smtphm.sympatico.ca:25

I notice that it's running a rather old version of Exchange, and
I've seen various problems with old Microsoft products and
announcing that you support a newer version of the TLS protocol
than they support.

If that is the problem, the only way to work around this is to
force an older version of the TLS protocol.

postfix seems to have this by default:
smtp_tls_protocols = !SSLv2

Try setting:
smtp_tls_protocols = TLS1

(The documentation isn't really clear on what the valid options
are.)


Kurt
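
The log pattern in the report (a TLS connection established, then a TLS library error, then a deferral in the same smtp process) can be correlated automatically to see which relays are affected. This is an added example, not part of the original message; the sample log lines, host names and the function name `tls_failures` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the Postfix log excerpts in the report.
SAMPLE_LOG = """\
Apr 29 22:41:56 mx1 postfix/smtp[29733]: Trusted TLS connection established to old.example.net[192.0.2.25]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Apr 29 22:41:56 mx1 postfix/smtp[29733]: warning: TLS library problem: 29733:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Apr 29 22:41:56 mx1 postfix/smtp[29733]: 0003A5F7F6: to=<user@example.net>, relay=old.example.net[192.0.2.25]:25, delay=13914, dsn=4.4.2, status=deferred (lost connection with old.example.net[192.0.2.25] while performing the EHLO handshake)
Apr 29 23:26:55 mx1 postfix/smtp[11360]: Trusted TLS connection established to ok.example.org[198.51.100.7]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 29 23:26:58 mx1 postfix/smtp[11360]: 5B1EF5F806: to=<user@example.org>, relay=ok.example.org[198.51.100.7]:25, delay=623, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

PID = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
TLS_UP = re.compile(r"TLS connection established to (\S+?)\[[^\]]+\]:\d+: (\S+) with cipher (\S+)")
# OpenSSL error string layout: error:<code>:<library>:<function>:<reason>:<file>:<line>:
TLS_ERR = re.compile(r"TLS library problem: .*?error:([0-9A-F]+):[^:]*:([^:]*):([^:]*):")
DELIVERY = re.compile(r"relay=(\S+?)\[[^\]]+\]:\d+,.*status=(\w+)")

def tls_failures(log_text):
    """Return one record per deferred delivery that followed a TLS library
    error on the same relay within the same postfix/smtp process."""
    state = defaultdict(dict)  # pid -> last handshake and last TLS error seen
    findings = []
    for line in log_text.splitlines():
        m = PID.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = state[pid]
        if (t := TLS_UP.search(msg)):
            s.update(relay=t[1], protocol=t[2], cipher=t[3])
            s.pop("error", None)  # a new handshake resets any earlier error
        elif (e := TLS_ERR.search(msg)):
            s["error"] = (e[1], e[3])  # (error code, reason text)
        elif (d := DELIVERY.search(msg)):
            if d[2] == "deferred" and "error" in s and s.get("relay") == d[1]:
                findings.append({"relay": d[1], "protocol": s["protocol"],
                                 "cipher": s["cipher"], "code": s["error"][0],
                                 "reason": s["error"][1]})
            s.clear()  # delivery attempt finished; start fresh for this pid
    return findings

if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f)
```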


