[Pkg-openssl-devel] Bug#838765: openssl: Last upgrade broke TLS for Outlook under XP

DaB. debian at daniel.baur4.info
Fri Sep 23 12:57:13 UTC 2016 

Package: openssl
Version: 1.0.1t-1+deb8u4
Severity: normal

Dear Maintainer,

tonights update of OpenSSL (1.0.1t-1+deb8u3, 1.0.1t-1+deb8u4) broke the
connection between an Outlook 2007 (12.0.6744.500) under Windows XP and 
a postfix under Debian.

See the following log of a connection-try:

-- beginn ---

Sep 23 11:26:42 hermes postfix/smtpd[30240]: setting up TLS connection from
X.Y.Z.invalid[10.X.Y.Z]
Sep 23 11:26:42 hermes postfix/smtpd[30240]:
X.Y.Z.invalid[10.X.Y.Z]: TLS cipher list
"aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:before/accept
initialization
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL3 alert
write:fatal:handshake failure
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:error in error
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept:error in error
Sep 23 11:26:42 hermes postfix/smtpd[30240]: SSL_accept error from
X.Y.Z.invalid[10.X.Y.Z]: -1
Sep 23 11:26:42 hermes postfix/smtpd[30240]: warning: TLS library problem:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1440:
Sep 23 11:26:42 hermes postfix/smtpd[30240]: lost connection after STARTTLS
from X.Y.Z.invalid[10.X.Y.Z]

-- end ---

The connection worked fine yesterday and no change was done at Outlook or
Postfix.

The TSL-config in postfix is the following (shortened):

-- beginn ---

smtpd_use_tls=yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3

tls_preempt_cipherlist      = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers           = medium

smtp_tls_mandatory_ciphers  = $smtpd_tls_mandatory_ciphers
smtp_tls_ciphers            = $smtpd_tls_ciphers

smtpd_tls_eecdh_grade = strong

-- end ---


Of course I’m willing to submit further information if needed.

Sincererly,
DaB.

-- System Information:
Debian Release: 8.4
  APT prefers oldstable
  APT policy: (900, 'oldstable'), (400, 'stable'), (301, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages openssl depends on:
ii  libc6        2.19-18+deb8u4
ii  libssl1.0.0  1.0.1t-1+deb8u4

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119+deb7u1

-- no debconf information

More information about the Pkg-openssl-devel mailing list