ports/118198: qmail-tls port missing openssl cipher list installation
Andrew Reilly
areilly at bigpond.net.au
Thu Nov 22 14:50:02 UTC 2007
>Number: 118198
>Category: ports
>Synopsis: qmail-tls port missing openssl cipher list installation
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 22 14:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Andrew Reilly
>Release: FreeBSD 7.0-BETA3 amd64
>Organization:
>Environment:
System: FreeBSD duncan.reilly.home 7.0-BETA3 FreeBSD 7.0-BETA3 #1: Sun Nov 18 04:20:31 EST 2007 root at duncan:/usr/obj/usr/src/sys/DUNCAN amd64
Machine is a 1GB Athlon64-X2 running SMP, but I don't think that matters here. Port version is: qmail-tls-1.03.20021228_1 installed November 19, based on then-current ports tree.
>Description:
Installed /usr/ports/mail/qmail-tls (fixed as per ports/118117) and thought that all was fine, but a bunch of missing mail prompted me to point first tcpdump and then openssl s_client at the new server, whereupon it became obvious that actual attempts to *use* the STARTTLS facility resulted in the ssl session dying with a message like:
2472:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:
Investigation with google found this pertinent web page:
http://www.shupp.org/toaster/?page=test
which contained a description of the problem (which apparently happened on Debian Linux too) and the following fix, which works for me.
>How-To-Repeat:
cd /usr/ports/mail/qmail-tls
make install
# edit /usr/local/openssl/openssl.cnf to suit
make certificate
openssl s_client -debug -crlf -starttls smtp -connect localhost:25
# notice that the connection terminates immediately and the
# error message noted above is the last thing displayed.
>Fix:
Per the toaster page:
openssl ciphers > /var/qmail/control/tlsclientciphers
openssl ciphers > /var/qmail/control/tlsserverciphers
the s_client session described above now leaves you talking SMTP over the SSL link.
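The following script is an added example for this report; it is not part of the PR, the qmail-tls port, or the toaster page. It checks whether the two cipher list files the fix creates are present and non-empty under the control directory (assumed to be /var/qmail/control, as in the fix above, but any directory can be passed in), writes them only when they are missing or empty (defaulting to the same "openssl ciphers" output the fix uses), and scans a saved "openssl s_client -starttls smtp" transcript for the handshake failure alert quoted in the description. The function names (cipher_file_status, install_cipher_lists, starttls_handshake_failed) and the sample cipher list in the demonstration are made up for this example.

```shell
#!/bin/sh
# Added example (not part of the PR or the qmail-tls port): check and repair the
# qmail TLS cipher list files, and spot the s_client failure the report describes.
# Assumed default: the control directory /var/qmail/control named in the PR;
# pass another directory as $1 when exercising this against a scratch location.

# Print the state of one cipher list file: "missing", "empty", or "ok".
cipher_file_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty
    else
        echo ok
    fi
}

# Make sure tlsclientciphers and tlsserverciphers both exist and are non-empty.
#   $1  control directory
#   $2  cipher list to write; when omitted, the output of "openssl ciphers",
#       which is exactly what the PR's fix installs
# A file that already holds a list is left alone so a tuned list survives.
install_cipher_lists() {
    dir="$1"
    list="$2"
    if [ -z "$list" ]; then
        list=$(openssl ciphers 2>/dev/null) || list=""
    fi
    if [ -z "$list" ]; then
        echo "install_cipher_lists: no cipher list available" >&2
        return 1
    fi
    for name in tlsclientciphers tlsserverciphers; do
        f="$dir/$name"
        case $(cipher_file_status "$f") in
            ok) ;;
            *) printf '%s\n' "$list" > "$f" || return 1 ;;
        esac
    done
    return 0
}

# Exit 0 when an "openssl s_client -starttls smtp" transcript (file in $1)
# contains the alert the PR reports, i.e. the server rejected the handshake.
starttls_handshake_failed() {
    grep -q 'alert handshake failure' "$1"
}

# Stand-alone demonstration against a scratch directory with a constructed
# cipher list, so nothing under /var/qmail is touched.
demo_dir=$(mktemp -d) || exit 1
for name in tlsclientciphers tlsserverciphers; do
    echo "$name before: $(cipher_file_status "$demo_dir/$name")"
done
install_cipher_lists "$demo_dir" 'AES256-SHA:AES128-SHA'
for name in tlsclientciphers tlsserverciphers; do
    echo "$name after:  $(cipher_file_status "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

On a real server run install_cipher_lists with the control directory and no second argument, then repeat the s_client command from How-To-Repeat with its output saved to a file and feed that file to starttls_handshake_failed; a non-zero exit means the alert is gone and the STARTTLS negotiation got past the server hello.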
>Release-Note:
>Audit-Trail:
>Unformatted: