OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: TLS handshake error why ?

From: Victor Duchovni (Victor.Duchovnimorganstanley.com)
Date: Fri May 30 2008 - 08:33:12 CDT

On Fri, May 30, 2008 at 10:12:59AM +0200, Ethariel wrote:

> I've thougth about the discard_ehlo but it's for too many MTA. I really
> think I've got a misconfiguration, but can't figure which one :)

Your problem report is far too skimpy and anecdotal. You are not doing
the list a favour by sending only a brief summary of the problem.

Send one problem report that contains *detailed*, *unedited* information.

    - What version of OpenSSL are you using?
    - What version of Postfix?
    - Logs from a single problem session with "smtpd_tls_loglevel = 2"
    - URI for a binary session captured with "tcpdump -s 8192 -w /some/file",
      filtered to capture just the session of intereset with
      tcpdump -s 8192 -r /some/file -w /some/other/file ... filter ...
      where "filter" is a "tcpdump" expression that pulls out just one
      problem session.
    - Details of the server certificate from "openssl x509 -text" including
      the command used and its output.
    - Evidence that the cert and key match via output from below:

        $ openssl x509 -in "$cert" -x509toreq -signkey "$key" 2>/dev/null |
            openssl req -pubkey -noout 2>/dev/null |
            openssl dgst -sha1

        $ openssl rsa -in "$key" -pubout 2>/dev/null |
            openssl dgst -sha1

        (Replace "rsa" with "dsa" or "ec", in the for now very unlikely
         case that your key is not an RSA key, and having a non-RSA key/cert
         pair would likely explain your problem).
            
    - Full "postconf -n"

    - As much additional detail as may be relevant based on examining the
      requested evidence.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.