sendmail: tlsv1 alert decode error

To: tech-userlevel%netbsd.org@localhost
Subject: sendmail: tlsv1 alert decode error
From: manu%netbsd.org@localhost (Emmanuel Dreyfus)
Date: Tue, 17 Jun 2014 13:40:21 +0200

Hi

After upgrading OpenSSL to 1.0.1g and 1.0.1h, sendmail started
producing this error when sending messages to some sites:

Jun 17 05:47:47 merteuil sendmail[14089]: STARTTLS=client, error: connect 
failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1

After some investigation, it seems that the TLS padding extension, which 
was introduced in OpenSSL 1.0.1g, is the culprit. There are a few workarounds:

(1) Force SSLv3, which cannot use the option. This does not require any
code change but is not very appealing.

(2) Disable the TLS padding extension in libssl, which is done by this patch:
https://ftp.espci.fr/shadow/manu/libssl-padding.patch
I tested that it builds, but not that it works

(3) Let the client disable it. In Sendmail case, this requires a patch:
https://ftp.espci.fr/shadow/manu/patch-sendmail_readcf.c
Then (provided it was built with _FFR_TLS_1, which is pkgsrc option 
sendmail-ffr-tls), this can be used in sendmail.cf: 
O ClientSSLOptions=-SSL_OP_TLSEXT_PADDING

I tested this latest workaround and it fixes the problem. I submitted
the change to Sendmail maintainers. 

What workaround should we us in NetBSD? (1) is not reasonable. (3)
is sendmail specific, which means others MTA will not benefit it, 
and we need (2). IMO we should check in both.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost

Follow-Ups:
- Re: sendmail: tlsv1 alert decode error
  - From: John Nemeth

Prev by Date: Re: sed -u option
Next by Date: Re: sed -u option
Previous by Thread: Odd pigz behavior on build cluster - libpthread bug?
Next by Thread: Re: sendmail: tlsv1 alert decode error
Indexes:

Home | Main Index | Thread Index | Old Index