tech-userlevel archive


Re: sendmail: tlsv1 alert decode error



On Jun 17,  1:40pm, Emmanuel Dreyfus wrote:
} 
} After upgrading OpenSSL to 1.0.1g and 1.0.1h, sendmail started
} producing this error when sending messages to some sites:
} 
} Jun 17 05:47:47 merteuil sendmail[14089]: STARTTLS=client, error: connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1
} 
} After some investigation, it seems that the TLS padding extension, which 
} was introduced in OpenSSL 1.0.1g, is the culprit. There are a few workarounds:
} 
} (1) Force SSLv3, which cannot use the option. This does not require any
} code change but is not very appealing.
} 
} (2) Disable the TLS padding extension in libssl, which is done by this patch:
} https://ftp.espci.fr/shadow/manu/libssl-padding.patch
} I tested that it builds, but not that it works.
} 
} (3) Let the client disable it. In Sendmail case, this requires a patch:
} https://ftp.espci.fr/shadow/manu/patch-sendmail_readcf.c
} Then (provided it was built with _FFR_TLS_1, which is pkgsrc option 
} sendmail-ffr-tls), this can be used in sendmail.cf: 
} O ClientSSLOptions=-SSL_OP_TLSEXT_PADDING

     Although not a sendmail issue per se, it is an interoperability
issue, so it will be in the next sendmail package update.

}-- End of excerpt from Emmanuel Dreyfus
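Two checks a mail administrator would want around this thread, as an added example that is not part of the original messages or of sendmail: a tally of STARTTLS client failures by `reason` over sendmail syslog lines (to see whether "tlsv1 alert decode error" is what is actually failing, and how often), and a parser for the `O ClientSSLOptions=` value in sendmail.cf that confirms `SSL_OP_TLSEXT_PADDING` is being cleared. The log lines other than the one quoted above and the sendmail.cf excerpt are constructed. The `+`/`-` prefix handling follows the convention sendmail documents for its SSLOptions settings, with an unprefixed name assumed to mean "set". Note that this only inspects the configuration text; it cannot tell whether the sendmail binary was built with `_FFR_TLS_1`, which the workaround requires.

```python
import re
from collections import Counter

# Shape of the syslog line sendmail emits when STARTTLS fails on the client
# side: "<ts> <host> sendmail[<pid>]: STARTTLS=client, error: <k=v, k=v, ...>".
STARTTLS_ERR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>client|server), "
    r"error: (?P<detail>.*)$"
)


def parse_starttls_failure(line):
    """Return a dict of fields for a STARTTLS error line, or None for any other line."""
    m = STARTTLS_ERR_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "role": m["role"]}
    # detail is "connect failed=-1, reason=tlsv1 alert decode error, SSL_error=1, ..."
    for item in m["detail"].split(", "):
        key, sep, val = item.partition("=")
        if sep:
            rec[key.strip()] = val.strip()
    return rec


def count_failure_reasons(lines):
    """Tally STARTTLS client-side failures by their 'reason' field."""
    reasons = Counter()
    for line in lines:
        rec = parse_starttls_failure(line)
        if rec and rec["role"] == "client":
            reasons[rec.get("reason", "unknown")] += 1
    return reasons


def parse_ssl_options(value):
    """Split a ClientSSLOptions/ServerSSLOptions value into (names to set, names to clear).

    Names are separated by commas or whitespace; '+' sets, '-' clears, and an
    unprefixed name is assumed here to behave like '+'.
    """
    to_set, to_clear = set(), set()
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if tok[0] == "-":
            to_clear.add(tok[1:])
        elif tok[0] == "+":
            to_set.add(tok[1:])
        else:
            to_set.add(tok)
    return to_set, to_clear


def client_padding_disabled(cf_text):
    """True if sendmail.cf clears SSL_OP_TLSEXT_PADDING for outbound (client) TLS."""
    for line in cf_text.splitlines():
        m = re.match(r"^O\s*ClientSSLOptions\s*=\s*(.*)$", line.strip())
        if m:
            _, cleared = parse_ssl_options(m.group(1))
            return "SSL_OP_TLSEXT_PADDING" in cleared
    return False


# Sample input: the first line is the one from the report above (re-joined
# into a single syslog line); the remaining lines are constructed.
SAMPLE_LOG = [
    "Jun 17 05:47:47 merteuil sendmail[14089]: STARTTLS=client, error: connect failed=-1, "
    "reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1",
    "Jun 17 05:48:02 merteuil sendmail[14090]: STARTTLS=client, relay=mx.example.org., "
    "version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "Jun 17 05:51:10 merteuil sendmail[14102]: STARTTLS=client, error: connect failed=-1, "
    "reason=tlsv1 alert decode error, SSL_error=1, errno=0, retry=-1",
    "Jun 17 05:53:30 merteuil sendmail[14110]: STARTTLS=client, error: connect failed=-1, "
    "reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1",
]

# Constructed sendmail.cf excerpt carrying the workaround from the report.
SAMPLE_CF = """\
O ServerSSLOptions=+SSL_OP_ALL
O ClientSSLOptions=-SSL_OP_TLSEXT_PADDING
"""

if __name__ == "__main__":
    for reason, n in count_failure_reasons(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {reason}")
    print("client padding extension disabled:", client_padding_disabled(SAMPLE_CF))
```

Run against a real maillog, a sharp rise in the "tlsv1 alert decode error" count right after the OpenSSL upgrade is the signature the report describes, and the sendmail.cf check verifies the workaround stayed in place after a package update.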

