After updating OpenSSL to 0.9.8n (the problem probably exists in 0.9.8m as well), Postfix started rejecting STARTTLS connections with the following errors:

[postfix/smtpd] connect from [...]
[postfix/smtpd] setting up TLS connection from [...]
[postfix/smtpd] SSL_accept error from [...]: -1
[postfix/smtpd] warning: TLS library problem: 5864:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:
[postfix/smtpd] lost connection after STARTTLS from [...]
[postfix/smtpd] disconnect from [...]

The server certificate is signed with sha256WithRSAEncryption. According to the Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573748 Postfix doesn't load support for SHA-256. As suggested in that bug report, adding a call to OpenSSL_add_all_algorithms() solves the problem.

Reproducible: Always

Steps to Reproduce:

Portage 2.2_rc67 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.11-r1, 2.6.29-hardened i686)
=================================================================
System uname: Linux-2.6.29-hardened-i686-AMD_Athlon-tm-_Processor-with-gentoo-2.0.1
Timestamp of tree: Mon, 05 Apr 2010 00:45:02 +0000
ccache version 2.4 [enabled]
app-shells/bash: 4.1_p2-r1
dev-lang/python: 2.5.4-r4, 2.6.5-r1, 3.1.2-r1
dev-python/pycrypto: 2.1.0
dev-util/ccache: 2.4-r8
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.1-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.13, 2.65
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1
sys-devel/gcc: 3.4.6-r2, 4.3.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.33
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-ggdb -march=athlon -O2 -pipe -fweb -ftracer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-ggdb -march=athlon -O2 -pipe -fweb -ftracer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--alphabetical"
FEATURES="assume-digests buildpkg ccache distlocks fixpackages news nostrip parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.gentoo.se http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow aac acl alsa bash-completion berkdb bzip2 cli cracklib crypt cups cxx dri emacs flac gdbm gpm hardened iconv idn ipv6 logrotate mmx modules mp3 mudflap ncurses nis nls nptl nptlonly ogg openmp pam pcre perl pic pppd python readline reflection sasl session spl ssl sysfs tcpd unicode urandom vorbis x86 xorg zlib"
ALSA_CARDS="emu10k1"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware voodoo"
Unset: CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 226605
Patch to add calls to OpenSSL_add_all_algorithms() in src/tls/tls_{server,client}.c.
I'm hit by this bug too. There is some discussion about it at the Debian bugzilla: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573748
(In reply to comment #1)
> Created an attachment (id=226605)
> Patch to add calls to OpenSSL_add_all_algorithms() in
> src/tls/tls_{server,client}.c.

Was asked on postfix-users ML.
Reply: http://marc.info/?l=postfix-users&m=126929279515251&w=2
Whole thread: http://marc.info/?l=postfix-users&m=126858092711015&w=2

I am not sure if patching postfix is the correct solution in this case.
(In reply to comment #3)
> Was asked on postfix-users ML. Reply:
> http://marc.info/?l=postfix-users&m=126929279515251&w=2

Yes, I saw that, but it makes no sense to me. It says "Prior to TLS 1.2, certificates that use SHA-2 are not valid", but my certificate has been working for two years, until I upgraded OpenSSL to 0.9.8n. Did they suddenly realise that they supported something out-of-spec and removed it?

By the way, my web server also has a sha256WithRSAEncryption certificate, but that still works. Even "openssl s_client" has no problems, and reports:

SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA

No TLS 1.2 in sight.

> I am not sure if patching postfix is the correct solution in this case.

Possibly not, but it was the easiest and fastest way to get my mail server back up.
(In reply to comment #4)
> Did they suddenly realise
> that they supported something out-of-spec and removed it?

It is OpenSSL that changed behaviour (between 0.9.8l and 0.9.8m I believe), not postfix. It now handles TLS versions properly. While, strictly speaking, Viktor Dukhovni's "not valid" argument is correct, his refusal to incorporate the workaround into postfix is the surprise here.

Basically, he is trying to point the gun away from your foot. If you are an average postfix user, do not use X509 client certificates for access control. If you know what you are doing, well, do not use X509 client certificates for access control. Just do bilateral key management. And if you really must, you have the patch.

PKI is such a mess and is not the way forward. Use public key fingerprints or GSSAPI (especially if you already use Kerberos) if you are looking for something better than username/password. Hence, his refusal.

Anyway, it is not my decision whether to include the patch or not.
(In reply to comment #5)
> Basically, he is trying to point the gun away from your foot. If you are an
> average postfix user, do not use X509 client certificates for access control.

Now I really don't understand. What do client certificates have to do with this bug? I've never used them.

> Use public key fingerprints or
> GSSAPI (especially if you already use kerberos) if you are looking for
> something better than username/password.

Again, I'm not. I'm using username/password over TLS.
(In reply to comment #6)
> Again, I'm not. I'm using username/password over TLS.

My apologies in that case. Somehow misunderstood.
Fixed in openssl snapshot which should become openssl-1.0.1: --- openssl-1.0.0-stable-SNAP-20100407/ssl/ssl_algs.c 2010-01-19 20:03:58.000000000 +0000 +++ openssl-1.0.0-stable-SNAP-20100408/ssl/ssl_algs.c 2010-04-07 14:02:24.000000000 +0000 @@ -105,6 +105,14 @@ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
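Review bot: The two added #ifndef blocks in ssl_algs.c carry no comment on why these digests are registered, whereas the EVP_dss1() line directly below has one ("DSA with sha1"). A one-line comment saying they are needed to verify certificate signatures such as sha256WithRSAEncryption (the ASN1_item_verify "unknown message digest algorithm" failure reported in this bug) would help. It should also mention that SHA-224 is gated on OPENSSL_NO_SHA256 and SHA-384 on OPENSSL_NO_SHA512, since a reader may otherwise look for separate macros.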
Can you please check with dev-libs/openssl-1.0.0a which includes the above patch? Thank you.
(In reply to comment #9)
> Can you please check with dev-libs/openssl-1.0.0a which includes the above
> patch?

That seems to work.
This bug is now invalid for both stable and ~arch openssl?
Closing. Not applicable anymore.