Bug 637164 - dev-libs/openssl-1.0.2m problems since upgrade to sys-libs/glibc-2.25-r8
Summary: dev-libs/openssl-1.0.2m problems since upgrade to sys-libs/glibc-2.25-r8
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-11 19:44 UTC by Rolf Eike Beer
Modified: 2018-10-26 19:39 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Rolf Eike Beer archtester 2017-11-11 19:44:08 UTC
Since I upgraded to glibc 2.25-r8 I have seen SSL problems on 3 different machines.

First, the amd64 server started getting this kind of error:

Oct 30 23:41:38 mail kernel: Qsmtpd[15025]: segfault at 10 ip 00007fe6b816b753 sp 00007ffdc1544a08 error 4 in libcrypto.so.1.0.0[7fe6b806c000+1c1000]

Rebuilding OpenSSL (1.0.2l at that time) cured it. All connections from/to the server seem to work fine, I get and send mail, no users are complaining.

_But_: neither my HPPA nor my Sparc machine is able to connect anymore. Rebuilding OpenSSL did not help, nor did upgrading to 1.0.2m.

The sparc machine uses check_smtp from net-analyzer/monitoring-plugins-2.2. The HPPA machine tries to deliver mail using my selfwritten SMTP daemon. Both have worked fine before.

The error I can see in the logs on the HPPA machine is like this:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

AFAICT this is not related to my software:

voyager ~ # openssl s_client -connect mail.sf-mail.de:25 -starttls smtp           
CONNECTED(00000003)
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify return:1
depth=0 CN = mx.sf-mail.de
verify return:1
4176480144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:


Reproducible: Always
Comment 1 Rolf Eike Beer archtester 2017-11-11 19:44:32 UTC
Sparc info:

Portage 2.3.8 (python 2.7.12-final-0, default/linux/sparc/13.0, gcc-5.4.0, glibc-2.25-r8, 4.13.8 sparc64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.13.8-sparc64-sun4v-with-gentoo-2.3
KiB Mem:    33133648 total,  12235944 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Sat, 11 Nov 2017 01:15:01 +0000
Head commit of repository gentoo: 0b82fc53a1bcfb1041f9e1a0eb8654215f7e2fc6
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28.1 p1.0) 2.28.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.3::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.9.2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.32.1::gentoo
sys-apps/sandbox:         2.10-r4::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.15-r2::gentoo
sys-devel/binutils:       2.28.1::gentoo
sys-devel/gcc:            3.4.6-r2::gentoo, 4.1.2::gentoo, 4.2.4-r1::gentoo, 4.3.6-r1::gentoo, 4.4.7::gentoo, 4.5.4::gentoo, 4.6.4::gentoo, 4.7.4::gentoo, 4.8.5::gentoo, 4.9.4::gentoo, 5.4.0-r3::gentoo, 6.4.0::gentoo, 7.2.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r8::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.de.gentoo.org/gentoo-portage
    priority: -1000

dakon
    location: /usr/local/portage
    masters: gentoo
    priority: 100

ACCEPT_KEYWORDS="sparc"
ACCEPT_LICENSE="* -@EULA"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=niagara2 -pipe"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -mcpu=niagara2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS=""
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS=""
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j20"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl big-endian bzip2 cli cracklib crypt curl cxx dri fortran gdbm iconv ipv6 modules ncurses nptl openmp pam pcre readline session sparc ssl tcpd unicode xattr zlib" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="en de" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en de" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="fbdev glint mach64 mga r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

dev-libs/openssl-1.0.2l::gentoo was built with the following:
USE="asm zlib -bindist -gmp -kerberos -rfc3779 -sctp -sslv2 -sslv3 -static-libs -test -tls-heartbeat -vanilla"
CFLAGS="-O2 -mcpu=niagara2 -pipe -fno-strict-aliasing -Wa,--noexecstack"
CXXFLAGS="-O2 -mcpu=ultrasparc -pipe -fno-strict-aliasing -Wa,--noexecstack"
Comment 2 Rolf Eike Beer archtester 2017-11-11 19:44:48 UTC
HPPA info:

Portage 2.3.8 (python 2.7.12-final-0, default/linux/hppa/13.0, gcc-5.4.0, glibc-2.25-r8, 4.13.8 parisc)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.13.8-parisc-PA8600_-PCX-W+-with-gentoo-2.4.1
KiB Mem:     1031380 total,     50900 free
KiB Swap:    2097148 total,   2083324 free
Timestamp of repository gentoo: Sat, 11 Nov 2017 01:15:01 +0000
Head commit of repository gentoo: 0b82fc53a1bcfb1041f9e1a0eb8654215f7e2fc6
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28.1 p1.0) 2.28.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.3::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.9.1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.32.1::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.13.4::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.28.1::gentoo
sys-devel/gcc:            4.7.4::gentoo, 4.8.5::gentoo, 5.4.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r8::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://castor.sf-tec.de/gentoo-portage/
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

dakon
    location: /var/lib/layman/dakon
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="hppa"
ACCEPT_LICENSE="* -@EULA"
CBUILD="hppa2.0-unknown-linux-gnu"
CFLAGS="-O2 -pipe -march=2.0"
CHOST="hppa2.0-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS=""
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS=""
GENTOO_MIRRORS="ftp://castor.sf-tec.de/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl apache2 big-endian bzip2 cli cracklib crypt curl cxx firefox foomaticdb gdbm hppa iconv imlib ipv6 libwww modules ncurses nls nptl pam pcre readline session spell ssl tcpd unicode xattr zlib" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="en de" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en de" OFFICE_IMPLEMENTATION="libreoffice" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby22" USERLAND="GNU" VIDEO_CARDS="fbdev dummy" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

dev-libs/openssl-1.0.2m::gentoo was built with the following:
USE="asm zlib -bindist -gmp -kerberos -rfc3779 -sctp -sslv2 -sslv3 -static-libs -test -tls-heartbeat -vanilla"
CFLAGS="-O2 -pipe -march=2.0 -fno-strict-aliasing -Wa,--noexecstack"
CXXFLAGS="-O2 -pipe -fno-strict-aliasing -Wa,--noexecstack"
Comment 3 Rolf Eike Beer archtester 2017-11-11 19:45:21 UTC
AMD64 info:

root@mail:~ #  emerge --info openssl       
Portage 2.3.8 (python 3.4.5-final-0, default/linux/amd64/13.0/no-multilib, gcc-5.4.0, glibc-2.25-r8, 4.11.6 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.11.6-x86_64-QEMU_Virtual_CPU_version_2.0.0-with-gentoo-2.4.1
KiB Mem:      508560 total,     21764 free
KiB Swap:     786428 total,    640508 free
Timestamp of repository gentoo: Sat, 11 Nov 2017 01:15:01 +0000
Head commit of repository gentoo: 0b82fc53a1bcfb1041f9e1a0eb8654215f7e2fc6
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28.1 p1.0) 2.28.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.3::gentoo
dev-lang/python:          2.7.14::gentoo, 3.4.5::gentoo, 3.5.4::gentoo
dev-util/cmake:           3.9.1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.32.1::gentoo
sys-apps/sandbox:         2.10-r4::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.28.1::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r8::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://mirror.hetzner.de/gentoo/portage/
    priority: -1000

dakon
    location: /var/lib/layman/dakon
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.hetzner.de/gentoo/"
LANG="en_US.UTF-8"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 apache2 bashbcmath bindist bzip2 bzlib calendar caps cdb cli cracklib crypt ctype curl curlwrappers cxx dba dbm dio dri encode exif fam fastcgi fontconfig foomaticdb fortran ftp gd gdbm gif gmp gpg hardened iconv icq imagemagick imap imlib ipv6 jadetex jpeg lesstif libwww maildir mcal memlimit mime mmap modules ncurses nls nocardbus nocd nptl nptlonly offensive openmp pam pcntl pcre perl pic pie png posix ppds python readline recode sasl seccomp session shared sharedmem simplexml slang slp soap sockets spell sse sse2 sse3 ssl svg sysvipc szip tcpd tidy tiff truetype unicode wddx xattr xml xml2 xmlrpc xosd xpm xsl xv zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="alias auth_basic authn_core authn_default authn_file authz_core authz_host authz_owner authz_user autoindex cache cgi dav dav_fs dav_lock deflate dir env expires ext_filter filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif socache_shmcb status unique_id vhost_alias auth_digest unixd version" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 sse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby22" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

dev-libs/openssl-1.0.2m::gentoo was built with the following:
USE="asm gmp zlib -bindist -kerberos -rfc3779 -sctp -sslv2 -sslv3 -static-libs -test -tls-heartbeat -vanilla" CPU_FLAGS_X86="(sse2)"
CFLAGS="-O2 -pipe -fno-strict-aliasing -Wa,--noexecstack"
CXXFLAGS="-O2 -pipe -fno-strict-aliasing -Wa,--noexecstack"
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-11 20:27:51 UTC
What was an example of the previous glibc version? Something around 2.24?
Comment 5 Rolf Eike Beer archtester 2017-11-11 21:16:53 UTC
2.23-r4 on all 3 machines.
Comment 6 Rolf Eike Beer archtester 2017-11-12 11:55:58 UTC
When the connection fails I get this message at the server:

error:140D108E:SSL routines:tls1_change_cipher_state:compression library error
Comment 7 Rolf Eike Beer archtester 2017-11-12 20:36:58 UTC
Interestingly it works with LibreSSL 2.6.0:

CONNECTED(00000003)
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-13 01:55:51 UTC
Are you using binary packages?
Comment 9 Rolf Eike Beer archtester 2017-11-13 06:20:47 UTC
No, everything built with gcc 5.4.
Comment 10 Rolf Eike Beer archtester 2017-12-19 22:57:19 UTC
Looks like the problem is zlib compression. I don't understand why this happened after the glibc update.
Comment 11 Rolf Eike Beer archtester 2017-12-28 10:01:10 UTC
The culprit is definitely zlib/compression:

castor ~ # equery u openssl
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-libs/openssl-1.0.2n:
 U I
 + + asm           : Support assembly hand optimized crypto functions (i.e. faster run time)
 - - bindist       : Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
 - - gmp           : Add support for dev-libs/gmp (GNU MP library)
 - - kerberos      : Add kerberos support
 - - rfc3779       : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)
 - - sctp          : Support for Stream Control Transmission Protocol
 - - sslv2         : Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https
 + + sslv3         : Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
 - + static-libs   : Build static versions of dynamic libraries as well
 - - test          : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 + + tls-heartbeat : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla       : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically
 + + zlib          : Add support for zlib (de)compression
castor ~ # openssl s_client -connect mail.sf-mail.de:25 -starttls smtp 2>&1|head
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
4159394412:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mx.sf-mail.de
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
castor ~ # USE=-zlib emerge -1 openssl
...
castor ~ #  equery u openssl
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-libs/openssl-1.0.2n:
 U I
 + + asm           : Support assembly hand optimized crypto functions (i.e. faster run time)
 - - bindist       : Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
 - - gmp           : Add support for dev-libs/gmp (GNU MP library)
 - - kerberos      : Add kerberos support
 - - rfc3779       : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)
 - - sctp          : Support for Stream Control Transmission Protocol
 - - sslv2         : Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https
 + + sslv3         : Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
 - - static-libs   : Build static versions of dynamic libraries as well
 - - test          : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 + + tls-heartbeat : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla       : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically
 + - zlib          : Add support for zlib (de)compression
castor ~ # openssl s_client -connect mail.sf-mail.de:25 -starttls smtp 2>&1|head
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mx.sf-mail.de
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 2 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org


After I hard disabled compression in my software on the AMD64 machine connections from other parties (e.g. Gmail) started working again. So it looks like the handshaking isn't able to properly figure out if compression should be used _OR_ compression is negotiated, but broken afterwards.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-28 13:24:32 UTC
I can confirm the

> 140194193445952:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

message when trying to connect via openssl[zlib] to mail.sf-mail.de:25 via starttls.

testssl.sh (net-analyzer/testssl-2.9.5) also says

> Fatal error:  /opt/testssl/openssl.Linux.x86_64 couldn't establish STARTTLS via smtp to 78.47.74.12:25


Is mail.sf-mail.de your host? At the moment I think this is a problem caused by mail.sf-mail.de.
Comment 13 Rolf Eike Beer archtester 2017-12-28 13:40:40 UTC
Yes, this is my host and my software. Source code can be found on GitHub, the most relevant parts are https://github.com/DerDakon/Qsmtp/blob/master/qsmtpd/starttls.c and https://github.com/DerDakon/Qsmtp/blob/master/lib/tls.c. As I said, this all worked flawlessly before the upgrades.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-28 18:20:14 UTC
To recap:

Your server application (=your qmail-based mailserver) is failing the SSL handshake when a client is trying to utilize compression with

> 454 4.3.0 TLS connection failed: error:140D108E:SSL routines:tls1_change_cipher_state:compression library error
Clients will see

> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
(this is a generic failure message for failed handshakes)

The system's architecture running the server application showing the "compression library error" is amd64?

You have already rebuilt sys-libs/zlib, dev-libs/openssl and your server application in this specific order _after_ you have upgraded to recent glibc?

While it is recommended to disable compression in TLS altogether (see the CRIME and BREACH attacks), could you please run another _known_ service from the Gentoo repository using the same crypto engine? I'd like to know if other applications offering TLS will fail the same way when trying to utilize compression or not. Then we would know at least if this is a general problem or an application-specific problem.
Comment 15 Rolf Eike Beer archtester 2017-12-28 18:59:12 UTC
I have rebuilt the 3 packages in the given order, which did not change anything. My currently live code has

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);

while the repo version does not have the last flag. With the flag set it works, without things break.

I also run an apache on the same machine (https://opensource.sf-tec.de).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-29 02:27:17 UTC
(In reply to Rolf Eike Beer from comment #15)
> I have rebuild the 3 packages in the given order, which did not change
> anything. My currently live code has
> 
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
> SSL_OP_NO_COMPRESSION);
> 
> while the repo version does not have the last flag. With the flag set it
> works, without things break.
> 
> I also run an apache on the same machine (https://opensource.sf-tec.de).

Well, looks like you have now disabled TLS compression support (which is good and highly recommended!). However, this is now hiding the problem... so we still don't know if there's a problem in your mail server software or something wrong with zlib, openssl... ;)
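The check and the fix discussed in comments 14 through 16, as an added example that is not part of the bug report or of Qsmtp: a parser over `openssl s_client` output that flags a negotiated TLS compression or a failed handshake, and a Python `ssl.SSLContext` counterpart of the `SSL_CTX_set_options()` line from comment 15 (Python's ssl module wraps the same libssl). The sample output is constructed; the `mx.example.test` names are placeholders, and only the error and verify lines are quoted from comment 11.

```python
"""Assess 'openssl s_client' output for TLS compression / handshake failure,
and build a server context with compression disabled.
Added example; not Gentoo or Qsmtp code. Sample output below is constructed."""
import re
import ssl

# OpenSSL 1.0.x error strings, e.g. the one quoted in the bug:
#   error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
_ERROR_RE = re.compile(r"error:([0-9A-F]{8}):SSL routines:([^:]+):([^:\n]+)")
_COMPRESSION_RE = re.compile(r"^Compression:\s*(.+?)\s*$", re.MULTILINE)
_PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
_VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.+?)\s*$", re.MULTILINE)


def assess_s_client(output):
    """Summarise one s_client run (stdout and stderr merged, as with 2>&1)."""
    result = {
        "connected": "CONNECTED(" in output,
        "handshake_ok": False,
        "protocol": None,
        "compression": None,
        "ssl_error": None,
        "verify_errors": [],
        "findings": [],
    }
    m = _ERROR_RE.search(output)
    if m:
        code, func, reason = m.groups()
        result["ssl_error"] = {"code": code, "function": func, "reason": reason}
        result["findings"].append(
            "handshake failed in %s: %s (error %s)" % (func, reason, code))
    m = _PROTOCOL_RE.search(output)
    if m:
        result["protocol"] = m.group(1)
    m = _COMPRESSION_RE.search(output)
    if m:
        # s_client prints the Compression: line only after a completed handshake.
        result["compression"] = m.group(1)
        result["handshake_ok"] = result["ssl_error"] is None
        if m.group(1).upper() != "NONE":
            result["findings"].append(
                "TLS compression negotiated (%s): disable it with "
                "SSL_OP_NO_COMPRESSION (CRIME/BREACH mitigation)" % m.group(1))
    for num, text in _VERIFY_ERR_RE.findall(output):
        result["verify_errors"].append((int(num), text))
    return result


def compression_negotiated(output):
    comp = assess_s_client(output)["compression"]
    return comp is not None and comp.upper() != "NONE"


def smtp_server_context(certfile=None, keyfile=None, allow_compression=False):
    """Python-ssl counterpart of the SSL_CTX_set_options() line in comment 15.

    allow_compression=True reproduces the "repo version" behaviour the bug
    describes (flag absent, so zlib compression can be negotiated)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Stricter than SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3: nothing below TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if allow_compression:
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    else:
        ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def compression_disabled(ctx):
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


# Constructed sample: a handshake that completed with zlib compression, as a
# server built against openssl[zlib] without SSL_OP_NO_COMPRESSION allows.
SAMPLE_COMPRESSED = """\
CONNECTED(00000003)
depth=0 CN = mx.example.test
verify return:1
---
Certificate chain
 0 s:/CN=mx.example.test
   i:/CN=Example Test CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

# Constructed sample of the failure mode in the bug; error and verify lines
# are quoted from comment 11 (stderr merged, hence the ordering).
SAMPLE_FAILED = """\
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority
verify error:num=19:self signed certificate in certificate chain
4159394412:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mx.example.test
"""

if __name__ == "__main__":
    for name, sample in (("compressed", SAMPLE_COMPRESSED), ("failed", SAMPLE_FAILED)):
        print(name, assess_s_client(sample)["findings"])
```

Feed it real output captured with `openssl s_client -connect host:25 -starttls smtp 2>&1`; a server that still shows `Compression: zlib compression` is the configuration comment 14 warns about.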
Comment 17 Rolf Eike Beer archtester 2017-12-29 09:28:34 UTC
I started an unmodified version on 78.47.74.12 port 9988.
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-02 12:55:25 UTC
(In reply to Rolf Eike Beer from comment #17)
> I started an unmodified version on 78.47.74.12 port 9988.
No, you are running your own mail server software on that port. We wanted to test if other software, preferably something found in the Gentoo repository like Apache, is showing the same problem when using the same OpenSSL engine.
Comment 19 Rolf Eike Beer archtester 2018-01-02 12:58:38 UTC
Sure I do, an unmodified version, i.e. one that still has the connection problems. The apache is still where it has always been.
Comment 20 Ian Zimmerman 2018-04-03 03:51:15 UTC
Not completely sure if this is the same bug, but it sure is the best match from all existing bugs.

After updating yesterday to glibc-2.25-r11 (now stable), I found myself unable to use my SSH key which is protected by a passphrase. After I typed the passphrase, ssh would just say "Authentication failed" and drop me right back to the parent shell. There was nothing related to this event in /var/log/auth.log.

Laugh if you must, but this is my only key which has a passphrase; since other keys continued to work, I can't really pin the blame on the passphrase with full certainty.  I think it is also my only ECDSA key, for instance.

After I recompiled openssl-1.0.2n and (maybe overkill) openssh-7.5_p1-r4 today, things returned to a fully working state.

Here are my USEs for the packages involved:

 ~$ equery u sys-libs/glibc dev-libs/openssl net-misc/openssh
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-libs/glibc-2.25-r11:
 U I
 - - audit        : Enable support for Linux audit subsystem using sys-process/audit
 + + caps         : Use Linux capabilities library to control privilege
 - - debug        : When USE=hardened, allow fortify/stack violations to dump core (SIGABRT) and not
                    kill self (SIGKILL)
 - - gd           : build memusage and memusagestat tools
 - - headers-only : Install only C headers instead of whole package. Mainly used by sys-devel/crossdev
                    for toolchain bootstrap.
 - - nscd         : Build, and enable support for, the Name Service Cache Daemon
 - - profile      : Add support for software performance analysis (will likely vary from ebuild to
                    ebuild)
 + + rpc          : Enable obsolete RPC/NIS layers
 - - suid         : Make internal pt_chown helper setuid -- not needed if using Linux and have
                    /dev/pts mounted with gid=5
 - - systemtap    : enable systemtap static probe points

 * Found these USE flags for dev-libs/openssl-1.0.2n:
 U I
 - - abi_x86_32    : 32-bit (x86) libraries
 - - asm           : Support assembly hand optimized crypto functions (i.e. faster run time)
 - - bindist       : Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the
                     ABI
 - - gmp           : Add support for dev-libs/gmp (GNU MP library)
 - - kerberos      : Add kerberos support
 - - rfc3779       : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS
                     Identifiers)
 - - sctp          : Support for Stream Control Transmission Protocol
 - - sslv2         : Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https
 - - sslv3         : Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
 - - static-libs   : Build static versions of dynamic libraries as well
 - - test          : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2
                     handles this internally, so don't set it in make.conf/package.use anymore
 + + tls-heartbeat : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla       : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A
                     GLOBAL SCALE as the severity of the meaning changes drastically
 + + zlib          : Add support for zlib (de)compression

 * Found these USE flags for net-misc/openssh-7.5_p1-r4:
 U I
 + + X        : Add support for X11
 - - X509     : Adds support for X.509 certificate authentication
 - - audit    : Enable support for Linux audit subsystem using sys-process/audit
 - - bindist  : Disable EC/RC5 algorithms in OpenSSL for patent reasons.
 - - debug    : Enable extra debug codepaths, like asserts and extra output. If you want to get
                meaningful backtraces see
                https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 + + hpn      : Enable high performance ssh
 - - kerberos : Add kerberos support
 - - ldap     : Add support for storing SSH public keys in LDAP
 - - ldns     : Use LDNS for DNSSEC/SSHFP validation.
 - - libedit  : Use the libedit library (replacement for readline)
 - - libressl : Use dev-libs/libressl instead of dev-libs/openssl as SSL/TLS provider (ineffective
                with USE=-ssl), packages should not depend on this USE flag
 - - livecd   : Enable root password logins for live-cd environment.
 + + pam      : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 + + pie      : Build programs as Position Independent Executables (a security hardening technique)
 - - sctp     : Support for Stream Control Transmission Protocol
 - - skey     : Enable S/Key (Single use password) authentication support
 - - ssh1     : Support the legacy/weak SSH1 protocol
 + + ssl      : Enable additional crypto algorithms via OpenSSL
 - - static   : !!do not set this during bootstrap!! Causes binaries to be statically linked instead
                of dynamically
 - - test     : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles
                this internally, so don't set it in make.conf/package.use anymore
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2018-10-26 19:39:24 UTC
Closing this as obsolete since 2.26 is already stable.