Re: disable TLS 1.3 on postfix (logs enclosed)

Re: disable TLS 1.3 on postfix (logs enclosed)

Security Admin (NetSec)
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: setting up TLS connection from mail-wr1-f42.google.com[209.85.221.42]
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: mail-wr1-f42.google.com[209.85.221.42]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:before SSL initialization
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:before SSL initialization
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS read client hello
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS write server hello
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS write change cipher spec
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:TLSv1.3 write encrypted extensions
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS write certificate
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:TLSv1.3 write server certificate verify
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS write finished
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:TLSv1.3 early data
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL3 alert read:fatal:illegal parameter
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:error in error
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept error from mail-wr1-f42.google.com[209.85.221.42]: -1
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: lost connection after STARTTLS from mail-wr1-f42.google.com[209.85.221.42]
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: disconnect from mail-wr1-f42.google.com[209.85.221.42] ehlo=1 starttls=0/1 commands=1/2

On 6/22/19, 10:31 AM, "[hidden email] on behalf of Benny Pedersen" <[hidden email] on behalf of [hidden email]> wrote:

    Security Admin (NetSec) wrote on 2019-06-22 19:15:
    > What is the correct procedure to disable TLS 1.3 negotiation on
    > postfix?
   
    why ?
   
    i am not an expert, but i think you will not get that to work well, imho
    show logs for the problem to get more help
   

Re: disable TLS 1.3 on postfix (logs enclosed)

Benny Pedersen-2
Security Admin (NetSec) wrote on 2019-06-22 19:34:

> Jun 22 10:31:19 mailgate postfix/smtpd[7180]: warning: TLS library
> problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert
> illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number
> 47:

this is a ssl3 disabled in openssl problem, not a tls 1.3 problem

remote needs openssl upgrade

Re: disable TLS 1.3 on postfix (logs enclosed)

Viktor Dukhovni
On Sat, Jun 22, 2019 at 07:38:32PM +0200, Benny Pedersen wrote:

> Security Admin (NetSec) wrote on 2019-06-22 19:34:
>
> > Jun 22 10:31:19 mailgate postfix/smtpd[7180]: warning: TLS library
> > problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert
> > illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number
> > 47:
>
> this is a ssl3 disabled in openssl problem, not a tls 1.3 problem
>
> remote needs openssl upgrade

No. Please don't just make stuff up.

--
        Viktor.
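
Added example, not part of the thread and not Postfix code: a small triage script for the smtpd TLS debug lines posted in the first message. For each session whose STARTTLS did not complete it reports the last handshake state, whether the alert was received from the peer or sent locally, and the alert name for the logged alert number. The function name `triage`, the alert table and the pid 7181 line are constructed for illustration; grouping by smtpd pid assumes one connection per process at a time.

```python
import re
from collections import defaultdict

ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}  # RFC 8446 subset

# pid 7180: lines from the log posted in this thread; pid 7181: constructed.
SAMPLE_LOG = """\
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS read client hello
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:TLSv1.3 early data
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL3 alert read:fatal:illegal parameter
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:error in error
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: disconnect from mail-wr1-f42.google.com[209.85.221.42] ehlo=1 starttls=0/1 commands=1/2
Jun 22 10:32:02 mailgate postfix/smtpd[7181]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
STATE = re.compile(r"SSL_accept:(?!error)(.+)")
ALERT = re.compile(r"SSL3 alert (read|write):(\w+):(.+)")
ALERT_NO = re.compile(r"SSL alert number (\d+)")
DISCONNECT = re.compile(r"disconnect from (\S+) .*\bstarttls=(\d+)(?:/(\d+))?")

def triage(log_text):
    """Return one summary per smtpd session whose STARTTLS did not complete."""
    sessions = defaultdict(lambda: {"states": [], "alert": None, "number": None})
    failed = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions[pid]
        if st := STATE.match(msg):
            s["states"].append(st.group(1))
        elif al := ALERT.match(msg):
            # "read": alert received from the peer; "write": sent by this server.
            s["alert"] = {"origin": "peer" if al.group(1) == "read" else "local",
                          "level": al.group(2), "text": al.group(3)}
        elif no := ALERT_NO.search(msg):
            s["number"] = int(no.group(1))
        elif d := DISCONNECT.match(msg):
            ok, total = int(d.group(2)), int(d.group(3) or d.group(2))
            if ok < total:  # Postfix logs success/total when an attempt failed
                failed.append({"pid": pid, "peer": d.group(1), "alert": s["alert"],
                               "alert_name": ALERTS.get(s["number"]),
                               "last_state": s["states"][-1] if s["states"] else None,
                               "tls13_seen": any("TLSv1.3" in x for x in s["states"])})
            del sessions[pid]  # smtpd pids are reused for later connections
    return failed
```

Calling `triage(SAMPLE_LOG)` returns a single entry for pid 7180 and none for the constructed session that completed STARTTLS.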