postfix & TLS1.3 problems


postfix & TLS1.3 problems

A. Schulze

Hello,

today I noticed a significant amount of TLS failures in my postfix log.

Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from  
client.example[192.0.2.25]:34152: -1

I traced some sessions and found the problematic client is announcing  
the special cipher "TLS_FALLBACK_SCSV"
in a TLSv1.2 ClientHello message. Now, as my server supports TLSv1.3,  
my SSL library (openssl-1.1.1) assumes a downgrade attack and closes the  
connection with an SSL error message "inappropriate fallback"

The core issue is a client with a nonconforming TLS implementation.

To circumvent the problem I tried to disable TLS1.3 on my server by setting
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3

But that does not help.
The client still fails and delivers the message by falling back to plain text :-/

The only option to force encrypted traffic again would be a library  
downgrade on my side.
Any other suggestions?

Andreas




Re: postfix & TLS1.3 problems

Viktor Dukhovni
On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:

> today I noticed a significant amount of TLS failures in my postfix log.
>
> Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from  
> client.example[192.0.2.25]:34152: -1
>
> I traced some sessions and found the problematic client is announcing  
> the special cipher "TLS_FALLBACK_SCSV"
> in a TLSv1.2 ClientHello message. Now, as my server supports TLSv1.3,  
> my SSL library (openssl-1.1.1) assumes a downgrade attack and closes the  
> connection with an SSL error message "inappropriate fallback"
>
> The core issue is a client with a nonconforming TLS implementation.

Any idea what software these clients are running?  Are they at all
likely to fix this any time soon?

> To circumvent the problem I tried to disable TLS1.3 on my server by setting
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3
>
> But that does not help.
> The client still fails and delivers the message by falling back to plain text :-/
>
> The only option to force encrypted traffic again would be a library  
> downgrade on my side.
> Any other suggestions?

Support for OpenSSL 1.1.1 and TLS 1.3 is on the list of fixes slated
for Postfix 3.4, and some may then be backported to patch levels
of earlier releases.

In the meantime, try:

    tls_ssl_options = 0x20000000

which corresponds to SSL_OP_NO_TLSv1_3.  I am not aware of any
method to accept the "downgrade" to TLS 1.2 without disabling TLS
1.3 for clients that do have correct implementations.

--
        Viktor.

Re: postfix & TLS1.3 problems

Viktor Dukhovni
On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:

> Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from  
> client.example[192.0.2.25]:34152: -1
>
> I traced some sessions and found the problematic client is announcing  
> the special cipher "TLS_FALLBACK_SCSV"
> in a TLSv1.2 ClientHello message. Now, as my server supports TLSv1.3,  
> my SSL library (openssl-1.1.1) assumes a downgrade attack and closes the  
> connection with an SSL error message "inappropriate fallback"

PCAP files of traffic from such clients would be quite useful.
Especially, if the use of the SCSV is preceded by a failed TLS 1.3
handshake.  Is there any evidence in your logs of the client attempting
some sort of connection shortly before the TLS 1.2 + SCSV?

> The core issue is a client with a nonconforming TLS implementation.

Or a middle-box between the client and your server that makes TLS
1.3 fail, with the client then retrying with TLS 1.2 + SCSV.

Please investigate further, if at all possible.  Logs, PCAP files,
...  The PCAP files should not be too sensitive, since presumably
the traffic is still encrypted, leaving only the IP addresses and
client/server hostnames (banner and EHLO) in the clear.

You can send me any PCAP files off-list.  Since I'm also on the
OpenSSL team, insight into interoperability problems is of some
interest beyond just how to work around this in Postfix.  And
of course it would be good to have better work-arounds than
completely disabling TLS 1.3.

--
        Viktor.
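
For triaging captures like the ones requested in this thread, the following is an added example (not code from the posters, Postfix or OpenSSL): it parses a ClientHello record extracted from a PCAP, reports whether TLS_FALLBACK_SCSV is offered, and applies a simplified model of the RFC 7507 server rule for a given server maximum version. The function names and the sample bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # cipher suite value from RFC 7507
EXT_SUPPORTED_VERSIONS = 43       # extension type from RFC 8446
TLS1_2, TLS1_3 = 0x0303, 0x0304

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body, pos = record[9:5 + rec_len], 0   # skip record (5) and handshake (4) headers

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]

    def take_vec(len_bytes):               # length-prefixed vector
        return take(int.from_bytes(take(len_bytes), "big"))

    def u16_list(raw):
        return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]

    offered = [int.from_bytes(take(2), "big")]   # legacy client_version
    take(32)                               # random
    take_vec(1)                            # session_id
    suites = u16_list(take_vec(2))
    take_vec(1)                            # compression methods
    exts = take_vec(2) if pos < len(body) else b""
    i = 0
    while i + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[i:i + 4])
        if etype == EXT_SUPPORTED_VERSIONS and elen > 0:
            # skip the 1-byte list length; keep 0x03xx values only (drops GREASE)
            vers = [v for v in u16_list(exts[i + 5:i + 4 + elen]) if v >> 8 == 3]
            offered = vers or offered
        i += 4 + elen
    return {"highest_offered": max(offered), "fallback_scsv": TLS_FALLBACK_SCSV in suites}

def is_inappropriate_fallback(hello: dict, server_max: int) -> bool:
    """RFC 7507 rule: SCSV present and the server supports a higher version."""
    return hello["fallback_scsv"] and hello["highest_offered"] < server_max

# Constructed sample: TLSv1.2 ClientHello, two AEAD suites plus TLS_FALLBACK_SCSV, no extensions
_body = bytes.fromhex("0303") + bytes(32) + b"\x00" + bytes.fromhex("0006c02f009c5600") + b"\x01\x00"
SAMPLE = b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4) + b"\x01" + len(_body).to_bytes(3, "big") + _body
```

With `server_max` set to `TLS1_2`, which models the server after `SSL_OP_NO_TLSv1_3` is applied, the same ClientHello is no longer treated as a fallback.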