computers / comp.mail.pine / Re: ssl negotiation failed for smtp with alpine 2.22 and 2.25

ssl negotiation failed for smtp with alpine 2.22 and 2.25

<533cbd78-d0a6-40ce-83a1-8215d158c8b5n@googlegroups.com>

 by: jpj - Sat, 6 Nov 2021 16:57 UTC

I can successfully send messages via SMTP/SSL with Alpine 2.22 on an Ubuntu 10.04 system with OpenSSL 1.1.1d. The SMTP Server is set to:

my-smtp-host:465/ssl/novalidate-cert/user=my-user-name.

When I use the same .pinerc, or configure a new .pinerc with the same settings, on a newer system (Ubuntu 20.04/OpenSSL 1.1.1f), with either Alpine 2.25 or Alpine 2.22, sending fails with "SSL negotiation failed". Debug information in the Alpine journal shows only:

IMAP 11:39:56 11/6 mm_log babble: Trying IP address [my-smtp-ip]
sslfailure: host=my-smtp-host reason=SSL negotiation failed

Connections to the host from the newer system with OpenSSL s_client all succeed:
$ openssl s_client -starttls smtp -tls1_2 -connect my-smtp-host:465
CONNECTED(00000003)
$ openssl s_client -starttls smtp -tls1_1 -connect my-smtp-host:465
CONNECTED(00000003)
$ openssl s_client -starttls smtp -tls1 -connect my-smtp-host:465
CONNECTED(00000003)

The SMTP host does not support Verbose SMTP posting, so I don't know how to gather more information.

Any ideas?

Re: ssl negotiation failed for smtp with alpine 2.22 and 2.25

<5a0af69b-c455-b031-c32a-68ffe5710e86@washington.edu>

 by: Eduardo Chappa - Sun, 7 Nov 2021 16:20 UTC

On Sat, 6 Nov 2021, jpj wrote:

> I can successfully send messages via SMTP/SSL with Alpine 2.22 on
> an Ubuntu 10.04 system with OpenSSL 1.1.1d. The SMTP Server is set
> to:
>
> my-smtp-host:465/ssl/novalidate-cert/user=my-user-name.

Dear Jpj,

I understand you want to protect information for whatever good reasons
you might have, but not telling us the exact server will not help us help
you. If you could, at least send me an email with the name of the server,
so I can try to rule out Alpine from this, or fix Alpine.

> When I use the same .pinerc, or configure a new .pinerc with the
> same settings, on a newer system (Ubuntu 20.04/OpenSSL 1.1.1f), with
> either Alpine 2.25 or Alpine 2.22, sending fails with "SSL negotiation
> failed". Debug information in the Alpine journal shows only:
>
> IMAP 11:39:56 11/6 mm_log babble: Trying IP address [my-smtp-ip]
> sslfailure: host=my-smtp-host reason=SSL negotiation failed
>
>
> Connections to the host from the newer system with OpenSSL s_client all succeed:
> $ openssl s_client -starttls smtp -tls1_2 -connect my-smtp-host:465
> CONNECTED(00000003)
> $ openssl s_client -starttls smtp -tls1_1 -connect my-smtp-host:465
> CONNECTED(00000003)
> $ openssl s_client -starttls smtp -tls1 -connect my-smtp-host:465
> CONNECTED(00000003)

To me this sounds like an openssl configuration issue. There is an
openssl.cnf file on your machine, so take a look at that. (I think they
put it in /etc.) There is also a variable

encryption-protocol-range

in your .pinerc whose value you might want to check. Also,
running "alpine -v" in the 2.25 binary might give relevant information.

> The SMTP host does not support Verbose SMTP posting, so I don't
> know how to gather more information.

The verbose information that Alpine collects is a record of its
conversation with the server. Since you have not connected to the server
there is no log to read, and it is not relevant for this problem anyway.

Other than what I have said here, I do not think there is anything else
that I can say. If you want us to help you, give us more information.
Otherwise, I hope you can solve this issue quickly.

Thank you.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Re: ssl negotiation failed for smtp with alpine 2.22 and 2.25

<983158bc-d36b-9f9a-4833-6555ab049d09@washington.edu>

 by: Eduardo Chappa - Sun, 7 Nov 2021 16:38 UTC

On Sat, 6 Nov 2021, jpj wrote:

> I can successfully send messages via SMTP/SSL with Alpine 2.22 on
> an Ubuntu 10.04 system with OpenSSL 1.1.1d. The SMTP Server is set
> to:
>
> my-smtp-host:465/ssl/novalidate-cert/user=my-user-name.
> [...]
> Connections to the host from the newer system with OpenSSL s_client all succeed:
> $ openssl s_client -starttls smtp -tls1_2 -connect my-smtp-host:465
> CONNECTED(00000003)

Dear Jpj,

Here is one more relevant piece of information. The configuration

my-smtp-host:465/ssl/novalidate-cert/user=my-user-name.

cannot be tested with the openssl command

$ openssl s_client -starttls smtp -tls1_2 -connect my-smtp-host:465

You should remove the "-starttls smtp" part if you want to test it, but
if you want to preserve "-starttls smtp" in the command, you should
change the port to 587. I suspect openssl will still connect, but again,
without real information it is not possible to help you. Good luck.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
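
The mapping described in the post above, as an added sh example that is not part of the original post or of Alpine: it derives the matching s_client test from an smtp-server value and flags a test command that does not match it. The /tls flag and the default ports are assumptions beyond what the thread shows.

```sh
#!/bin/sh
# Added example, not from the thread: choose the s_client test that matches
# an Alpine smtp-server value, and flag a test command that does not.
#   /ssl -> implicit TLS: the handshake starts right after the TCP connect
#   /tls -> STARTTLS: plaintext SMTP greeting first, then the TLS upgrade
# Default ports (465, 587, 25) are assumptions used when the value has none.

# Print "MODE HOST PORT" for a value such as host:465/ssl/user=name
parse_spec() {
    spec=$1
    hostport=${spec%%/*}
    host=${hostport%%:*}
    case "$spec/" in
        */ssl/*) mode=implicit; port=465 ;;
        */tls/*) mode=starttls; port=587 ;;
        *)       mode=plain;    port=25 ;;
    esac
    case $hostport in *:*) port=${hostport##*:} ;; esac
    echo "$mode $host $port"
}

# Print the s_client command that exercises the same path Alpine would use.
sclient_for_spec() {
    set -- $(parse_spec "$1")
    case $1 in
        implicit) echo "openssl s_client -connect $2:$3" ;;
        starttls) echo "openssl s_client -starttls smtp -connect $2:$3" ;;
        *)        echo "value requests no TLS" ;;
    esac
}

# Compare a test command (one string) against the value.
audit_test() {
    mode=$(parse_spec "$1" | cut -d' ' -f1)
    case "$mode:$2" in
        implicit:*-starttls*) echo "mismatch: -starttls used on implicit TLS" ;;
        starttls:*"-starttls smtp"*) echo "ok" ;;
        starttls:*) echo "mismatch: value needs -starttls smtp" ;;
        *) echo "ok" ;;
    esac
}

SPEC='my-smtp-host:465/ssl/novalidate-cert/user=my-user-name'
sclient_for_spec "$SPEC"
audit_test "$SPEC" 'openssl s_client -starttls smtp -tls1_2 -connect my-smtp-host:465'
```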

Re: ssl negotiation failed for smtp with alpine 2.22 and 2.25

<5dea5eef-6995-49c9-be56-e81cdf3c5658n@googlegroups.com>

 by: jpj - Sun, 28 Nov 2021 00:09 UTC

Eduardo,

Thanks for pointing me in the right direction. It seems the DH key on the SMTP server is small, and newer versions of OpenSSL do not allow connections to it. I'm trying to get the sysadmins to fix it, but in the meantime, I've had to find another SMTP server.

The relevant information in the s_client tests is "dh key too small" in:
140712169444672:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2149

From the headers of a message sent via the older OpenSSL system, it looks like the key is 256 bits:
version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256

Newer OpenSSL versions seem to require >= 2048 bits.

JPJ
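
The reading of s_client output that led to the finding above, as an added sh example that is not part of the original thread: a classifier run over constructed transcripts (only the "dh key too small" line is taken from the post). The default level of 2 for the newer client is an assumption; the per-level DH minimums are OpenSSL's documented security levels.

```sh
#!/bin/sh
# Added example, not from the thread: triage a saved `openssl s_client`
# transcript. "CONNECTED(...)" only proves the TCP connect; the handshake
# result is in the error, "Cipher is" and "Temp Key" lines.

# Smallest DH group OpenSSL accepts at each security level.
min_dh_bits() {
    case $1 in
        1) echo 1024 ;; 2) echo 2048 ;; 3) echo 3072 ;;
        4) echo 7680 ;; 5) echo 15360 ;; *) echo 0 ;;
    esac
}

# Usage: classify_sclient [LEVEL] < transcript   (LEVEL 2 is an assumed default)
classify_sclient() {
    level=${1:-2}
    out=$(cat)
    case $out in
        *"dh key too small"*) echo "rejected: DH key too small"; return 0 ;;
        *"CONNECTED("*) ;;
        *) echo "no TCP connection"; return 0 ;;
    esac
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        echo "TCP only: no TLS handshake completed"; return 0
    fi
    bits=$(printf '%s\n' "$out" |
        sed -n 's/^.*Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1)
    need=$(min_dh_bits "$level")
    if [ -n "$bits" ] && [ "$bits" -lt "$need" ]; then
        echo "weak: DH $bits < $need bits needed at level $level"
    else
        echo "ok: $cipher"
    fi
}

# Constructed transcripts, trimmed to the lines that matter.
T_REJECTED='CONNECTED(00000003)
140712169444672:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2149
New, (NONE), Cipher is (NONE)'
T_OLD_CLIENT='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'
T_TCP_ONLY='CONNECTED(00000003)'

for t in "$T_REJECTED" "$T_OLD_CLIENT" "$T_TCP_ONLY"; do
    printf '%s\n' "$t" | classify_sclient 2
done
```

s_client reports the DH group size on its "Temp Key" line; a bits= value in a Received header is the symmetric cipher strength (AES-256 for the cipher quoted above).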

Re: ssl negotiation failed for smtp with alpine 2.22 and 2.25

<ff1d8f53-5527-6e67-1a31-5cd0b158f569@washington.edu>

 by: Eduardo Chappa - Sun, 28 Nov 2021 02:28 UTC

On Sat, 27 Nov 2021, jpj wrote:

> Eduardo,
>
> Thanks for pointing me in the right direction. It seems the DH
> key on the SMTP server is small, and newer versions of OpenSSL do not
> allow connections to it. I'm trying to get the sysadmins to fix it, but
> in the meantime, I've had to find another SMTP server.

Dear jpj,

There is a chance that you can just edit your openssl.cnf file. In
Debian we had this discussion some time ago (ended by silence from Debian).
Take a look at this thread in case it is relevant to you.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959481

Chances are you can change this through a configuration option until your
system administrators fix their server.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
