From owner-freebsd-net@FreeBSD.ORG Wed Nov 2 12:35:36 2005
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E36E216A41F for ; Wed, 2 Nov 2005 12:35:36 +0000 (GMT) (envelope-from discussion-lists@linnet.org)
Received: from thorn.pobox.com (thorn.pobox.com [208.210.124.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9119943D6E for ; Wed, 2 Nov 2005 12:35:36 +0000 (GMT) (envelope-from discussion-lists@linnet.org)
Received: from thorn (localhost [127.0.0.1]) by thorn.pobox.com (Postfix) with ESMTP id 47FEF9F; Wed, 2 Nov 2005 07:19:54 -0500 (EST)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by thorn.sasl.smtp.pobox.com (Postfix) with ESMTP id 0C137F29; Wed, 2 Nov 2005 07:19:52 -0500 (EST)
Received: from lists by mappit.local.linnet.org with local (Exim 4.54 (FreeBSD)) id 1EXHpx-0009Y5-Hj; Wed, 02 Nov 2005 12:35:29 +0000
Date: Wed, 2 Nov 2005 12:35:29 +0000
From: Brian Candler
To: "Meka[ni]"
Message-ID: <20051102123529.GA36617@uk.tiscali.com>
References: <20051102093504.64edad5f@hal9000>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20051102093504.64edad5f@hal9000>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-net@freebsd.org
Subject: Re: openssl & gmail problem
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 02 Nov 2005 12:35:37 -0000

On Wed, Nov 02, 2005 at 09:35:04AM +0100, Meka[ni] wrote:
> Why doesn't this work:
> openssl s_client -starttls smtp -connect smtp.gmail.com:25
>
> I've tried adding -CApath /usr/local/share/ssl/certs (that's where I keep certs),
> but nothing changed. This is the error I get:
> CONNECTED(000000003)
> 17478:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
>
> openssl version
> 0.9.7e
>
> /usr/local/bin/openssl version
> 0.9.8a
>
> None of this works. Any ideas?

Run tcpdump and/or ktrace to see what's happening.

# tcpdump -i nv0 -n -s1500 -X tcp port 25

When I do this, I see:

< 220 mx.gmail.com ESMTP g1sm241248nfe
> STARTTLS
< 503 5.5.1 EHLO/HELO first g1sm241248nfe

I think that should be clear enough. Please feel free to submit a patch to the openssl project, so that it sends EHLO first. Remind them that you shouldn't try to use an ESMTP extension until you've first had it announced to you that the extension is available. (RFC 2821 section 4.1.1.1)

"In any event, a client MUST issue HELO or EHLO before starting a mail transaction."

Regards,

Brian.
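The exchange Brian captured with tcpdump, modelled as an added example (not code from the thread, from OpenSSL or from FreeBSD): a tiny in-memory ESMTP server that refuses STARTTLS with "503 5.5.1 EHLO/HELO first" until the client has greeted it, and a client that does what RFC 2821 requires: send EHLO, parse the 250 reply for the advertised STARTTLS extension, and only then issue STARTTLS. Running the client with `greet=False` reproduces the failing behaviour of the old s_client; the hostnames, the SIZE value and the reply wording are constructed for the example.

```python
"""ESMTP STARTTLS negotiation: EHLO first, then check the advertised
extensions, then STARTTLS. Constructed example; no network is used."""


class FakeEsmtpServer:
    """In-memory ESMTP server modelling the behaviour in the tcpdump trace:
    STARTTLS is answered with 503 until EHLO or HELO has been seen."""

    def __init__(self, hostname="mx.example.invalid"):  # constructed name
        self.hostname = hostname
        self.greeted = False
        self.tls_started = False
        self.transcript = []  # list of ("S" | "C", line)

    def greeting(self):
        line = f"220 {self.hostname} ESMTP ready"
        self.transcript.append(("S", line))
        return line

    def handle(self, command):
        """Process one client command and return the reply lines."""
        self.transcript.append(("C", command))
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            self.greeted = True
            lines = [f"250-{self.hostname}", "250-SIZE 35882577", "250 STARTTLS"]
        elif verb == "HELO":
            self.greeted = True
            lines = [f"250 {self.hostname}"]  # HELO: no extensions advertised
        elif verb == "STARTTLS":
            if not self.greeted:
                lines = ["503 5.5.1 EHLO/HELO first"]
            else:
                self.tls_started = True
                lines = ["220 2.0.0 Ready to start TLS"]
        elif verb == "QUIT":
            lines = ["221 2.0.0 closing connection"]
        else:
            lines = ["500 5.5.2 Command not recognized"]
        for line in lines:
            self.transcript.append(("S", line))
        return lines


def parse_ehlo_extensions(reply):
    """Return the set of extension keywords from a 250 EHLO reply.
    The first line carries the server domain, not an extension; later
    lines are '250-KEYWORD ...' or, for the last one, '250 KEYWORD ...'."""
    exts = set()
    for line in reply[1:]:
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            exts.add(line[4:].split()[0].upper())
    return exts


def starttls_client(server, helo_name="client.example.invalid", greet=True):
    """Drive the server as a conforming client: EHLO, verify that STARTTLS was
    announced, then STARTTLS. greet=False sends STARTTLS cold, which is what
    the thread's s_client did. Returns "tls", "no-starttls" or the error line."""
    server.greeting()
    if greet:
        reply = server.handle(f"EHLO {helo_name}")
        if "STARTTLS" not in parse_ehlo_extensions(reply):
            return "no-starttls"
    reply = server.handle("STARTTLS")
    return "tls" if reply[0].startswith("220") else reply[0]


def render_transcript(server):
    """Format the dialogue the way Brian's tcpdump summary reads:
    '<' for server lines, '>' for client lines."""
    return "\n".join(f"{'<' if who == 'S' else '>'} {line}"
                     for who, line in server.transcript)


if __name__ == "__main__":
    bad = FakeEsmtpServer()
    print(starttls_client(bad, greet=False))  # the 503 from the thread
    print(render_transcript(bad))
    good = FakeEsmtpServer()
    print(starttls_client(good))  # "tls"
    print(render_transcript(good))
```

Python's own `smtplib.SMTP.starttls()` follows the same order: it calls `ehlo_or_helo_if_needed()` and raises `SMTPNotSupportedError` when STARTTLS is not among the extensions the server announced, which is the check the message asks s_client to make.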