Date: Sun, 16 Aug 2020 11:49:52 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ronald Klop <ronald-lists@klop.ws>
Cc: freebsd-current@freebsd.org
Subject: Re: dma fails to connect (error:1408F10B:SSL routines:ssl3_get_record:wrong version number)
Message-ID: <20200816184952.GZ92412@kduck.mit.edu>
In-Reply-To: <op.0pf5w1askndu52@sjakie>
References: <op.0pf5w1askndu52@sjakie>
On Sun, Aug 16, 2020 at 04:44:51PM +0200, Ronald Klop wrote:
> Hi,
>
> I have uname -UK -> 1300101 1300101 in my laptop. This uses libexec/dma as
> mail agent.
> I have 2 jails running uname -U -> 1300101 and 1300104. All dma configs
> are the same.
>
> In all 1300101 versions dma can deliver mail to my smarthost. On 1300104 I
> get:
>
> Aug 16 16:29:00 freebsd13_py3 dma[385ba.800e480a0][52169]: trying remote
> delivery to smtp.greenhost.nl [213.108.110.112] pref 0
> Aug 16 16:29:00 freebsd13_py3 dma[385ba.800e480a0][52169]:
> SSL_client_method
> Aug 16 16:29:00 freebsd13_py3 dma[385ba.800e480a0][52169]: remote delivery
> deferred: SSL handshake failed fatally: error:1408F10B:SSL
> routines:ssl3_get_record:wrong version number
>
> Any thoughts on this?
> bisecting this will take me hours and hours of compilation

IMO bisecting is not the fastest approach.

"ssl3_get_record:wrong version number" sometimes means "you tried to speak
TLS to an endpoint that's doing plaintext", but if it reflects an actual
TLS version mismatch, a packet capture should make it clear quite quickly.

Note that openssl upstream has been gradually ratcheting the default
settings towards a more-secure state, so if your peer is only using TLS
1.0/1.1, non-AEAD ciphers, etc., a local upgrade might result in a failure
to communicate with the default settings.

-Ben
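
Added example, not part of the original message and not code from dma or OpenSSL: a small classifier for the first bytes the server sends back, as copied out of a packet capture, separating the two cases named above (a plaintext SMTP banner read as a TLS record versus a real TLS record or alert). The function name and the sample byte strings are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # subset of the registry

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a server sent, as copied out of a capture."""
    if len(data) < 5:
        return {"kind": "short"}
    # TLS record header: content type (1), version (2), length (2)
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype in CONTENT_TYPES and version >> 8 == 3:
        info = {"kind": "tls", "content_type": CONTENT_TYPES[ctype],
                "record_version": VERSIONS.get(version, hex(version))}
        if ctype == 21 and len(data) >= 7:
            # Alert body: level (1 = warning, 2 = fatal), description
            info["alert"] = ALERTS.get(data[6], str(data[6]))
            info["fatal"] = data[5] == 2
        elif ctype == 22 and len(data) >= 11 and data[5] == 2:
            # ServerHello: type (1), length (3), legacy version (2).
            # A TLS 1.3 server also puts 0x0303 here; the real version
            # is then in the supported_versions extension.
            hello = struct.unpack("!H", data[9:11])[0]
            info["hello_version"] = VERSIONS.get(hello, hex(hello))
        return info
    # SMTP reply line: three digits, then space or hyphen
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return {"kind": "plaintext-smtp",
                "banner": data.split(b"\r\n")[0].decode("ascii", "replace"),
                # what a TLS parser reads where the version field would be
                "bytes_as_version": hex(version)}
    return {"kind": "unknown", "head": data[:16].hex()}

# Constructed samples, not taken from the thread
SMTP_BANNER = b"220 mail.example.net ESMTP\r\n"
FATAL_ALERT = bytes.fromhex("15030100020246")
SERVER_HELLO = bytes.fromhex("160303004a020000460303")

if __name__ == "__main__":
    for sample in (SMTP_BANNER, FATAL_ALERT, SERVER_HELLO):
        print(classify_first_bytes(sample))
```

For the banner sample the two bytes in the version position are ASCII "20" (0x3230), so the major version byte is 0x32 rather than 3, which is how a plaintext reply ends up reported as a version error.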