From owner-freebsd-current@freebsd.org Sun Aug 16 18:50:00 2020
Date: Sun, 16 Aug 2020 11:49:52 -0700
From: Benjamin Kaduk
To: Ronald Klop
Cc: freebsd-current@freebsd.org
Subject: Re: dma fails to connect (error:1408F10B:SSL routines:ssl3_get_record:wrong version number)
Message-ID: <20200816184952.GZ92412@kduck.mit.edu>
User-Agent: Mutt/1.12.1 (2019-06-15)
List-Id: Discussions about the use of FreeBSD-current

On Sun, Aug 16, 2020 at 04:44:51PM +0200, Ronald Klop wrote:
> Hi,
>
> I have uname -UK -> 1300101 1300101 in my laptop. This uses libexec/dma as
> mail agent.
> I have 2 jails running uname -U -> 1300101 and 1300104. All dma configs
> are the same.
>
> In all 1300101 versions dma can deliver mail to my smarthost. On 1300104 I
> get:
>
> Aug 16 16:29:00 freebsd13_py3 dma[385ba.800e480a0][52169]: trying remote
> delivery to smtp.greenhost.nl [213.108.110.112] pref 0
> Aug 16 16:29:00 freebsd13_py3 dma[385ba.800e480a0][52169]:
> SSL_client_method
> Aug 16 16:29:00 freebsd13_py3 dma[385ba.800e480a0][52169]: remote delivery
> deferred: SSL handshake failed fatally: error:1408F10B:SSL
> routines:ssl3_get_record:wrong version number
>
> Any thoughts on this?
> bisecting this will take me hours and hours of compilation

IMO bisecting is not the fastest approach.
"ssl3_get_record:wrong version number" sometimes means "you tried to speak
TLS to an endpoint that's doing plaintext", but if it reflects an actual
TLS version mismatch, a packet capture should make it clear quite quickly.
Note that openssl upstream has been gradually ratcheting the default
settings towards a more-secure state, so if your peer is only using TLS
1.0/1.1, non-AEAD ciphers, etc., a local upgrade might result in a failure
to communicate with the default settings.

-Ben
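Added diagnostic example, not part of the thread or of dma: a small Python probe that reads what an SMTP port sends before the client says anything and classifies it the way OpenSSL's record layer would, which separates Ben's "TLS spoken to a plaintext endpoint" case from a real version mismatch. The host and port in the live probe are placeholders; the banner and record bytes in the self-check are constructed.

```python
import socket

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_first_bytes(first: bytes) -> str:
    """Classify the first bytes a server volunteers, as OpenSSL's record layer sees them.

    A TLS record starts with a content-type byte and a 2-byte version 0x03xx.
    A plaintext SMTP server greets with "220 ..." before the client sends
    anything, so a client that immediately speaks TLS reads content type 0x32
    ('2') and version 0x3230 ("20"): exactly the "wrong version number" error.
    """
    if len(first) < 5:
        return "too-short"
    ctype, major, minor = first[0], first[1], first[2]
    if ctype in TLS_CONTENT_TYPES and major == 0x03 and minor <= 0x04:
        return "tls-record"
    if first[:3].isdigit() and first[3:4] in (b" ", b"-"):
        return "smtp-plaintext-banner"
    return "unknown"


def record_version_seen(first: bytes) -> int:
    """Return the 16-bit version field OpenSSL would parse from bytes 1..2."""
    return (first[1] << 8) | first[2]


def probe_smtp_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and read whatever the server sends before we say anything.

    A plaintext/STARTTLS port (usually 25 or 587) sends a 220 banner at once.
    An implicit-TLS port (usually 465) stays silent until it gets a ClientHello,
    so a timeout with no bytes is itself a useful answer.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(64)
        except socket.timeout:
            return "silent (server is waiting for a ClientHello: implicit TLS)"
    return classify_first_bytes(data)


if __name__ == "__main__":
    # Offline self-check on a constructed banner; swap in probe_smtp_port("smarthost.example", 587)
    # (placeholder host) to test a real smarthost.
    banner = b"220 smtp.example.net ESMTP ready\r\n"
    print(classify_first_bytes(banner), hex(record_version_seen(banner)))
```

If the probe reports a plaintext banner on the port dma is configured to wrap in TLS from the first byte, the fix is on the client side (use STARTTLS on that port, or the implicit-TLS port); if it reports a TLS record and the handshake still fails, the capture Ben suggests will show the offered versions and ciphers.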