Friday, June 07, 2019

Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

On 2019-06-06, kasak <kasak@kasakoff.net> wrote:
>
> Excuse me, can this issue also break dovecot and latest thunderbird?
> With the latest thunderbird 60.7.0 (on fedora) my dovecot (and
> opensmtpd) suddenly refuse to log me in.
> Dovecot shows something like this in logs:
>
> TLS handshaking: SSL_accept() failed: error:140270E3:SSL
> routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext

Yes I am pretty much certain this has the same cause.

Fixes:

- move the server to current where this has been fixed already

- the fix has been committed to -stable today so you can update libssl
from there; if you already have a checkout you can do this

cd /usr/src/lib/libssl
cvs up -r OPENBSD_6_5 -Pd
make obj
make
make install

(and restart the relevant services)

- an errata/syspatch is planned for this issue; should show up in the
next few days (possibly Monday)

- update crypto-policies from the Fedora testing repository, see links
in comments 10/11 on https://bugzilla.redhat.com/show_bug.cgi?id=1713777


> I found workarond for this, by switching from "STARTTLS" to SLL/TLS for
> imap. But OpenSMTPD still not working.
> As I said, this behavior appeared in latest thunderbird 60.7.0. Older
> versions of thunderbird work.

btw, where possible it's usually a good idea to use a port which just
uses plain TLS rather than starting as text and switching with STARTTLS,
this avoids the risk of a cleartext connection being intercepted and
modified to disable the STARTTLS. (of course if a client is configured
to never send cleartext credentials then it doesn't matter, but that's
not always done)

No comments:

Post a Comment