NetMat

TLS handshake failed.


Hi,

Does anyone know how I can check on which side the connection is being dropped? I can't send mail to one person because I keep getting "4.7.0 TLS handshake failed."

Log from my server:

Jul 7 10:28:24 mail sendmail[2349]: t66DGAS0153130: to=<****@****.com>, ctladdr=<****@*****.net> (1059/586), delay=19:39:08, xdelay=00:00:01, mailer=esmtp, pri=8567217, relay=inbound30.exchangedefender.com. [206.125.40.143], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.


Checking the TLS connection to the recipient's mail server:

CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.exchangedefender.com
verify return:1
139930005202760:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3331:
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.exchangedefender.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.exchangedefender.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: DH, 512 bits
---
SSL handshake has read 4551 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID: 99A1EF07A5632CF326D84097BFD8F7747DDA50EE70EC520908EDA6BE45E07F1A
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1436259673
Timeout : 300 (sec)
Verify return code: 0 (ok)
---


It seems to me that the problem is on their side - they don't send the CA + their key is too short, but I want to make sure.


For comparison, here is what it outputs when connecting to my server:


CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = ********, ST = ********, L = *********, O = **********, OU = *****, CN = *.***********
verify return:1
---
Certificate chain
0 s:/C=********/ST=********/L=*********/O=**********/OU=*****/CN=*.***********
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/C=********/ST=********/L=*********/O=**********/OU=*****/CN=*.***********
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
Acceptable client certificate CA names
/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 4438 bytes and written 614 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bits
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: AA3F2B9FCB645DE902327FF9257A2A1F9E150F7BBBD85B138714A7F49313DD09
Session-ID-ctx:
Master-Key: 25B26557AA06DC843C7C31946CEE17151B7FAF2AFEC1026E8653CDDBF5950ED4C4F7178C3753D80973D527C047A890D2
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 1 (seconds)
TLS session ticket:

Start Time: 1436260365
Timeout : 300 (sec)
Verify return code: 0 (ok)
---


Thanks in advance for your help.


The problem is on the other side, and it is related to the latest June OpenSSL update:


https://mta.openssl.org/pipermail/openssl-announce/2015-June/000032.html


OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.


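One way to answer the original question of which side drops the handshake, as an added example that is not code from either poster: a small Python checker that parses `openssl s_client` transcripts (the excerpts below are constructed from the two transcripts in this thread) and applies the 768-bit DH floor from the linked OpenSSL announcement. The sending MTA is the TLS client here, so "dh key too small" is our own OpenSSL refusing the remote server's 512-bit DH parameters; the function name `diagnose`, the result keys and the 2048-bit recommended floor are this example's assumptions, not something the thread states.

```python
import re

# Floor OpenSSL introduced in June 2015 (see the linked announcement); the 2048-bit
# figure is this example's own recommended floor, not something the thread states.
MIN_DH_BITS_OPENSSL_2015 = 768
RECOMMENDED_DH_BITS = 2048

TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*(\w+),\s*(\d+)\s*bits", re.M)
ERROR_RE = re.compile(r"SSL routines:[^:]*:([^:]+):")
CIPHER_RE = re.compile(r"^New,.*Cipher is \(?([A-Za-z0-9-]+)\)?", re.M)

def diagnose(s_client_output):
    """Classify an `openssl s_client` transcript: did the handshake fail, and whose setting is at fault."""
    m = TEMP_KEY_RE.search(s_client_output)
    key_type, bits = (m.group(1), int(m.group(2))) if m else (None, None)
    e = ERROR_RE.search(s_client_output)
    c = CIPHER_RE.search(s_client_output)
    result = {"temp_key": key_type, "temp_key_bits": bits,
              "error": e.group(1) if e else None, "cipher": c.group(1) if c else None}
    if result["error"] == "dh key too small" or (key_type == "DH" and bits < MIN_DH_BITS_OPENSSL_2015):
        # Our OpenSSL client refused the server's ephemeral DH parameters: the
        # weak value is the remote server's, the enforcement is on our side.
        result["verdict"] = "client rejected server DH parameters"
        result["fix_on"] = "remote server"
    elif key_type == "DH" and bits < RECOMMENDED_DH_BITS:
        result["verdict"] = "accepted, but DH parameters below recommended size"
        result["fix_on"] = "remote server"
    elif result["cipher"] and result["cipher"] != "NONE":
        result["verdict"] = "handshake ok"
        result["fix_on"] = None
    else:
        result["verdict"] = "handshake failed for another reason"
        result["fix_on"] = "unknown"
    return result

# Constructed excerpts of the two transcripts posted in this thread.
REMOTE_OUTPUT = """\
139930005202760:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3331:
Server Temp Key: DH, 512 bits
New, (NONE), Cipher is (NONE)
"""
OWN_OUTPUT = """\
Server Temp Key: DH, 2048 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    for name, out in (("remote", REMOTE_OUTPUT), ("own", OWN_OUTPUT)):
        print(name, diagnose(out))
```

Feed it the output of `openssl s_client -starttls smtp -connect host:25` for the remote MX and for your own server; a "remote server" verdict means the remediation (larger DH parameters) belongs to the other operator, not to your MTA.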