2014-08-14 11:52:08 |
Tim Ritberg |
bug |
|
|
added bug |
2014-08-15 14:08:49 |
Marc Deslauriers |
attachment added |
|
problem.pcap https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1356843/+attachment/4178514/+files/problem.pcap |
|
2014-08-15 18:57:28 |
Marc Deslauriers |
affects |
openssl (Ubuntu) |
postfix (Ubuntu) |
|
2014-08-15 18:57:37 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Precise |
|
2014-08-15 18:57:37 |
Marc Deslauriers |
bug task added |
|
postfix (Ubuntu Precise) |
|
2014-08-15 18:57:44 |
Marc Deslauriers |
postfix (Ubuntu): status |
New |
Fix Released |
|
2014-08-15 18:57:47 |
Marc Deslauriers |
postfix (Ubuntu Precise): status |
New |
Confirmed |
|
2014-08-15 18:58:44 |
Marc Deslauriers |
attachment added |
|
postfix_2.9.6-1~12.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1356843/+attachment/4178779/+files/postfix_2.9.6-1%7E12.04.2.debdiff |
|
2014-08-15 19:09:08 |
Marc Deslauriers |
summary |
ccs received early |
ccs received early errors after openssl security update |
|
2014-08-15 19:15:42 |
Marc Deslauriers |
description |
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146: |
SRU request:
[Impact]
The CVE-2014-0224 update for openssl will now reject CCS messages when they are received before encryption is negotiated. This has cause an issue for certain sites attempting to send mail to Ubuntu 12.04 servers running postfix. It turns out there is an incompatibility between postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles session ids. This was fixed in Postfix 2.10.2, and the minimal fix is included in this debdiff.
[Test Case]
Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:
relayhost = server b's FQDN
smtp_tls_security_level = encrypt
Server B = Ubuntu 12.04 with postfix configured to receive mail with forced tls:
smtpd_tls_security_level = encrypt
Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
[Regression potential]
This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to either fail completely, or to break when resuming sessions.
Original description:
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146: |
|
2014-08-15 19:15:54 |
Marc Deslauriers |
postfix (Ubuntu Precise): status |
Confirmed |
In Progress |
|
2014-08-15 19:15:57 |
Marc Deslauriers |
postfix (Ubuntu Precise): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2014-08-15 19:16:05 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2014-08-15 19:16:26 |
Marc Deslauriers |
description |
SRU request:
[Impact]
The CVE-2014-0224 update for openssl will now reject CCS messages when they are received before encryption is negotiated. This has cause an issue for certain sites attempting to send mail to Ubuntu 12.04 servers running postfix. It turns out there is an incompatibility between postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles session ids. This was fixed in Postfix 2.10.2, and the minimal fix is included in this debdiff.
[Test Case]
Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:
relayhost = server b's FQDN
smtp_tls_security_level = encrypt
Server B = Ubuntu 12.04 with postfix configured to receive mail with forced tls:
smtpd_tls_security_level = encrypt
Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
[Regression potential]
This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to either fail completely, or to break when resuming sessions.
Original description:
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146: |
SRU request:
[Impact]
The CVE-2014-0224 update for openssl will now reject CCS messages when they are received before encryption is negotiated. This has caused an issue for certain sites attempting to send mail to Ubuntu 12.04 servers running postfix. It turns out there is an incompatibility between postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles session ids. This was fixed in Postfix 2.10.2, and the minimal fix is included in this debdiff.
[Test Case]
Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:
relayhost = server b's FQDN
smtp_tls_security_level = encrypt
Server B = Ubuntu 12.04 with postfix configured to receive mail with forced tls:
smtpd_tls_security_level = encrypt
Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
[Regression potential]
This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to either fail completely, or to break when resuming sessions.
Original description:
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146: |
|
2014-08-15 19:18:16 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
2014-08-15 19:18:25 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Security Team |
2014-08-16 01:23:17 |
Scott Kitterman |
bug |
|
|
added subscriber SRU Verification |
2014-08-16 01:23:25 |
Scott Kitterman |
tags |
|
verification-needed |
|
2014-08-16 01:39:44 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/postfix |
|
2014-08-18 13:38:08 |
Scott Kitterman |
tags |
verification-needed |
verification-done |
|
2014-08-18 13:38:34 |
Scott Kitterman |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2014-08-18 13:44:12 |
Launchpad Janitor |
postfix (Ubuntu Precise): status |
In Progress |
Fix Released |
|
2014-08-18 15:37:43 |
Marc Deslauriers |
bug task added |
|
openssl (Ubuntu) |
|
2014-08-18 15:38:15 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Lucid |
|
2014-08-18 15:38:15 |
Marc Deslauriers |
bug task added |
|
openssl (Ubuntu Lucid) |
|
2014-08-18 15:38:15 |
Marc Deslauriers |
bug task added |
|
postfix (Ubuntu Lucid) |
|
2014-08-18 15:38:31 |
Marc Deslauriers |
openssl (Ubuntu Precise): status |
New |
Invalid |
|
2014-08-18 15:38:36 |
Marc Deslauriers |
openssl (Ubuntu): status |
New |
Invalid |
|
2014-08-18 15:38:41 |
Marc Deslauriers |
openssl (Ubuntu Lucid): status |
New |
Confirmed |
|
2014-08-18 15:38:43 |
Marc Deslauriers |
openssl (Ubuntu Lucid): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2014-08-18 15:40:30 |
Marc Deslauriers |
postfix (Ubuntu Lucid): status |
New |
Invalid |
|
2014-08-18 18:02:00 |
Launchpad Janitor |
openssl (Ubuntu Lucid): status |
Confirmed |
Fix Released |
|
2014-08-18 18:34:51 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-security/openssl |
|
2014-11-20 17:39:12 |
krzysiek |
bug |
|
|
added subscriber krzysiek |