ccs received early errors after openssl security update
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Invalid | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Marc Deslauriers |
Precise | Invalid | Undecided | Unassigned |
postfix (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Invalid | Undecided | Unassigned |
Precise | Fix Released | Undecided | Marc Deslauriers |
Bug Description
SRU request:
[Impact]
The CVE-2014-0224 update for openssl will now reject CCS messages when they are received before encryption is negotiated. This has caused an issue for certain sites attempting to send mail to Ubuntu 12.04 servers running postfix. It turns out there is an incompatibility between postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles session ids. This was fixed in Postfix 2.10.2, and the minimal fix is included in this debdiff.
[Test Case]
Server A = Ubuntu 10.04 with postfix configured to forward mail, i.e.:
relayhost = server b's FQDN
smtp_tls_
Server B = Ubuntu 12.04 with postfix configured to receive mail with forced tls:
smtpd_tls_
Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
warning: TLS library problem: 31807:error:
[Regression potential]
This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to either fail completely, or to break when resuming sessions.
Original description:
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:
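The test case above amounts to sending several mails and then checking mail.log on the sending side for the OpenSSL error string, while the receiving side only shows "lost connection after STARTTLS". The following is an added example, not part of the bug report or of Postfix, that parses Postfix "TLS library problem" warnings into their OpenSSL components (thread id, error code, library, function, reason, file:line) and counts the "ccs received early" failures, plus the matching STARTTLS disconnects on the server side. The log lines are constructed for this example; only the error string layout and the 14094085 code come from the report.

```python
import re
from collections import Counter

# Constructed sample from the sending server (Server A). The OpenSSL error
# string mirrors the one quoted in the report; the other lines are filler
# that must not match. Hostnames and addresses are placeholders.
SAMPLE_LOG_A = """\
Jun  6 09:12:01 servera postfix/smtp[25971]: warning: TLS library problem: 25971:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
Jun  6 09:12:01 servera postfix/smtp[25971]: 1A2B3C4D5E: to=<user@serverb.example>, relay=serverb.example[192.0.2.10]:25, delay=0.3, dsn=4.4.2, status=deferred (lost connection with serverb.example[192.0.2.10] while sending end of data -- message may be sent more than once)
Jun  6 09:12:04 servera postfix/smtp[25972]: warning: TLS library problem: 25972:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
Jun  6 09:15:00 servera postfix/smtp[25980]: 1A2B3C4D5E: to=<user@serverb.example>, relay=serverb.example[192.0.2.10]:25, delay=3.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F00BA4)
"""

# Constructed sample from the receiving server (Server B).
SAMPLE_LOG_B = """\
Jun  6 09:12:01 serverb postfix/smtpd[4410]: connect from servera.example[192.0.2.20]
Jun  6 09:12:01 serverb postfix/smtpd[4410]: lost connection after STARTTLS from servera.example[192.0.2.20]
Jun  6 09:12:01 serverb postfix/smtpd[4410]: disconnect from servera.example[192.0.2.20]
Jun  6 09:12:04 serverb postfix/smtpd[4411]: lost connection after STARTTLS from servera.example[192.0.2.20]
"""

# Postfix logs each queued OpenSSL error as
#   warning: TLS library problem: <thread>:<ERR_error_string>:<file>:<line>:
# The trailing colon is optional here so a trimmed line (as quoted in the
# report) still parses.
TLS_PROBLEM_RE = re.compile(
    r"postfix/(?P<proc>\w+)\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"(?P<errstr>\d+:error:.*?):?$"
)
OPENSSL_ERR_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)$"
)
STARTTLS_LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after STARTTLS from (?P<peer>\S+)"
)


def parse_tls_problems(log_text):
    """Return one dict per 'TLS library problem' warning found in the log."""
    found = []
    for line in log_text.splitlines():
        m = TLS_PROBLEM_RE.search(line)
        if not m:
            continue
        e = OPENSSL_ERR_RE.match(m.group("errstr"))
        if not e:
            continue  # unexpected layout: skip rather than guess at fields
        found.append({
            "process": m.group("proc"),
            "pid": int(m.group("pid")),
            "code": e.group("code").upper(),
            "lib": e.group("lib"),
            "func": e.group("func"),
            "reason": e.group("reason"),
            "location": "%s:%s" % (e.group("file"), e.group("line")),
        })
    return found


def count_reasons(problems):
    """Histogram of OpenSSL reason strings, e.g. 'ccs received early'."""
    return Counter(p["reason"] for p in problems)


def ccs_early_count(log_text):
    """Number of 'ccs received early' failures on the sending side."""
    return count_reasons(parse_tls_problems(log_text))["ccs received early"]


def starttls_loss_count(log_text):
    """Number of 'lost connection after STARTTLS' events on the receiving side."""
    return sum(1 for line in log_text.splitlines() if STARTTLS_LOST_RE.search(line))


if __name__ == "__main__":
    for p in parse_tls_problems(SAMPLE_LOG_A):
        print("%s[%d] %s %s/%s: %s (%s)" % (
            p["process"], p["pid"], p["code"], p["lib"], p["func"],
            p["reason"], p["location"]))
    print("ccs received early on Server A:", ccs_early_count(SAMPLE_LOG_A))
    print("lost after STARTTLS on Server B:", starttls_loss_count(SAMPLE_LOG_B))
```

Running this over real logs (for example `python3 parse_tls.py < /var/log/mail.log` after replacing the constructed samples with `sys.stdin.read()`) gives a quick before/after count when verifying the update: the "ccs received early" count on Server A should drop to zero once the patched postfix is installed on Server B, and the STARTTLS disconnect count on Server B should follow it.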
summary: changed from "ccs received early" to "ccs received early errors after openssl security update"
So from the irc discussion:
two servers, one Ubuntu 10.04, and one Ubuntu 12.04. Both are using postfix. The 12.04 server is running postfix 2.9.6-1~12.04.1.
10.04 is running openssl 0.9.8k-7ubuntu8.20 and 12.04 is running openssl 1.0.1-4ubuntu5.17.
The 10.04 is sending mail to the 12.04 server.
The 10.04 is getting the following in the log:
TLS library problem: 25971:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146
The 12.04 is getting the following:
lost connection after STARTTLS