[Bug 1356843] Re: ccs received early errors after openssl security update
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Aug 15 19:17:14 UTC 2014
I've uploaded a package for precise-proposed for processing by the SRU
team.
** Description changed:
+ SRU request:
+
+ [Impact]
+
+ The CVE-2014-0224 update for openssl will now reject CCS messages when
+ they are received before encryption is negotiated. This has cause an
+ issue for certain sites attempting to send mail to Ubuntu 12.04 servers
+ running postfix. It turns out there is an incompatibility between
+ postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles session
+ ids. This was fixed in Postfix 2.10.2, and the minimal fix is included
+ in this debdiff.
+
+ [Test Case]
+ Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:
+
+ relayhost = server b's FQDN
+ smtp_tls_security_level = encrypt
+
+ Server B = Ubuntu 12.04 with postfix configured to receive mail with
+ forced tls:
+
+ smtpd_tls_security_level = encrypt
+
+ Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
+ warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
+
+ [Regression potential]
+ This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to ether fail completely, or to break when resuming sessions.
+
+
+ Original description:
+
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
** Changed in: postfix (Ubuntu Precise)
Status: Confirmed => In Progress
** Changed in: postfix (Ubuntu Precise)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Description changed:
SRU request:
[Impact]
The CVE-2014-0224 update for openssl will now reject CCS messages when
- they are received before encryption is negotiated. This has cause an
+ they are received before encryption is negotiated. This has caused an
issue for certain sites attempting to send mail to Ubuntu 12.04 servers
running postfix. It turns out there is an incompatibility between
postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles session
ids. This was fixed in Postfix 2.10.2, and the minimal fix is included
in this debdiff.
[Test Case]
Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:
relayhost = server b's FQDN
smtp_tls_security_level = encrypt
Server B = Ubuntu 12.04 with postfix configured to receive mail with
forced tls:
smtpd_tls_security_level = encrypt
Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
[Regression potential]
This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to ether fail completely, or to break when resuming sessions.
-
Original description:
Postfix is causing a TLS error, when relaying mails with TLS encryption:
warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1356843
Title:
ccs received early errors after openssl security update
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1356843/+subscriptions
More information about the Ubuntu-server-bugs
mailing list