Stunnel and smtp.verizon.net:465

cah
General of the Army / Fleet Admiral / General of the Air Force
Posts: 1342
Joined: Sun Aug 17, 2008 5:05 am

Stunnel and smtp.verizon.net:465

Post by cah »

Starting around 02/25/2015 02:03:21, Verizon's mail server (smtp.verizon.net:465) started having SSL connection failures:

2015.02.25 02:03:21 LOG3[691:36]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I checked online and found testing methods:

1. With SSLv3:

%openssl s_client -connect smtp.verizon.net:465 -ssl3
CONNECTED(00000004)
18446741324916968248:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
18446741324916968248:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424995027
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
2. With TLS:

%openssl s_client -connect smtp.verizon.net:465 -tls1
CONNECTED(00000004)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
   i:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
 1 s:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
issuer=/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
---
No client certificate CA names sent
---
SSL handshake has read 3734 bytes and written 425 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 47AED003004F71A57D86DF654524398ED69F1E566EEDC1EEDD544485CAF8C701
    Session-ID-ctx: 
    Master-Key: 944609C9ACB3D524BC44289408D855DD6E240A5D6FA66156FFF8916C7C6FAA1C98633273EEA929761DDD9AB9404849DA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424995104
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 vms173025pub.verizon.net -- Server ESMTP (Oracle Communications Messaging Server 7.0.5.32.0 64bit (built Jul 16 2014))

It is waiting for mail commands!

Apparently, Verizon switched from SSLv3 to TLS on 02/24/2015 midnight (EST).

I read online (https://www.stunnel.org/pipermail/stunn ... 03876.html) that adding "protocol = smtp" will work. I checked the stunnel man page (http://www.stunnel.org/static/stunnel.html) and it has the following:

protocol = PROTO

    application protocol to negotiate SSL

    This option enables initial, protocol-specific negotiation of the SSL/TLS encryption. protocol option should not be used with SSL encryption on a separate port.

    Currently supported protocols:

    cifs

        Proprietary (undocumented) extension of CIFS protocol implemented in Samba. Support for this extension was dropped in Samba 3.0.0.
    connect

        Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT

        This protocol is only supported in client mode.
    imap

        Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP
    nntp

        Based on RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)

        This protocol is only supported in client mode.
    pgsql

        Based on http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982
    pop3

        Based on RFC 2449 - POP3 Extension Mechanism
    proxy

        Haproxy client IP address http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
    smtp

        Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS
    socks

        SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself is encapsulated within SSL/TLS encryption layer to protect the final destination address.

        http://www.openssh.com/txt/socks4.protocol

        http://www.openssh.com/txt/socks4a.protocol

        The BIND command of the SOCKS protocol is not supported. The USERID parameter is ignored.

        See Examples section for sample configuration files for VPN based on SOCKS encryption.

Looks like "protocol = smtp" does force it over TLS:

    smtp
        Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS

After adding "protocol = smtp" to /etc/stunnel/stunnel.conf and restarting stunnel, telnet looked more promising: it doesn't close the connection immediately. However, mail still cannot be sent.

The error changed from:

stat=Deferred: Connection reset by relay.hsiao.net

to:

stat=Deferred: Connection timed out with relay.hsiao.net

after 5 minutes.

When trying "openssl s_client -connect smtp.verizon.net:465 -tls1" manually, smtp.verizon.net was asking for authentication.

%openssl s_client -connect smtp.verizon.net:465 -tls1
CONNECTED(00000005)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
   i:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
 1 s:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
issuer=/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
---
No client certificate CA names sent
---
SSL handshake has read 3734 bytes and written 425 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 3F293C7519826FEDCD25E6B80A3207F0D0905773B5FDCC764B43D6B062665494
    Session-ID-ctx: 
    Master-Key: 673545268379F2A723F46673BDA8757E2A0B583838B35F0B307C35EF179DC51C3327D5C55ADC6128070C4297E320116A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424998685
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 vms173019pub.verizon.net -- Server ESMTP (Oracle Communications Messaging Server 7.0.5.32.0 64bit (built Jul 16 2014))
ehlo
250-vms173019pub.verizon.net
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-HELP
250-XLOOP 623074F15D5AB50692F777A60FB0071B
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN PLAIN
250-ETRN
250-NO-SOLICITING
250 SIZE 20971520
mail from: cah@hsiao.net
550 5.7.1 Authentication Required

There's nowhere I can provide authentication.

I read some posts online and people are complaining about 550 5.7.1 from Verizon as well.
I am not sure if this is just a temporary interruption or Verizon has stopped accepting SSLv3 connection.

Waiting for more tests............
CAH, The Great
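The stunnel log line quoted at the top of the post ("error:14094410 ... sslv3 alert handshake failure") and the sendmail "stat=Deferred: Connection reset by relay.hsiao.net" entry are the two things a defender actually has to read. The following is an added example, not code from the post or from the stunnel project: it unpacks the OpenSSL error code into library/function/reason fields (the pre-3.0 layout: 8 bits of library number, 12 bits of function, 12 bits of reason, with libssl reporting a received TLS alert as reason 1000 + alert number, which is why 0x14094410 corresponds to "SSL alert number 40" in the s_client output), then pairs each alert seen by stunnel with sendmail deferrals logged at the same second. The log lines are constructed after the ones in the post; the recipient address is a placeholder, and the syslog year is supplied by the caller because syslog lines do not carry one.

```python
import re
from datetime import datetime

# Constructed sample log lines. Their shape follows the stunnel and sendmail lines
# quoted in the post; the recipient address is a placeholder.
STUNNEL_LOG = """\
2015.02.25 02:03:21 LOG3[691:36]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.02.25 02:03:21 LOG5[691:36]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""
SYSLOG = """\
Feb 25 02:03:21 cahtoh02 sendmail[10017]: [ID 801593 mail.info] t1P73LKa010017: from=<cah@hsiao.net>, size=541, class=0, nrcpts=1, proto=ESMTP, daemon=Daemon0, relay=[192.168.1.3]
Feb 25 02:03:21 cahtoh02 sendmail[10017]: [ID 801593 mail.info] t1P73LKa010017: to=<user@example.com>, mailer=relay, relay=relay.hsiao.net. [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection reset by relay.hsiao.net.
"""

ERR_LIB_SSL = 20            # OpenSSL library number of libssl
ALERT_REASON_OFFSET = 1000  # libssl reports a received TLS alert as reason = 1000 + alert number
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
}


def decode_openssl_error(code):
    """Unpack a pre-3.0 OpenSSL error code: lib (8 bits) | func (12 bits) | reason (12 bits)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and ALERT_REASON_OFFSET <= reason < ALERT_REASON_OFFSET + 256:
        alert = reason - ALERT_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERT_NAMES.get(alert)}


STUNNEL_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
OSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def parse_stunnel_log(text):
    """One dict per stunnel log line; 'error' is filled in when the line carries an OpenSSL error string."""
    events = []
    for line in text.splitlines():
        m = STUNNEL_RE.match(line)
        if not m:
            continue
        ts, level, pid, conn, msg = m.groups()
        ev = {"time": datetime.strptime(ts, "%Y.%m.%d %H:%M:%S"), "level": int(level),
              "pid": int(pid), "conn": int(conn), "msg": msg, "error": None}
        e = OSSL_ERR_RE.search(msg)
        if e:
            ev["error"] = decode_openssl_error(int(e.group(1), 16))
            ev["error"]["function"] = e.group(3)       # e.g. SSL3_READ_BYTES
            ev["error"]["reason_text"] = e.group(4)    # e.g. sslv3 alert handshake failure
        events.append(ev)
    return events


SYSLOG_RE = re.compile(
    r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: (?:\[[^\]]*\] )?"
    r"(\w+): .*stat=(.*?)\.?$")


def parse_sendmail_deferrals(text, year):
    """Return (time, queue_id, status) for sendmail lines whose delivery was deferred."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not m.group(3).startswith("Deferred"):
            continue
        t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((t, m.group(2), m.group(3)))
    return out


def correlate_failures(stunnel_events, deferrals, window_seconds=2):
    """Pair each TLS alert stunnel logged with the sendmail deferrals inside the time window."""
    pairs = []
    for ev in stunnel_events:
        err = ev["error"]
        if not err or err["alert"] is None:
            continue
        for t, qid, status in deferrals:
            if abs((t - ev["time"]).total_seconds()) <= window_seconds:
                pairs.append({"queue_id": qid, "status": status, "stunnel_conn": ev["conn"],
                              "alert": err["alert"], "alert_name": err["alert_name"]})
    return pairs


def diagnose(pairs):
    """Turn each correlated alert into the check an operator should run next."""
    hints = {
        40: "relay rejected the offered protocol version or cipher suites; pin sslVersion in stunnel.conf and confirm with openssl s_client -tls1",
        70: "relay does not support the protocol version stunnel offered",
        48: "relay did not trust the certificate chain it was shown",
    }
    return [(p["queue_id"], hints.get(p["alert"], f"see TLS alert {p['alert']}")) for p in pairs]


if __name__ == "__main__":
    events = parse_stunnel_log(STUNNEL_LOG)
    deferrals = parse_sendmail_deferrals(SYSLOG, year=2015)
    for qid, hint in diagnose(correlate_failures(events, deferrals)):
        print(qid, "->", hint)
```

The decoder is only meaningful for OpenSSL 1.0.x/1.1.x error codes such as the one in the post; OpenSSL 3.0 dropped the function field and packs its codes differently.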
cah
General of the Army / Fleet Admiral / General of the Air Force
Posts: 1342
Joined: Sun Aug 17, 2008 5:05 am

Stunnel and smtp.verizon.net:465 - II

Post by cah »

Wondering how to really force stunnel to use TLSv1 to communicate with smtp.verizon.net:465.
I went back to stunnel man page and found and tried these first:

protocol = proto
    application protocol to negotiate SSL

    currently supported: cifs, connect, imap, nntp, pop3, smtp, pgsql 
protocolAuthentication = auth_type
    authentication type for protocol negotiations

    currently supported: basic, NTLM

    Currently authentication type only applies to 'connect' protocol.

    default: basic 
protocolHost = host:port
    destination address for protocol negotiations 
protocolPassword = password
    password for protocol negotiations 
protocolUsername = username
    username for protocol negotiations

I then set the following in stunnel.conf:

protocol = smtp
protocolAuthentication = basic
protocolHost = smtp.verizon.net:465
protocolUsername = cahtohsm
protocolPassword = c4ht0hsm

However, it didn't work.

I then found this:

sslVersion = version
    select version of SSL protocol

    Allowed options: all, SSLv2, SSLv3, TLSv1

I then tried the following in stunnel.conf:

sslVersion = TLSv1

Then, it worked!!!
I tried both 192.168.1.225:55555 with user credential and 192.168.1.225:25 without user credential and both worked.
The only difference is the former reacted faster than the latter one (1 second vs 4 seconds) and the former size is less than the latter.

Both syslog and stunnel.log show the failure at the same time:
/var/log/syslog:

Feb 25 02:03:21 cahtoh02 sendmail[10017]: [ID 801593 mail.info] t1P73LKa010017: from=<cah@hsiao.net>, size=541, class=0, nrcpts=1, msgid=<54ED73B4.7090701@hsiao.net>, proto=ESMTP, daemon=Daemon0, relay=[192.168.1.3]
Feb 25 02:03:21 cahtoh02 sendmail[10017]: [ID 801593 mail.info] t1P73LKa010017: to=<morgan2277@hotmail.com>, ctladdr=<cah@hsiao.net> (1001/4), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30541, relay=relay.hsiao.net. [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection reset by relay.hsiao.net.

/var/log/stunnel.log:

2015.02.25 02:03:21 LOG3[691:36]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.02.25 02:03:21 LOG5[691:36]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

I am glad I found a way to make it work.
Verizon apparently changed its server's SSL negotiation without informing users. Perhaps, they assume users are using mail clients that will support both SSL and TLS.

Tricky!
CAH, The Great
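The fix in this post is a one-line change to stunnel.conf, and the two options the thread passes through on the way there are exactly the ones worth checking in every stunnel client config: the man page excerpt above says "protocol option should not be used with SSL encryption on a separate port" (port 465 is such a port), that protocolAuthentication "only applies to 'connect' protocol", and that sslVersion may be "all", "SSLv2", "SSLv3" or "TLSv1". The following is an added example, not stunnel's own code and not from the post: a small parser for the stunnel.conf layout (global options, then [service] sections) plus a lint that reports those three conditions and, as a fourth, a client-mode service that never verifies the relay's certificate. The two configs are constructed; the service name, the loopback accept address and the CAfile path are assumptions, and the `verify` and `CAfile` options are real stunnel options that the post itself does not use. Newer stunnel builds also accept TLSv1.1 and TLSv1.2 as sslVersion values; TLSv1 is used below because it is the highest value the quoted man page lists.

```python
import re

# Constructed stunnel.conf fragments. WEAK_CONF combines the settings the post tried on
# its way to the fix; FIXED_CONF is the version that passes every check below.
# Service name, accept address and CAfile path are assumptions.
WEAK_CONF = """\
; global options
client = yes
sslVersion = SSLv3

[verizon-smtp]
accept = 127.0.0.1:55555
connect = smtp.verizon.net:465
protocol = smtp
protocolAuthentication = basic
"""

FIXED_CONF = """\
client = yes
sslVersion = TLSv1
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

[verizon-smtp]
accept = 127.0.0.1:55555
connect = smtp.verizon.net:465
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_stunnel_conf(text):
    """Return {section: [(key, value), ...]}; '' holds the global options before any [service]."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        s = SECTION_RE.match(line)
        if s:
            current = s.group(1)
            sections.setdefault(current, [])
            continue
        k = KEY_RE.match(line)
        if k:
            sections[current].append((k.group(1), k.group(2)))
    return sections


def effective(sections, service, key):
    """A service-level setting overrides the global one; the last occurrence wins within a scope."""
    for scope in (service, ""):
        vals = [v for k, v in sections.get(scope, []) if k.lower() == key.lower()]
        if vals:
            return vals[-1]
    return None


# Ports where TLS starts before any application greeting, so a STARTTLS-style
# 'protocol' negotiation has nothing to talk to.
IMPLICIT_TLS_PORTS = {"465", "993", "995"}


def lint(sections):
    """Return (service, option, message) for each risky or contradictory setting."""
    findings = []
    for service in (s for s in sections if s):
        ver = effective(sections, service, "sslVersion")
        if ver is None:
            findings.append((service, "sslVersion", "not set; the default depends on the stunnel build, pin TLSv1 or newer"))
        elif ver.lower() in ("all", "sslv2", "sslv3"):
            findings.append((service, "sslVersion", f"'{ver}' does not exclude SSLv2/SSLv3; pin TLSv1 or newer"))
        proto = effective(sections, service, "protocol")
        connect = effective(sections, service, "connect") or ""
        port = connect.rsplit(":", 1)[-1]
        if proto and port in IMPLICIT_TLS_PORTS:
            findings.append((service, "protocol", f"'{proto}' negotiates STARTTLS, but port {port} speaks TLS from the first byte"))
        if effective(sections, service, "protocolAuthentication") and proto != "connect":
            findings.append((service, "protocolAuthentication", "only applies when protocol = connect"))
        if effective(sections, service, "client") == "yes" and effective(sections, service, "verify") is None:
            findings.append((service, "verify", "client mode without 'verify': the relay's certificate chain is never checked"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {lint(parse_stunnel_conf(conf)) or 'no findings'}")
```

Run against WEAK_CONF the lint reports all four conditions; against FIXED_CONF it reports nothing. Pinning sslVersion is what made the post's connection succeed; adding `verify = 2` with a CAfile is what turns the "Verify return code: 19" seen in the s_client output into an actual check rather than a warning nobody reads.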