openssl smtp AUTH LOGIN fails for one (local) user

Chr*_*972 2 encryption ssl openssl postfix-mta dovecot

On Gentoo Linux I have postfix-3.8.2, dovecot-2.3.20-r1, openssl-3.0.11

When I try AUTH LOGIN with one user I get an error. With another user it works.

40E7638A7B7F0000:error:0A00010A:SSL routines:can_renegotiate:wrong ssl version:../openssl-3.0.11/ssl/ssl_lib.c:2304:

Username and password are fine, confirmed with testsaslauthd -u username -p password -s smtp. AUTH PLAIN works without problems for the same user. But even with a wrong username or password I do not get this error, only a 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

###username_coded_base64### and ###password_coded_base64### were produced with:

echo -ne "string" | base64

or

perl -MMIME::Base64 -e 'print encode_base64("string")'

which give the same result.

$ openssl s_client -starttls smtp -crlf -connect FQDN:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = FQDN
verify return:1
---
Certificate chain
 0 s:CN = FQDN
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 26 03:00:36 2023 GMT; NotAfter: Dec 25 03:00:35 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = FQDN
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4749 bytes and written 434 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1C5FD97F04F96D1D4CD5B1E13DC7B84FC479DDDE840C331D0B3D6464CEB93A38
    Session-ID-ctx: 
    Resumption PSK: BD41DB00EF6DE7C29D57244C93C1FAB69B72F3CD8A45FF2319099930E97049258B21EE4AEE698A6BED856C60D309E656
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1698621383
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
AUTH LOGIN
334 VXNlcm5hbWU6
###username_coded_base64###
334 UGFzc3dvcmQ6
###password_coded_base64###
RENEGOTIATING
4017FB2AFC7E0000:error:0A00010A:SSL routines:can_renegotiate:wrong ssl version:../openssl-3.0.11/ssl/ssl_lib.c:2304:

Why is it renegotiating?

Ste*_*ich 5

> When I try AUTH LOGIN with one user I get an error. With another user it works. ...
> Why is it renegotiating?

The base64-encoded password of that particular user probably starts with "R". s_client interprets this as a request to start a renegotiation. From the documentation:

> CONNECTED COMMANDS (BASIC)
> ...
> When used interactively (which means neither -quiet nor -ign_eof have been given), and neither of the -adv or -nocommands options are given then "Basic" command mode is entered. In this mode certain commands are recognized which perform special operations. These commands are a letter which must appear at the start of a line. All other data on the line is ignored. The commands are listed below.
> ...
> R
> Renegotiate the SSL session (TLSv1.2 and below only).

So you need to add -nocommands to the command line:

$ openssl s_client -starttls smtp -nocommands -crlf -connect FQDN:587
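As an added illustration of the answer above (example code, not from the original post or from OpenSSL), this script base64-encodes AUTH LOGIN credentials the way the question does and flags any line whose first letter s_client would swallow as a "Basic" command instead of sending it to the server. 'R' is the letter discussed above; Q, k and K are the other command letters listed in the s_client(1) manual. The credentials "alice"/"Dragon42" are constructed sample values.

```python
"""Detect AUTH LOGIN lines that collide with openssl s_client command letters.

Added example, not part of the original question or answer.
"""
import base64

# Letters s_client recognises at the start of a line in "Basic" command
# mode. 'R' is the one the question hits (renegotiation, which TLSv1.3
# refuses with "wrong ssl version"); Q/k/K come from the s_client manual.
S_CLIENT_COMMANDS = {
    "Q": "end the SSL connection and exit",
    "R": "renegotiate the SSL session (TLSv1.2 and below only)",
    "k": "send a TLSv1.3 key update",
    "K": "send a TLSv1.3 key update and request one back",
}


def auth_login_lines(username: str, password: str) -> list[str]:
    """Return the two lines typed after AUTH LOGIN, in order: base64(username)
    answering '334 VXNlcm5hbWU6' (Username:) and base64(password) answering
    '334 UGFzc3dvcmQ6' (Password:)."""
    return [base64.b64encode(s.encode()).decode() for s in (username, password)]


def command_collisions(lines: list[str]) -> list[tuple[str, str]]:
    """Return (line, letter) for each line whose first character s_client
    would treat as a command rather than send to the SMTP server."""
    return [(ln, ln[0]) for ln in lines if ln and ln[0] in S_CLIENT_COMMANDS]


def s_client_argv(host: str, port: int = 587) -> list[str]:
    """Build the invocation from the answer: -nocommands disables "Basic"
    command mode so every typed line goes to the server verbatim."""
    return ["openssl", "s_client", "-starttls", "smtp", "-nocommands",
            "-crlf", "-connect", f"{host}:{port}"]


if __name__ == "__main__":
    # Constructed sample: any password whose first byte is 'D'..'G'
    # base64-encodes to a string beginning with 'R'.
    lines = auth_login_lines("alice", "Dragon42")
    for line, letter in command_collisions(lines):
        print(f"{line!r} starts with {letter!r}: {S_CLIENT_COMMANDS[letter]}")
    print(" ".join(s_client_argv("FQDN")))
```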