我正在尝试使用以下命令获取邮件服务器的证书s_client
$ /opt/local/bin/openssl s_client -starttls smtp -connect corti.li:25
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140735895012360:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 307 bytes and written 343 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1493391452
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
我得到didn't found starttls in server response, try anyway...
但是在端口 25 上执行 telnet 会在支持的选项中显示 STARTTLS
$ telnet corti.li 25
Trying 2a01:4f8:c17:3bac::2...
Connected to corti.li.
Escape character is '^]'.
220 corti.li ESMTP
EHLO casa.corti.li
250-corti.li
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
和
STARTTLS
220 2.0.0 Ready to start TLS
在端口 587 上一切正常。
我使用的是 postfix,两个端口的配置方式相同:
smtp inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
submission inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
在尝试连接时,我在日志中看不到任何内容。
我可以OpenSSL 1.0.2k-fips 26 Jan 2017在 Linux 上连接,但无法在 macOS 上使用相同版本 ( OpenSSL 1.0.2k 26 Jan 2017)。
有什么可能出问题的提示吗?
编辑
我刚刚发现我的提供商正在劫持连接:
/usr/bin/openssl s_client -starttls smtp -connect corti.li:25 -debug
CONNECTED(00000003)
read from 0x7fe0d3402930 [0x7fe0d3802000] (4096 bytes => 82 (0x52))
0000 - 32 32 30 20 6e 77 61 73-2e 6c 62 2e 62 6c 75 65 220 nwas.lb.blue
0010 - 77 69 6e 2e 63 68 20 76-69 6d 64 7a 6d 73 70 2d win.ch vimdzmsp-
0020 - 6e 77 61 73 30 32 2e 62-6c 75 65 77 69 6e 2e 63 nwas02.bluewin.c
0030 - 68 20 53 77 69 73 73 63-6f 6d 20 41 47 20 45 53 h Swisscom AG ES
0040 - 4d 54 50 20 73 65 72 76-65 72 20 72 65 61 64 79 MTP server ready
0050 - 0d 0a ..
write to 0x7fe0d3402930 [0x7fe0d3803000] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69 EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a ent.net..
read from 0x7fe0d3402930 [0x7fe0d3802000] (4096 bytes => 192 (0xC0))
0000 - 32 35 30 2d 6e 77 61 73-2e 6c 62 2e 62 6c 75 65 250-nwas.lb.blue
0010 - 77 69 6e 2e 63 68 20 68-65 6c 6c 6f 20 5b 36 32 win.ch hello [62
0020 - 2e 32 30 33 2e 32 33 30-2e 32 33 35 5d 2c 20 70 .203.230.235], p
0030 - 6c 65 61 73 65 64 20 74-6f 20 6d 65 65 74 20 79 leased to meet y
0040 - 6f 75 0d 0a 32 35 30 2d-41 55 54 48 20 4c 4f 47 ou..250-AUTH LOG
0050 - 49 4e 20 50 4c 41 49 4e-20 43 52 41 4d 2d 4d 44 IN PLAIN CRAM-MD
0060 - 35 20 44 49 47 45 53 54-2d 4d 44 35 0d 0a 32 35 5 DIGEST-MD5..25
0070 - 30 2d 53 49 5a 45 20 32-36 32 31 34 34 30 30 0d 0-SIZE 26214400.
0080 - 0a 32 35 30 2d 45 4e 48-41 4e 43 45 44 53 54 41 .250-ENHANCEDSTA
0090 - 54 55 53 43 4f 44 45 53-0d 0a 32 35 30 2d 50 49 TUSCODES..250-PI
00a0 - 50 45 4c 49 4e 49 4e 47-0d 0a 32 35 30 2d 38 42 PELINING..250-8B
00b0 - 49 54 4d 49 4d 45 0d 0a-32 35 30 20 4f 4b 0d 0a ITMIME..250 OK..
didn't found starttls in server response, try anyway...
write to 0x7fe0d3402930 [0x7fff5d5363b0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 0x7fe0d3402930 [0x7fe0d4803000] (8192 bytes => 26 (0x1A))
0000 - 35 30 30 20 63 6f 6d 6d-61 6e 64 20 75 6e 72 65 500 command unre
0010 - 63 6f 67 6e 69 7a 65 64-0d 0a cognized..
write to 0x7fe0d3402930 [0x7fe0d4807000] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff b6 e6 d5 52 4c 9e-1f 29 1d 19 a4 8a 17 b3 .....RL..)......
0070 - cd 06 7e bf 6f 68 8c b2-1d 78 21 9d 05 a1 f5 9c ..~.oh...x!.....
0080 - 72 r
0082 - <SPACES/NULS>
read from 0x7fe0d3402930 [0x7fe0d480c600] (7 bytes => 7 (0x7))
0000 - 35 30 30 20 35 2e 35 500 5.5
78713:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:618:
但仅限于使用 OpenSSL 时。通过 telnet,我可以访问我的机器(见上文)。
现在的问题是:为什么 OpenSSL 有所不同?
答案1
0010 - 77 ... win.ch hello [62 0020 - 2e ... .203.230.235], p
从这里你可以看到 openssl 正在与 IPv4 连接,而......
$ telnet corti.li 25 Trying 2a01:4f8:c17:3bac::2...
使用 telnet 显然您正在使用 IPv6。因此我的猜测是 ISP 正在拦截 IPv4 连接,但不会拦截 IPv6 连接。您可以通过使用 telnet 强制执行 IPv4 来检查这一点,即telnet -4 ...