Re^2: STARTTLS Failure

Hi:

I have already looked at that and several others

I my have to do that as a fallback, but that ruins my "learning experience". Or perhaps that would be a better learning experience.

Thanks for suggestion

When I go through the steps using openssl, after the STARTTLS and the go ahead I send EHLO and the server sends back expected responses the I send the AUTH PLAIN and it is accepted. Perhaps openssl is doing something with negotiations in background of which I am unaware

RFC 3207 shows a typical exchange:

   S: 250-STARTTLS
   S: 250 DSN
   C: STARTTLS
   S: 220 Go ahead
   C: <starts TLS negotiation>
   C & S: <negotiate a TLS session>
   C & S: <check result of negotiation>
   C: EHLO mail.example.com
   S: 250-mail.imc.org touches your hand gently for a moment
[download]

I don't know specifically what these three example communications are: C: <starts TLS negotiation> C & S: <negotiate a TLS session> C & S: <check result of negotiation>.

Using openssl I go from S: 220 Go ahead to EHLO and it works up to the pint of a cert failure when I send the RCPT TO:

Comment on Re^2: STARTTLS Failure Download Code

Replies are listed 'Best First'.
Re^3: STARTTLS Failure by jeffenstein (Hermit) on May 04, 2018 at 14:03 UTC
Hi tultalk: I don't know specifically what these three example communications are: C: <starts TLS negotiation> C & S: <negotiate a TLS session> C & S: <check result of negotiation> This part would do a public key exchange and negotiate a private key for this session. After this step all data going to the server must be encrypted by openssl before sending, and all data coming from the server must be decrypted by openssl before it is usable The IO::Socket::SSL has an example of how to upgrade a socket from plain to SSL, assuming you are using IO::Socket::INET as the base socket. Search for "Talk Plain and SSL With The Same Socket" in the docs. I haven't looked at the code it uses, but I'm assuming that it re-blesses the socket into IO::Socket::SSL, and after that the IO::Socket::SSL module will encrypt any data you write to the socket before sending to the socket, and decrypt any data it reads from the socket before giving it to you. In the example above I didn't see any SSL modules, so I assumed you were still writing plaintext directly to the socket. If that's not the case, could you show the part that does the ssl negotiation and adds the layer to encrypt/decrypt? If you want a learning experience, Net::SSLeay directly exposes the openssl library's low-level functions to negotiate sessions, and encrypt/decrypt data. I've never used it directly myself, but I would imagine that there are some good examples in the IO::Socket::SSL sources.	[reply]

Replies are listed 'Best First'.

Re^3: STARTTLS Failure
by jeffenstein (Hermit) on May 04, 2018 at 14:03 UTC

Hi tultalk:

I don't know specifically what these three example communications are: C: <starts TLS negotiation> C & S: <negotiate a TLS session> C & S: <check result of negotiation>

This part would do a public key exchange and negotiate a private key for this session. After this step all data going to the server must be encrypted by openssl before sending, and all data coming from the server must be decrypted by openssl before it is usable

The IO::Socket::SSL has an example of how to upgrade a socket from plain to SSL, assuming you are using IO::Socket::INET as the base socket. Search for "Talk Plain and SSL With The Same Socket" in the docs. I haven't looked at the code it uses, but I'm assuming that it re-blesses the socket into IO::Socket::SSL, and after that the IO::Socket::SSL module will encrypt any data you write to the socket before sending to the socket, and decrypt any data it reads from the socket before giving it to you.

In the example above I didn't see any SSL modules, so I assumed you were still writing plaintext directly to the socket. If that's not the case, could you show the part that does the ssl negotiation and adds the layer to encrypt/decrypt?

If you want a learning experience, Net::SSLeay directly exposes the openssl library's low-level functions to negotiate sessions, and encrypt/decrypt data. I've never used it directly myself, but I would imagine that there are some good examples in the IO::Socket::SSL sources.

[reply]