False positive SSL/TLS with Postfix STARTTLS

The GVM Community edition reports a false positive on TLS1 and TLS1.1 on Postfix.

NVTs version: 20220803T1012
Greenbone Security Assistant version: 21.4.3

OpenSSL reports that TLS1.1 is not supported via

openssl s_client -connect my.mail.host:25 -starttls smtp -tls1_1
139648293254464:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:…/ssl/statem/statem_clnt.c:1112:

However

openssl s_client -connect my.mail.host:25 -starttls smtp -tls1_2

connects fine.

Hi and welcome to this community portal,

could you cross-check with a more reliable check (e.g. https://github.com/rbsec/sslscan; newer versions of that tool seem to not rely on older OpenSSL versions anymore) than openssl s_client?

I’m asking because the checks for SSL/TLS are quite strict, have been proven to work for so many years, and all supposed false positives related to SSL/TLS topics have been found to be invalid and were caused by either, e.g.,

  • a too new OpenSSL library used by the other testing tools, which didn’t support the related protocol anymore
  • specific service misconfigurations (e.g. it still offered a deprecated protocol when accessing via the IP instead of via the hostname / by using SNI)
4 Likes

Hi

Thanks for the quick reply. Yes, you are right:

johan@johan ~/tmp/bort/sslscan $ ./sslscan --starttls-smtp my.mail.host:25
Version: 2.0.15-static
OpenSSL 1.1.1r-dev xx XXX xxxx

Connected to x.x.x.x

Testing SSL server my.mail.host on port 25 using SNI name my.mail.host

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled

The problem is on my Postfix then. Tricky with the OpenSSL that did not support the old protocols as a client. Thank you again for the quick and accurate reply.

3 Likes
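The pitfall in this thread is that openssl s_client can only offer the protocol versions its own OpenSSL build still supports, so a "no protocols available" error says nothing about the server. The probe below is an added example (not code from the thread, from Greenbone or from Postfix): it sends a hand-built legacy ClientHello per version after STARTTLS and classifies the server's first record, so the verdict does not depend on the local OpenSSL. It also lets you omit SNI, which reproduces the second cause the reply mentions (different behaviour when connecting by IP instead of hostname). The hostname my.mail.host and the EHLO name tls-probe.invalid are placeholders.

```python
"""Probe which TLS versions an SMTP server accepts after STARTTLS.

Added example, not code from the thread, Greenbone or Postfix. Each version
is offered in a hand-built ClientHello, so the verdict does not depend on what
the local OpenSSL build still supports. Hostnames below are placeholders.
"""
import os
import socket
import struct

# TLS 1.3 negotiates via an extension, so this legacy-style probe covers 1.0-1.2.
TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
# A small cipher list that a default Postfix accepts for all three versions.
CIPHER_SUITES = [0xC013, 0xC014, 0x002F, 0x0035, 0x000A]
# Alert descriptions (RFC 5246 section 7.2) used to refuse a version.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version, sni=None, random_bytes=None):
    """One TLS record holding a ClientHello; sni=None omits server_name, which
    reproduces a client connecting by IP address instead of by hostname."""
    random_bytes = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    extensions = (
        _ext(10, struct.pack("!HHHH", 6, 0x0017, 0x0018, 0x001D))  # supported_groups
        + _ext(11, b"\x01\x00")  # ec_point_formats: uncompressed
        + _ext(13, struct.pack("!HHHHH", 8, 0x0401, 0x0403, 0x0804, 0x0201))  # signature_algorithms
    )
    if sni:
        host = sni.encode()
        extensions = _ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host) + extensions
    body = (
        struct.pack("!H", version) + random_bytes
        + b"\x00"  # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"  # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


def parse_server_response(record):
    """Classify the first TLS record the server sent back."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        return "ServerHello", struct.unpack("!H", payload[4:6])[0]
    if content_type == 0x15 and len(payload) >= 2:
        return "Alert", ALERT_NAMES.get(payload[1], "alert_%d" % payload[1])
    return "Unknown", content_type


def server_accepts(version, response):
    """True only if the server negotiated exactly the offered version: a lower
    ServerHello version means it fell back, an Alert means it refused."""
    return response[0] == "ServerHello" and response[1] == version


def _read_smtp_reply(sock):
    """Read one SMTP reply; its last line has a space after the 3-digit code."""
    data = b""
    while not any(len(ln) > 3 and ln[3:4] == b" " for ln in data.split(b"\r\n")):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP server closed the connection")
        data += chunk
    return data.decode(errors="replace")


def probe_starttls_versions(host, port=25, sni=None, timeout=10.0):
    """One SMTP session per version: EHLO, STARTTLS, then the probe hello."""
    results = {}
    for name, code in TLS_VERSIONS.items():
        with socket.create_connection((host, port), timeout=timeout) as sock:
            _read_smtp_reply(sock)  # 220 banner
            sock.sendall(b"EHLO tls-probe.invalid\r\n")
            if "STARTTLS" not in _read_smtp_reply(sock):
                raise RuntimeError("server does not advertise STARTTLS")
            sock.sendall(b"STARTTLS\r\n")
            if not _read_smtp_reply(sock).startswith("220"):
                raise RuntimeError("STARTTLS refused")
            sock.sendall(build_client_hello(code, sni))
            record = sock.recv(4096)  # the first record is enough to classify
            results[name] = server_accepts(code, parse_server_response(record))
    return results


if __name__ == "__main__":
    # my.mail.host is the placeholder name from the thread; probe with and without SNI.
    for label, sni in (("with SNI", "my.mail.host"), ("without SNI", None)):
        for proto, on in probe_starttls_versions("my.mail.host", sni=sni).items():
            print("%s %s: %s" % (proto, label, "enabled" if on else "disabled"))
```

Run it against your own server and compare with the sslscan output above: a version counts as enabled only when the ServerHello echoes exactly the version offered. A ServerHello carrying a lower version means the server silently fell back (so the offered version is not enabled), and a protocol_version or handshake_failure alert means it was refused outright. If the results differ between the with-SNI and without-SNI runs, the difference points at a per-name TLS policy in the server configuration rather than at the scanner.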