Re: [TLS] Request for mail testserver with TLS accepting renegotiation

"Yngve N. Pettersen" <> Wed, 27 July 2011 02:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E166811E8086 for <>; Tue, 26 Jul 2011 19:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.885
X-Spam-Status: No, score=-6.885 tagged_above=-999 required=5 tests=[AWL=-0.286, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WcVEcQr0ILex for <>; Tue, 26 Jul 2011 19:04:14 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B969A11E80CB for <>; Tue, 26 Jul 2011 19:04:13 -0700 (PDT)
Received: from lessa-ii.oslo.os ( []) (authenticated bits=0) by (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6R248CT023441 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 27 Jul 2011 02:04:10 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: "Matt McCutchen" <>
References: <op.vy83d3iqkvaitl@lessa-ii.oslo.os> <1311725122.7071.23.camel@localhost>
Date: Wed, 27 Jul 2011 04:04:15 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <>
Organization: Opera Software ASA
Message-ID: <op.vy89dd02kvaitl@lessa-ii.oslo.os>
In-Reply-To: <1311725122.7071.23.camel@localhost>
User-Agent: Opera Mail/10.62 (Win32)
Subject: Re: [TLS] Request for mail testserver with TLS accepting renegotiation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Jul 2011 02:04:15 -0000

On Wed, 27 Jul 2011 02:05:22 +0200, Matt McCutchen  
<> wrote:

> On Wed, 2011-07-27 at 01:55 +0200, Yngve N. Pettersen wrote:
>> I have recently upgraded my TLS Prober to test email servers (IMAP, POP,
>> SMTP).
>> However, I am uncertain about whether the test for testing client
>> initiated renegotiation works properly, particularly since a test of
>> 300000+ servers failed to detect a single email server that accepted it
>> (or requested it).
>> It might of course be that all email servers have this functionality
>> disabled, but for now I am assuming something is wrong about how the  
>> test
>> itself works.
>> If anyone have an email server that is configured to accept client
>> initiated renegotiation that I could test, I would appreciate it.
> Is your test in any way specific to email protocols?  If you just run
> "openssl s_server" interactively, it seems to accept all
> client-initiated renegotiation by default (at least when renegotiation
> indication is used).

I already know it works against HTTPS servers (which gives some  
problematic statistics for unpatched servers), but the tests against email  
servers follow a different pattern, since the email servers send content  
before the client send data, so there could be a difference in behavior.  
Possibilities include having to get the start line from the server before  
trying renegotiation, rather than try immediately.

While I might try configuring a OpenSSL testserver, I would prefer to test  
against the "real thing".

Yngve N. Pettersen

Senior Developer                     Email:
Opera Software ASA         
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01