I'm using ECS Fargate via a network load balancer (NLB) using TLS 1.2 to host an SMTP service that uses the standard SMTP interrupts to communicate with the client.
I'm testing the service via openssl.
This works fine both locally and on Fargate:
$openssl s_client -connect xxx.com:443
HELO
250 OK
MAIL FROM:[email protected]
250 OK
QUIT
250 OK
However, the Fargate service works fine for all SMTP commands on NLB/Fargate except any command that starts with the character R, e.g. RCPT TO:.
I get RENEGOTIATING followed by connection close, which does not happen locally.
$openssl s_client -connect mynlbhost.tampabayclosure.com:443
HELO
250 Hello
MAIL FROM:[email protected]
250 OK
RCPT TO:[email protected]
RENEGOTIATING
write:errno=54
I tried openssl s_client -connect host:port -no_renegotiation and openssl s_client -connect host:port -no_renegotiation -tls1_2, none of which worked.
What is the issue?
Either of these solutions will work:
Use TLS v1.3
Use openssl s_client -quiet to suppress the interactive interpretation of R and Q characters
Use rcpt to: (which you can since SMTP commands are case-insensitive according to RFC 5321)
This behaviour is related to openssl s_client:
This is why you're seeing the RENEGOTIATING message followed by a connection close when you input RCPT TO: or any other command starting with R. Note that the position of the R is important - that's why you didn't get this issue when you used MAIL FROM: even though it contains an R.
This is most likely because you're not using SSL locally.
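Added example, not part of the question or the answer above: a small Python script that drives the same SMTP dialogue through openssl s_client -quiet (which implies -ign_eof), so the interactive R and Q line commands never apply and RCPT TO: reaches the server unchanged, and that parses the reply codes so the check can be run from a pipeline instead of by hand. The host name, port, sample transcript and the helper names (s_client_interactive_command, build_argv, parse_replies, check_codes, run_smtp_script) are constructed for this example; s_client_interactive_command only models the behaviour the answer describes, and the exact check inside s_client depends on the OpenSSL version.

```python
"""Scripted SMTP-over-TLS check driven through `openssl s_client -quiet`.

Added example, not code from the question or answer. With -quiet (which
implies -ign_eof) s_client stops interpreting input lines that begin with
'R' (renegotiate) or 'Q' (quit). Host, port, sample transcript and helper
names are constructed for this example.
"""
import subprocess
import sys
import time
from typing import List, Optional, Tuple

Reply = Tuple[int, str]


def s_client_interactive_command(line: str) -> Optional[str]:
    """Model of the interactive line commands described in the answer.

    Without -quiet / -ign_eof, a line starting with 'R' is consumed as a
    renegotiation request and one starting with 'Q' closes the connection;
    neither line is sent to the server. Only the first character matters,
    which is why MAIL FROM: is safe and RCPT TO: is not, and why lowercase
    rcpt to: works. The exact check depends on the OpenSSL version.
    """
    if line.startswith("R"):
        return "renegotiate"
    if line.startswith("Q"):
        return "quit"
    return None


def build_argv(host: str, port: int, tls13: bool = False) -> List[str]:
    """Non-interactive s_client command line. -tls1_3 is optional: TLS 1.3
    has no renegotiation at all, so the 'R' command has nothing to trigger."""
    argv = ["openssl", "s_client", "-quiet", "-connect", f"{host}:{port}"]
    if tls13:
        argv.append("-tls1_3")
    return argv


def parse_replies(text: str) -> List[Reply]:
    """Group raw server output into SMTP replies as (code, text).

    RFC 5321 section 4.2: a reply line is a 3-digit code followed by '-'
    when more lines follow, or a space on the final line. Anything that is
    not a reply line (e.g. s_client diagnostics) is ignored.
    """
    replies: List[Reply] = []
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if len(line) < 3 or not line[:3].isdigit():
            continue
        code, separator, body = int(line[:3]), line[3:4], line[4:]
        pending.append(body)
        if separator != "-":
            replies.append((code, "\n".join(pending)))
            pending = []
    return replies


def check_codes(replies: List[Reply],
                expected: List[int]) -> List[Tuple[int, int, Optional[int]]]:
    """Compare reply codes positionally; returns (index, expected, got)
    mismatches. A reply that never arrived (connection closed early, as in
    the question) shows up as got=None."""
    mismatches = []
    for i, want in enumerate(expected):
        got = replies[i][0] if i < len(replies) else None
        if got != want:
            mismatches.append((i, want, got))
    return mismatches


def run_smtp_script(host: str, port: int, commands: List[str],
                    delay: float = 0.5, timeout: float = 30.0) -> Tuple[List[Reply], str]:
    """Send each command through s_client, pausing `delay` seconds so the
    server can answer before the next line (a server that rejects early
    talkers needs a longer delay). Ends when the server closes after QUIT."""
    proc = subprocess.Popen(build_argv(host, port), stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    try:
        for cmd in commands:
            proc.stdin.write(cmd + "\r\n")
            proc.stdin.flush()
            time.sleep(delay)
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        out, err = proc.communicate()
    return parse_replies(out), err


# Constructed transcript in the shape of the session from the question.
SAMPLE_TRANSCRIPT = ("220 smtp.example.test ESMTP ready\r\n"
                     "250-smtp.example.test Hello\r\n250 SIZE 10240000\r\n"
                     "250 OK\r\n250 OK\r\n221 Bye\r\n")
SESSION = ["EHLO client.example.test", "MAIL FROM:<sender@example.test>",
           "RCPT TO:<rcpt@example.test>", "QUIT"]
EXPECTED_CODES = [220, 250, 250, 250, 221]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python3 smtp_check.py <host> <port>
        replies, diagnostics = run_smtp_script(sys.argv[1], int(sys.argv[2]), SESSION)
    else:  # offline: exercise the parser on the constructed transcript
        replies, diagnostics = parse_replies(SAMPLE_TRANSCRIPT), ""
    for cmd in SESSION:
        if s_client_interactive_command(cmd):
            print(f"note: interactive s_client would swallow {cmd!r}; -quiet avoids that")
    print("mismatches:", check_codes(replies, EXPECTED_CODES))
```

Run it with a host and port to drive a live session, or without arguments to see the parser work on the constructed transcript. Because -quiet implies -ign_eof, s_client does not hang up when stdin is exhausted; the session ends when the server closes after QUIT, which is why the script waits on communicate() with a timeout instead of closing stdin.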