Hi all,

let me start with a bit of background regarding the problem I am
facing. ISP started enforcing SMTP authentication recently and of
course I want to use the encrypted channel for sending my password
over the line. Mail user agent of my choice (Claws Mail) uses GnuTLS for
encrypted communication. So I thought it would be as simple as enabling
SMTP authentication and SSL but it turned out it does not work, I
always get SSL handshake failed error.

ISP's technical support stated that their server does not support TLS
1.1 nor TLS 1.2 so I thought I just need to set a correct priority
string. I am using GnuTLS versions 3.0.20 and 3.1.5 for my experiments.
I have attached the output of gnutls-cli-debug when connecting to the
server in question.

Based on the output of gnutls-cli-debug and on what their support said I
thought it would be enough to disable TLS 1.1 and TLS 1.2 but
unfortunately I still can't connect to their server. I am using the
command line
gnutls-cli -p 465 \
  --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1' \
  --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net
for testing the connection.

Relevant bit of output for GnuTLS 3.1.5:
Processed 151 CA certificate(s).
Resolving 'mail.siol.net'...
Connecting to '89.143.246.11:465'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
... (certificates info comes here)
- Status: The certificate is trusted.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [0]: Close notify
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
Can someone please explain what this error means?

When I use GnuTLS 3.0.20 I get a different error:
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'mail.siol.net'.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
How come GnuTLS 3.1.5 considers the same certificate as trusted but
GnuTLS 3.0.20 does not?

I hope someone can help me resolve this connection issue.

Regards,
                          Darko

./gnutls-cli-debug -p 465 -V mail.siol.net
Resolving 'mail.siol.net'...
Connecting to '89.143.246.11:465'...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... yes
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.2... yes
Checking whether we need to disable TLS 1.1... no
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... no
Checking for Safe renegotiation support (SCSV)... no
Checking for HTTPS server name...
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether the server ignores the RSA PMS version... yes
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept HeartBeat Extension... yes
Checking whether the server can accept small records (512 bytes)... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client 
hello... yes
Checking for certificate information...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `serialNumber=LIH-gVNwQykZH-FA2yOXZsuTJ3UziZwJ,OU=GT01526090,OU=See 
www.geotrust.com/resources/cps (c)12,OU=Domain Control Validated - 
QuickSSL(R),CN=mail.siol.net', issuer `C=US,O=GeoTrust Inc.,OU=Domain Validated 
SSL,CN=GeoTrust DV SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated 
`2012-10-02 06:22:21 UTC', expires `2013-12-03 12:51:50 UTC', SHA-1 fingerprint 
`875d1ac1baf7af9cbeadee6aa9bc1fe5d37770ce'
        Public Key Id:
                e7df07289daa7e11a0c5d30add0f0b25be5b1082
        Public key's random art:
                +--[ RSA 2048]----+
                |     ..oo+.      |
                |    E .oBo+      |
                |       +o= +     |
                |      . .oo .    |
                |        S oo o   |
                |         =o + .  |
                |        . .+   . |
                |          o. .  .|
                |       .oo  . .. |
                +-----------------+


- Certificate[1] info:
 - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer 
`C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using 
RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2022-05-21 04:00:00 
UTC', SHA-1 fingerprint `de28f4a4ffe5b92fa3c503d1a349a7f9962a8212'

- Certificate[2] info:
 - subject `C=US,O=GeoTrust Inc.,OU=Domain Validated SSL,CN=GeoTrust DV SSL 
CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, 
signed using RSA-SHA1, activated `2010-02-26 21:32:31 UTC', expires `2020-02-25 
21:32:31 UTC', SHA-1 fingerprint `bae30b15dbb1544cf194d076b75b7bb9e3d6b760'

- Certificate[3] info:
 - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer 
`C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, 
signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 
04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'


Checking for trusted CAs...
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info...
 Exponent [24 bits]: 01:00:01
 Modulus [520 bits]: 
00:86:C0:C0:0C:8C:22:E8:7B:DA:10:3B:EE:35:0D:5A:8F:A9:F7:11:47:46:3C:88:D0:CF:E5:F0:9D:A7:FF:35:D2:D5:B5:64:BE:18:8A:FD:C8:35:62:BA:1B:DC:1D:79:17:FA:47:5D:17:56:EB:65:90:63:E0:FF:F0:A5:EA:5B:61

Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... no
Checking ephemeral Diffie-Hellman group info... N/A
Checking for ephemeral EC Diffie-Hellman support... no
Checking ephemeral EC Diffie-Hellman group info... N/A
Checking for AES-GCM cipher support... no
Checking for AES-CBC cipher support... no
Checking for CAMELLIA cipher support... no
Checking for 3DES-CBC cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for SHA256 MAC support... no
Checking for ZLIB compression support... no
Checking for max record size... no
Checking for OpenPGP authentication support... no

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
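
An added example, not part of the original message and not GnuTLS code: a small parser for the gnutls-cli-debug probe lines attached above. It rejoins probe lines that the mail client wrapped and lists the answers that indicate a weak server configuration. The names parse_probes, weak_findings and WEAK, and the choice of which answers count as weak, are assumptions of this example.

```python
import re

# Constructed sample: probe lines copied from the attached output (one wrapped).
SAMPLE = """\
Checking for SSL 3.0 support... yes
Checking for TLS 1.2 support... no
Checking for Safe renegotiation support... no
Checking whether the server can accept a bogus TLS record version in the client
hello... yes
Checking for certificate information...
- Certificate type: X.509
Checking for export-grade ciphersuite support... yes
Checking for ephemeral Diffie-Hellman support... no
Checking for ephemeral EC Diffie-Hellman support... no
"""

# Assumption of this example: which answers are treated as weaknesses.
WEAK = {
    "SSL 3.0 support": "yes",
    "TLS 1.2 support": "no",
    "Safe renegotiation support": "no",
    "export-grade ciphersuite support": "yes",
}
FS_PROBES = ("ephemeral Diffie-Hellman support", "ephemeral EC Diffie-Hellman support")
PROBE = re.compile(r"^Checking (?:for |whether )?(.+?)\.\.\.\s*(.*)$")

def parse_probes(text):
    """Return {probe name: answer or None}, rejoining mail-wrapped lines."""
    merged = []
    for line in text.splitlines():
        if line.startswith("Checking "):
            merged.append(line.strip())
        elif merged and "..." not in merged[-1]:
            merged[-1] += " " + line.strip()  # tail of a wrapped probe line
    probes = {}
    for line in merged:
        m = PROBE.match(line)
        if m:
            probes[m.group(1)] = m.group(2) or None
    return probes

def weak_findings(probes):
    """Probes answered as listed in WEAK, plus a forward-secrecy summary."""
    found = [name for name, bad in WEAK.items() if probes.get(name) == bad]
    if all(probes.get(p) == "no" for p in FS_PROBES):
        found.append("no forward secrecy (no DHE or ECDHE)")
    return found

if __name__ == "__main__":
    print("\n".join(weak_findings(parse_probes(SAMPLE))))
```

Probes that print no answer, such as the certificate information line, are kept with the value None so a missing result is not mistaken for "no".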
