Indeed, OpenBSD uses LibreSSL 3.5.2 and my Artix Linux runs OpenSSL

LibreSSL says: Verify return code: 20 (unable to get local issuer certificate)
And OpenSSL says: Verify return code: 21 (unable to verify the first certificate)

Here is the diff from both.

4,5c4,5
<  0 s:CN = mail.thinkerwim.org
<    i:C = US, O = Let's Encrypt, CN = R3
---
>  0 s:/CN=mail.thinkerwim.org
>    i:/C=US/O=Let's Encrypt/CN=R3
44,47c44,45
< subject=CN = mail.thinkerwim.org
<
< issuer=C = US, O = Let's Encrypt, CN = R3
<
---
> subject=/CN=mail.thinkerwim.org
> issuer=/C=US/O=Let's Encrypt/CN=R3
50,52c48
< Peer signing digest: SHA256
< Peer signature type: RSA-PSS
< Server Temp Key: X25519, 253 bits
---
> Server Temp Key: ECDH, X25519, 253 bits
54,55c50
< SSL handshake has read 2663 bytes and written 434 bytes
< Verification error: unable to verify the first certificate
---
> SSL handshake has read 2662 bytes and written 430 bytes
57c52
< New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
> New, TLSv1/SSLv3, Cipher is TLS_AES_256_GCM_SHA384
63,64c58,66
< Early data was not sent
< Verify return code: 21 (unable to verify the first certificate)
---
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Start Time: 1657308952
>     Timeout   : 7200 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)


I guess I'll look into the manual of LibreSSL :-).

Thanks for pointing me in the good direction.

Wim Stockman


On 7/8/22 20:41, Zé Loff wrote:
On Fri, Jul 08, 2022 at 07:22:51PM +0200, Wim wrote:
The strange thing is that the client machine and server are the same...
The client's not necessarily the same.  Linux might be using OpenSSL,
OpenBSD is almost certainly using LibreSSL, there might be differences
on the root certificates accepted by each OS, etc.

Compare the output of

     openssl s_client -showcerts -servername mail.thinkerwim.org -connect mail.thinkerwim.org:587 -starttls smtp

and check for differences.

Maybe mutt looks in the wrong place. I installed mutt from the OpenBSD package
and am using OpenBSD 7.1

Thanks for the help.
Kind regards
Wim

Philipp Buehler <[email protected]> wrote on 8 July 2022 16:31:31 CEST:
On 08.07.2022 15:49, Dave Voutila wrote:

$ openssl s_client -showcerts -servername mail.thinkerwim.org -connect mail.thinkerwim.org:587
`-starttls smtp` helps a lot. The cert is there (also on :25 ftm) and signed by LE.

The rub is that the mutt client machine does not know that issuer.
See the openssl documentation for how to do this.

HTH
--
pb
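
As an added example (not part of the thread): most of the diff above is distinguished-name formatting noise between the two clients, so this script reduces saved `openssl s_client` output to its chain entries and verify result, with both DN styles normalised for direct comparison. The function names are hypothetical, and the sample input is constructed from only the lines visible in the diff, so a real capture contains more.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output (read on stdin) as
# one line per chain entry plus the final verify result.
summarize() {
    awk '
    function norm(d) {   # "/C=US/O=X" and "C = US, O = X" both become "C=US,O=X"
        gsub(/ *= */, "=", d); gsub(/, */, ",", d); sub(/^\//, "", d)
        while (match(d, /\/[A-Za-z]+=/))   # remaining "/KEY=" separators
            d = substr(d, 1, RSTART - 1) "," substr(d, RSTART + 1)
        return d
    }
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = norm($0); next }
    /^ +i:/        { sub(/^ +i:/, ""); iss[n] = norm($0); next }
    /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $0 }
    END {
        for (k = 1; k <= n; k++)
            printf "depth=%d subject=%s issuer=%s\n", k - 1, subj[k], iss[k]
        printf "verify=%s\n", code
    }'
}

# Constructed sample: the "<" side of the diff above.
sample_openssl() {
    cat <<'EOF'
 0 s:CN = mail.thinkerwim.org
   i:C = US, O = Let's Encrypt, CN = R3
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: the ">" side of the diff above.
sample_libressl() {
    cat <<'EOF'
 0 s:/CN=mail.thinkerwim.org
   i:/C=US/O=Let's Encrypt/CN=R3
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# After normalisation the certificate lines are identical on both sides;
# only the verify line still differs.
echo "== OpenSSL ==";  sample_openssl  | summarize
echo "== LibreSSL =="; sample_libressl | summarize
```

With real captures, save each client's `s_client` output to a file and pipe it through `summarize` before running `diff` on the two results.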

