On 2015-02-16 19:19, Ashish SHUKLA wrote:
> Since this fails at SSL/TLS negotiation, I would try connecting via each
> protocol to figure out where it's failing:
>
> --8<---------------cut here---------------start------------->8---
> for i in ssl3 tls1 tls1_1 tls1_2; do
>   echo --------------------
>   echo $i
>   echo --------------------
>   echo QUIT |openssl s_client -quiet -CAfile \
>     /usr/local/share/certs/ca-root-nss.crt -$i -connect $hostname:25 \
>     -starttls smtp
> done
> --8<---------------cut here---------------end--------------->8---
>
> If it only happens with SSLv3, then I guess it's due to SSLv3 support being
> disabled in codebase.
>
> HTH
I'm only getting an error validating the issuer (which I believe is emitted
client-side, right?). But I'm not sure why my local installation is searching
for the CAs in that location:
--------------------
ssl3
--------------------
140396859192976:error:02001002:system library:fopen:No such file or
directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
140396859192976:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:171:
140396859192976:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:253:
140396859192976:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:s3_pkt.c:1456:SSL alert number 40
140396859192976:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake
failure:s3_pkt.c:644:
--------------------
tls1
--------------------
139719128671888:error:02001002:system library:fopen:No such file or
directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
139719128671888:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:171:
139719128671888:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:253:
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN
= StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
250 HELP
221 2.0.0: Bye
read:errno=0
--------------------
tls1_1
--------------------
140657221531280:error:02001002:system library:fopen:No such file or
directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
140657221531280:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:171:
140657221531280:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:253:
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN
= StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
250 HELP
221 2.0.0: Bye
read:errno=0
--------------------
tls1_2
--------------------
140242839791248:error:02001002:system library:fopen:No such file or
directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
140242839791248:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:171:
140242839791248:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:253:
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN
= StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
250 HELP
221 2.0.0: Bye
read:errno=0
Server-side output:
Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: New session 51d510206fc35c4a
from host hyperion.barrera.io [190.210.108.249]
Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: Disconnecting session
51d510206fc35c4a: IO error: error:1408A10B:SSL
routines:SSL3_GET_CLIENT_HELLO:wrong version number
Feb 16 18:02:54 hydrogen smtpd[98431]: smtp-in: New session 51d510255c37bd0f
from host athena.barrera.io [190.210.108.249]
Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Started TLS on session
51d510255c37bd0f: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Closing session 51d510255c37bd0f
Feb 16 18:02:56 hydrogen smtpd[98431]: smtp-in: New session 51d5102a1953d775
from host athena.barrera.io [190.210.108.249]
Feb 16 18:02:57 hydrogen smtpd[98431]: smtp-in: Started TLS on session
51d5102a1953d775: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
Feb 16 18:02:57 hydrogen smtpd[98431]: smtp-in: Closing session 51d5102a1953d775
Feb 16 18:02:58 hydrogen smtpd[98431]: smtp-in: New session 51d5102f86107152
from host athena.barrera.io [190.210.108.249]
Feb 16 18:02:59 hydrogen smtpd[98431]: smtp-in: Started TLS on session
51d5102f86107152: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384,
bits=256
Feb 16 18:02:59 hydrogen smtpd[98431]: smtp-in: Closing session 51d5102f86107152
#####
If I'm mistaken and the error is emitted server-side, then that file *does*
exist on the server:
/usr/local/share/certs/ca-root-nss.crt exists
But why would the server need to check its own certificate? I've chained my
certificate with the CA's intermediate; do I need the CA's root too? (I'd be
curious if I did, because the same chain works fine on OpenBSD).
#####
That aside, I noticed the server output is *different* when I try to send an
email via Thunderbird (which I'm using for testing):
Feb 16 18:07:02 hydrogen smtpd[98431]: smtp-in: New session 51d5105c9fc4b623
from host hyperion.barrera.io [190.210.108.249]
Feb 16 18:07:03 hydrogen smtpd[98431]: smtp-in: Disconnecting session
51d5105c9fc4b623: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1
alert access denied
Is smtpd doing something different with thunderbird's connection? I've set it
up to use STARTTLS too, on port 587.
My config is:
pki mail.asteq.com.ar certificate "/etc/ssl/certs/mail.asteq.com.ar.crt"
pki mail.asteq.com.ar key "/etc/ssl/certs/mail.asteq.com.ar.key"
table credentials file:/usr/local/etc/mail/credentials
listen on localhost
listen on vtnet0 port smtp tls hostname mail.asteq.com.ar
listen on vtnet0 port submission tls-require auth <credentials> hostname mail.asteq.com.ar
Thanks.
On 2015-02-16 09:52, Seth wrote:
> Try switching out OpenSSL with LibreSSL and see if you can reproduce the
I'll give that a try in a bit. Thanks,
--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
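An added example, not from this thread or from OpenSMTPD: a small Python parser that folds the smtp-in log lines of the kind quoted above into one record per session and separates handshakes the server itself refused (the "wrong version number" on the ClientHello) from alerts the client sent (the "tlsv1 alert access denied"). The log sample is constructed with placeholder hosts, addresses and session ids.

```python
import re

# Constructed sample in the OpenSMTPD "smtp-in" log format quoted in the thread;
# host names, addresses and session ids are invented placeholders.
SAMPLE_LOG = """\
Feb 16 18:02:53 mx smtpd[98431]: smtp-in: New session 0000000000000001 from host client-a.example [192.0.2.10]
Feb 16 18:02:53 mx smtpd[98431]: smtp-in: Disconnecting session 0000000000000001: IO error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
Feb 16 18:02:54 mx smtpd[98431]: smtp-in: New session 0000000000000002 from host client-b.example [192.0.2.10]
Feb 16 18:02:55 mx smtpd[98431]: smtp-in: Started TLS on session 0000000000000002: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
Feb 16 18:02:55 mx smtpd[98431]: smtp-in: Closing session 0000000000000002
Feb 16 18:07:02 mx smtpd[98431]: smtp-in: New session 0000000000000003 from host client-a.example [192.0.2.10]
Feb 16 18:07:03 mx smtpd[98431]: smtp-in: Disconnecting session 0000000000000003: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
"""

NEW = re.compile(r"smtp-in: New session (?P<sid>[0-9a-f]{16}) from host (?P<host>\S+) \[(?P<ip>[^\]]+)\]")
TLS = re.compile(r"smtp-in: Started TLS on session (?P<sid>[0-9a-f]{16}): version=(?P<ver>[^,]+), cipher=(?P<cipher>[^,]+)")
ERR = re.compile(r"smtp-in: Disconnecting session (?P<sid>[0-9a-f]{16}): IO error: (?P<err>.+)$")

def parse_sessions(log_text):
    """Fold smtp-in lines into one record per session id: peer, negotiated TLS, fatal error."""
    sessions = {}
    for line in log_text.splitlines():
        m = NEW.search(line)
        if m:
            sessions[m["sid"]] = {"host": m["host"], "ip": m["ip"], "tls": None, "error": None}
            continue
        m = TLS.search(line)
        if m and m["sid"] in sessions:
            sessions[m["sid"]]["tls"] = (m["ver"], m["cipher"])
            continue
        m = ERR.search(line)
        if m and m["sid"] in sessions:
            sessions[m["sid"]]["error"] = m["err"]
    return sessions

def classify_tls_error(err):
    """OpenSSL reports an alert received from the other side as '... alert <reason>';
    anything else (e.g. 'wrong version number' while reading the ClientHello) is the
    server rejecting the handshake itself."""
    return "peer-alert" if " alert " in err else "local-reject"

def tls_failures(sessions):
    """(sid, host, class, error) for every session that died inside the SSL layer."""
    return [(sid, s["host"], classify_tls_error(s["error"]), s["error"])
            for sid, s in sessions.items()
            if s["error"] and ":SSL routines:" in s["error"]]

if __name__ == "__main__":
    for row in tls_failures(parse_sessions(SAMPLE_LOG)):
        print(*row)
```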