On Mon, 16 Feb 2015 15:20:48 -0300, Hugo Osvaldo Barrera <[email protected]> said:
| On 2015-02-16 19:19, Ashish SHUKLA wrote:
|| Since this fails at SSL/TLS negotiation, I would try connecting via each
|| protocol to figure out where it's failing:
||
|| --8<---------------cut here---------------start------------->8---
|| for i in ssl3 tls1 tls1_1 tls1_2; do
||     echo --------------------
||     echo $i
||     echo --------------------
||     echo QUIT | openssl s_client -quiet -CAfile \
||         /usr/local/share/certs/ca-root-nss.crt -$i -connect "$hostname:25" \
||         -starttls smtp
|| done
|| --8<---------------cut here---------------end--------------->8---
||
|| If it only happens with SSLv3, then I guess it's due to SSLv3 support being
|| disabled in codebase.
||
|| HTH
| I'm only getting an error validating the issuer (which I believe is emitted
| client-side, right?). But I'm not sure why my local installation is searching
| for the CAs in that location:
| --------------------
| ssl3
| --------------------
| 140396859192976:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
| 140396859192976:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
| 140396859192976:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
| 140396859192976:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1456:SSL alert number 40
| 140396859192976:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:644:
| --------------------
| tls1
| --------------------
| 139719128671888:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
| 139719128671888:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
| 139719128671888:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
| depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
| verify error:num=20:unable to get local issuer certificate
| 250 HELP
| 221 2.0.0: Bye
| read:errno=0
| --------------------
| tls1_1
| --------------------
| 140657221531280:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
| 140657221531280:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
| 140657221531280:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
| depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
| verify error:num=20:unable to get local issuer certificate
| 250 HELP
| 221 2.0.0: Bye
| read:errno=0
| --------------------
| tls1_2
| --------------------
| 140242839791248:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
| 140242839791248:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
| 140242839791248:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
| depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
| verify error:num=20:unable to get local issuer certificate
| 250 HELP
| 221 2.0.0: Bye
| read:errno=0
| Server-side output:
| Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: New session 51d510206fc35c4a from host hyperion.barrera.io [190.210.108.249]
| Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: Disconnecting session 51d510206fc35c4a: IO error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
| Feb 16 18:02:54 hydrogen smtpd[98431]: smtp-in: New session 51d510255c37bd0f from host athena.barrera.io [190.210.108.249]
| Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d510255c37bd0f: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
| Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Closing session 51d510255c37bd0f
| Feb 16 18:02:56 hydrogen smtpd[98431]: smtp-in: New session 51d5102a1953d775 from host athena.barrera.io [190.210.108.249]
| Feb 16 18:02:57 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d5102a1953d775: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
| Feb 16 18:02:57 hydrogen smtpd[98431]: smtp-in: Closing session 51d5102a1953d775
| Feb 16 18:02:58 hydrogen smtpd[98431]: smtp-in: New session 51d5102f86107152 from host athena.barrera.io [190.210.108.249]
| Feb 16 18:02:59 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d5102f86107152: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
| Feb 16 18:02:59 hydrogen smtpd[98431]: smtp-in: Closing session 51d5102f86107152
| #####
| If I'm mistaken and the error is emitted server-side, then that file *does*
| exist on the server:
| /usr/local/share/certs/ca-root-nss.crt exists
Ignoring the certificate issues, it seems like the error is caused by trying
to use the SSLv3 protocol: the same error message as in your original post.
The certificate path corresponds to the `ca_root_nss' package on FreeBSD; you
can replace it with /etc/ssl/cert.pem (or the equivalent) to pass certificate
verification, and it comes from the 'openssl s_client' command.
| But why would the server need to check its own certificate? I've chained my
| certificate with the CA's intermediate; do I need the CA's root too? (I'd be
| curious if I did, because the same chain works fine on OpenBSD.)
The CA's intermediate certificate is good enough; no need to pass the root
certificate.
| #####
| That aside, I noticed the server output is *different* when I try to send an
| email via Thunderbird (which I'm using for testing):
| Feb 16 18:07:02 hydrogen smtpd[98431]: smtp-in: New session 51d5105c9fc4b623 from host hyperion.barrera.io [190.210.108.249]
| Feb 16 18:07:03 hydrogen smtpd[98431]: smtp-in: Disconnecting session 51d5105c9fc4b623: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
It seems like certificate verification is failing here.
| Is smtpd doing something different with thunderbird's connection? I've set it
| up to use STARTTLS too, on port 587.
| My config is:
| pki mail.asteq.com.ar certificate "/etc/ssl/certs/mail.asteq.com.ar.crt"
| pki mail.asteq.com.ar key "/etc/ssl/certs/mail.asteq.com.ar.key"
| table credentials file:/usr/local/etc/mail/credentials
| listen on localhost
| listen on vtnet0 port smtp tls hostname mail.asteq.com.ar
| listen on vtnet0 port submission tls-require auth <credentials> hostname mail.asteq.com.ar
| Thanks.
| On 2015-02-16 09:52, Seth wrote:
|| Try switching out OpenSSL with LibreSSL and see if you can reproduce the
| I'll give that a try in a bit. Thanks,
| --
| Hugo Osvaldo Barrera
| A: Because we read from top to bottom, left to right.
| Q: Why should I start my reply below the quoted text?
HTH
--
Ashish SHUKLA
“So, again we are defeated. This victory belongs to the farmers, not us.”
(Kambei Shimada, "Seven Samurai")
Sent from my Emacs
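The thread above mixes three different symptoms in one set of output: a `-CAfile` path that does not exist on the probing client, the `-ssl3` probe being refused by the server (`wrong version number` server-side, alert 40 client-side), and `verify error:num=20` once the handshake does succeed. As an added example (not code from the list post, from OpenSMTPD or from OpenSSL), the script below parses the per-protocol sections printed by the probe loop and the matching smtpd session lines, and reports which probes actually established TLS, which verify error they hit, and a short hint per OpenSSL reason string. The hint texts are this example's own reading of the symptoms discussed in the thread, and the sample lines are constructed copies of the quoted output with the wrapped lines rejoined.

```python
"""Triage for STARTTLS probe output: s_client error-queue lines plus smtpd log lines.
Added example; hint texts are this example's reading of the thread, not OpenSSL's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# openssl error-queue line: <thread>:error:<8-hex code>:<lib>:<func>:<reason>:<file>:<line>:<extra>
OSSL_ERR = re.compile(r"^\d+:error:[0-9A-Fa-f]{8}:[^:]*:(?P<func>[^:]*):(?P<reason>[^:]*):")
VERIFY_ERR = re.compile(r"^verify error:num=(?P<num>\d+):(?P<msg>.*)$")
ALERT = re.compile(r"SSL alert number (?P<num>\d+)")
SMTP_REPLY = re.compile(r"^\d{3}[ -]")   # SMTP replies are only printed once TLS is up
DASHES = re.compile(r"^-{5,}$")          # the probe loop prints: dashes, protocol name, dashes
SMTPD_FAIL = re.compile(r"Disconnecting session (?P<sid>\w+): IO error: "
                        r"error:[0-9A-Fa-f]{8}:SSL routines:\w+:(?P<reason>.*)$")
SMTPD_OK = re.compile(r"Started TLS on session (?P<sid>\w+): version=(?P<ver>[^,]+), cipher=(?P<cipher>[^,]+)")

# OpenSSL reason string -> hint; None marks follow-on entries of the same error cascade
CLIENT_HINTS = {
    "No such file or directory": "the -CAfile path does not exist on this client, so verification cannot pass",
    "no such file": None, "system lib": None, "ssl handshake failure": None,
    "sslv3 alert handshake failure": "peer refused the handshake (alert 40); on a -ssl3 probe this means SSLv3 is disabled server-side",
}
VERIFY_HINTS = {20: "no trust anchor found for the chain: wrong CA bundle on the client, or the server omits its intermediate"}
SERVER_HINTS = {
    "wrong version number": "client offered a protocol version the server rejects (matches the -ssl3 probe)",
    "tlsv1 alert access denied": "client sent access_denied (alert 49) after the certificate: client-side verification failed",
}


@dataclass
class Probe:
    protocol: str
    tls_established: bool = False
    verify: Optional[Tuple[int, str]] = None   # (num, message) from the verify callback
    alert: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def triage_client(text: str) -> List[Probe]:
    """Split s_client output into per-protocol probes and explain what each one shows."""
    probes: List[Probe] = []
    in_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if DASHES.match(line):
            in_header = not in_header        # opening / closing dash rule of a section header
            continue
        if in_header:
            probes.append(Probe(protocol=line))
            continue
        if not probes:
            continue
        p, err, ver = probes[-1], OSSL_ERR.match(line), VERIFY_ERR.match(line)
        if err:
            hint = CLIENT_HINTS.get(err["reason"], f"unexplained error in {err['func']}: {err['reason']}")
            if hint:
                p.findings.append(hint)
            alert = ALERT.search(line)
            if alert:
                p.alert = int(alert["num"])
        elif ver:
            p.verify = (int(ver["num"]), ver["msg"])
            p.findings.append(VERIFY_HINTS.get(int(ver["num"]), ver["msg"]))
        elif SMTP_REPLY.match(line):
            p.tls_established = True
    return probes


def triage_server(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Map smtpd session lines to (session id, 'ok' or 'failed', detail)."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        fail, ok = SMTPD_FAIL.search(line), SMTPD_OK.search(line)
        if fail:
            out.append((fail["sid"], "failed", SERVER_HINTS.get(fail["reason"], fail["reason"])))
        elif ok:
            out.append((ok["sid"], "ok", f"{ok['ver']} {ok['cipher']}"))
    return out


# Constructed samples modelled on the thread's output, wrapped lines rejoined
CLIENT_SAMPLE = """\
--------------------
ssl3
--------------------
140396859192976:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
140396859192976:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1456:SSL alert number 40
140396859192976:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:644:
--------------------
tls1_2
--------------------
140242839791248:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
verify error:num=20:unable to get local issuer certificate
250 HELP
221 2.0.0: Bye
"""
SERVER_SAMPLE = [
    "Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: Disconnecting session 51d510206fc35c4a: IO error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number",
    "Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d510255c37bd0f: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256",
    "Feb 16 18:07:03 hydrogen smtpd[98431]: smtp-in: Disconnecting session 51d5105c9fc4b623: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied",
]

if __name__ == "__main__":
    for p in triage_client(CLIENT_SAMPLE):
        print(p.protocol, "tls_established=%s alert=%s verify=%s" % (p.tls_established, p.alert, p.verify), p.findings)
    for row in triage_server(SERVER_SAMPLE):
        print(*row)
```

Run it on real output by feeding the probe loop's stdout/stderr to `triage_client` and the relevant `smtpd` log lines to `triage_server`; a probe that shows `tls_established=True` with a verify error is a trust-store problem on the client, while one with no SMTP replies and an alert number is a handshake refusal, which is the distinction the reply above draws between the two sets of errors.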