On 2015-02-18 20:13, Ashish SHUKLA wrote:
> On Mon, 16 Feb 2015 15:20:48 -0300, Hugo Osvaldo Barrera <[email protected]> said:
>
> | On 2015-02-16 19:19, Ashish SHUKLA wrote:
> || Since this fails at SSL/TLS negotiation, I would try connecting via each
> || protocol to figure out where it's failing:
> ||
> || --8<---------------cut here---------------start------------->8---
> || for i in ssl3 tls1 tls1_1 tls1_2; do
> ||     echo --------------------
> ||     echo $i
> ||     echo --------------------
> ||     echo QUIT | openssl s_client -quiet -CAfile \
> ||         /usr/local/share/certs/ca-root-nss.crt -$i -connect $hostname:25 \
> ||         -starttls smtp
> || done
> || --8<---------------cut here---------------end--------------->8---
> ||
> || If it only happens with SSLv3, then I guess it's due to SSLv3 support being
> || disabled in codebase.
> ||
> || HTH
>
> | I'm only getting an error validating the issuer (which I believe is emitted
> | client-side, right?). But I'm not sure why my local installation is searching
> | for the CAs in that location:
>
> | --------------------
> | ssl3
> | --------------------
> | 140396859192976:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
> | 140396859192976:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
> | 140396859192976:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
> | 140396859192976:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1456:SSL alert number 40
> | 140396859192976:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:644:
>
> | --------------------
> | tls1
> | --------------------
> | 139719128671888:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
> | 139719128671888:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
> | 139719128671888:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
> | depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
> | verify error:num=20:unable to get local issuer certificate
> | 250 HELP
> | 221 2.0.0: Bye
> | read:errno=0
>
> | --------------------
> | tls1_1
> | --------------------
> | 140657221531280:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
> | 140657221531280:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
> | 140657221531280:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
> | depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
> | verify error:num=20:unable to get local issuer certificate
> | 250 HELP
> | 221 2.0.0: Bye
> | read:errno=0
>
> | --------------------
> | tls1_2
> | --------------------
> | 140242839791248:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
> | 140242839791248:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
> | 140242839791248:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
> | depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
> | verify error:num=20:unable to get local issuer certificate
> | 250 HELP
> | 221 2.0.0: Bye
> | read:errno=0
>
> | Server-side output:
>
> | Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: New session 51d510206fc35c4a from host hyperion.barrera.io [190.210.108.249]
> | Feb 16 18:02:53 hydrogen smtpd[98431]: smtp-in: Disconnecting session 51d510206fc35c4a: IO error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
> | Feb 16 18:02:54 hydrogen smtpd[98431]: smtp-in: New session 51d510255c37bd0f from host athena.barrera.io [190.210.108.249]
> | Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d510255c37bd0f: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
> | Feb 16 18:02:55 hydrogen smtpd[98431]: smtp-in: Closing session 51d510255c37bd0f
> | Feb 16 18:02:56 hydrogen smtpd[98431]: smtp-in: New session 51d5102a1953d775 from host athena.barrera.io [190.210.108.249]
> | Feb 16 18:02:57 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d5102a1953d775: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-SHA, bits=256
> | Feb 16 18:02:57 hydrogen smtpd[98431]: smtp-in: Closing session 51d5102a1953d775
> | Feb 16 18:02:58 hydrogen smtpd[98431]: smtp-in: New session 51d5102f86107152 from host athena.barrera.io [190.210.108.249]
> | Feb 16 18:02:59 hydrogen smtpd[98431]: smtp-in: Started TLS on session 51d5102f86107152: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> | Feb 16 18:02:59 hydrogen smtpd[98431]: smtp-in: Closing session 51d5102f86107152
>
> | #####
>
> | If I'm mistaken and the error is emitted server-side, then that file *does*
> | exist on the server:
>
> | /usr/local/share/certs/ca-root-nss.crt exists
>
> Ignoring the certificate issues, it seems like the error is caused by trying
> to use SSLv3 protocol, same error message as in your original post.
>
> The certificate path corresponds to the `ca_root_nss' package on FreeBSD; you
> can replace it with /etc/ssl/cert.pem (or the equivalent) to pass certificate
> verification. It comes from 'openssl s_client'.

Oh, so it's the s_client not looking for the CAs in the right place. No biggie here.

> | But why would the server need to check its own certificate? I've chained my
> | certificate with the CA's intermediate, do I need the CA's root too? (I'd be
> | curious if I did, because the same chain works fine on OpenBSD).
>
> CA's intermediate certificate is good enough, no need to pass root
> certificate.
>
> | #####
>
> | That aside, I noticed the server output is *different* when I try to send an
> | email via thunderbird (which I'm using for testing):
>
> | Feb 16 18:07:02 hydrogen smtpd[98431]: smtp-in: New session 51d5105c9fc4b623 from host hyperion.barrera.io [190.210.108.249]
> | Feb 16 18:07:03 hydrogen smtpd[98431]: smtp-in: Disconnecting session 51d5105c9fc4b623: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
>
> It seems like certificate verification is failing here.

Why? The client doesn't present any certificate, so why is the server validating its own certificate?

> | Is smtpd doing something different with thunderbird's connection? I've set it
> | up to use STARTTLS too, on port 587.
>
> | My config is:
>
> | pki mail.asteq.com.ar certificate "/etc/ssl/certs/mail.asteq.com.ar.crt"
> | pki mail.asteq.com.ar key "/etc/ssl/certs/mail.asteq.com.ar.key"
>
> | table credentials file:/usr/local/etc/mail/credentials
>
> | listen on localhost
> | listen on vtnet0 port smtp tls hostname mail.asteq.com.ar
> | listen on vtnet0 port submission tls-require auth <credentials> hostname mail.asteq.com.ar
>
> | Thanks.
>
> | On 2015-02-16 09:52, Seth wrote:
> || Try switching out OpenSSL with LibreSSL and see if you can reproduce the
>
> | I'll give that a try in a bit. Thanks,
>
> | --
> | Hugo Osvaldo Barrera
> | A: Because we read from top to bottom, left to right.
> | Q: Why should I start my reply below the quoted text?
>
> HTH
> --
> Ashish SHUKLA
>
> “So, again we are defeated. This victory belongs to the farmers, not us.”
> (Kambei Shimada, "Seven Samurai")
>
> Sent from my Emacs

I deleted ~/.thunderbird from my machine, set the test profile up again, and it worked fine.

I'm amazed at the error message I was getting on the client side, and even more at why the above message shows opensmtpd failing to validate its own certificate. Did I somehow trigger a bug somewhere that I've now lost the capability to reproduce?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
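As an added example (not code from this thread, nor from OpenSMTPD or OpenSSL), the per-protocol probe loop quoted above, reworked so that it first checks that the CA bundle it passes to s_client actually exists (the cause of the fopen errors above), and then reduces each s_client run to a few tags: CA bundle missing, protocol rejected, issuer not found (verify error 20), peer sent access denied, or SMTP session completed. It assumes openssl(1) is on PATH and that the host, port and CA bundle are supplied by the caller; the candidate CA paths other than the FreeBSD one are common system defaults, and the sample outputs are constructed from the s_client messages quoted in the thread so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSMTPD/OpenSSL:
# probe an SMTP server's STARTTLS handshake one protocol version at a
# time and turn the openssl s_client output into short diagnoses.
# Assumes openssl(1) is on PATH; host, port and CA bundle come from the caller.

# Pick the first readable CA bundle from the caller's candidates and a few
# common system locations. The thread's first error came from openssl
# fopen()ing a FreeBSD-only path that did not exist on the client machine.
find_ca_bundle() {
    for f in "$@" \
             /usr/local/share/certs/ca-root-nss.crt \
             /etc/ssl/cert.pem \
             /etc/ssl/certs/ca-certificates.crt; do
        if [ -n "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Read s_client output on stdin and print one tag per recognised condition.
# Several may apply at once: in the ssl3 run quoted above, a missing CA
# bundle and a server-side handshake rejection showed up together.
classify_s_client() {
    out=$(cat)
    found=0
    if printf '%s\n' "$out" | grep -q 'fopen:No such file or directory'; then
        echo 'ca-bundle-missing'      # client-side config, not the server
        found=1
    fi
    if printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo 'protocol-rejected'      # server refused this version/cipher set
        found=1
    fi
    if printf '%s\n' "$out" | grep -q 'verify error:num=20:'; then
        echo 'issuer-not-found'       # no chain to a trusted root was built
        found=1
    fi
    if printf '%s\n' "$out" | grep -q 'alert access denied'; then
        echo 'peer-denied'            # the other side sent access_denied
        found=1
    fi
    if printf '%s\n' "$out" | grep -Eq '^(250|221) '; then
        echo 'smtp-session-ok'        # handshake completed, SMTP replies seen
        found=1
    fi
    [ "$found" -eq 1 ] || echo 'unclassified'
}

# Run one s_client connection per protocol flag and classify each result.
# Modern OpenSSL builds often lack -ssl3 (and sometimes -tls1); an unknown
# flag produces its own error line, which shows up as 'unclassified'.
probe_starttls() {
    host=$1; port=${2:-25}; ca=$3
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        printf '=== %s\n' "$proto"
        echo QUIT | openssl s_client -quiet -CAfile "$ca" "-$proto" \
            -connect "$host:$port" -starttls smtp 2>&1 | classify_s_client
    done
}

# Constructed samples, copied from the s_client output quoted in the thread,
# so the classifier can be exercised without a network.
SAMPLE_SSL3="140396859192976:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('/usr/local/share/certs/ca-root-nss.crt','r')
140396859192976:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1456:SSL alert number 40"
SAMPLE_TLS1="depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
250 HELP
221 2.0.0: Bye
read:errno=0"

# Usage: sh probe.sh probe mail.example.invalid 587 [/path/to/ca.pem]
if [ "${1:-}" = "probe" ]; then
    ca=$(find_ca_bundle "${4:-}") || { echo 'no readable CA bundle found' >&2; exit 1; }
    probe_starttls "$2" "${3:-25}" "$ca"
fi
```

Reading the tags side by side is the point: a run that prints only ca-bundle-missing and issuer-not-found is a client configuration problem (s_client could not load its trust store), while protocol-rejected on ssl3 alone matches the server's "wrong version number" log line and means the server simply does not speak that version.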