Perhaps this isn't exactly the place for this question. If not, I'll take
it over to the sendmail list.
The facts:
Solaris 2.6/SPARC
sendmail 8.11.4
OpenSSL 0.9.5a
Client:
Netscape 4.74/SPARC
I'm trying to get certificate authentication working for SMTP-TLS. I have
a cert/key pair for the SMTP server, signed by our certificate authority.
It has, in /etc/mail/certs, the certificate used to sign client requests,
and the hash.0 symlink pointing to it:
pecos:(28) /etc/mail/certs> ls -la
total 11
drwxr-xr-x 2 root 512 Jul 10 15:01 .
drwxr-xr-x 3 root 512 Jul 10 10:25 ..
lrwxrwxrwx 1 root 10 Jul 10 10:18 1104c566.0 -> CAcert.pem
-r-------- 1 root 1147 Jul 10 10:16 CAcert.pem
-r-------- 1 root 1108 Jul 10 10:16 MYcert.pem
-r-------- 1 root 887 Jul 10 10:13 MYkey.pem
-r-------- 1 root 985 Jul 10 10:16 cacert.pem
lrwxrwxrwx 1 root 10 Jul 10 10:18 d41e98b2.0 -> cacert.pem
Our certificate:
My client certificate:
subject=/C=US/ST=Texas/O=Rice University/OU=People/CN=Wyman E Miles
[EMAIL PROTECTED]
And, last but not least, the error:
Jul 10 10:23:44 pecos.is.rice.edu sendmail[12982]: TLS cert verify:
depth=1 /C=US/ST=Texas/L=Houston/O=Rice University/OU=Information Technology/CN=Rice
University Client/S-MIME [EMAIL PROTECTED], state=0, reason=certificate
signature failure
When I use the same certificate versus our mod_ssl server, the
authentication goes off without a hitch. Any ideas how to solve this
problem?
Wyman Miles
Senior Systems Administrator, Rice University, Texas.
(713) 348-5827, e-mail:[EMAIL PROTECTED], pager:[EMAIL PROTECTED]
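
Added example, not part of the original message: a shell check for a hashed certificate directory like the /etc/mail/certs listing above. It confirms that each hash.N symlink is named after the subject hash of the certificate it points to, and that a certificate verifies against the directory. It assumes an openssl binary on PATH; the function names and the throwaway sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes `openssl` on PATH;
# all function names here are hypothetical.

# Return 0 if every <hash>.<n> symlink in directory $1 is named after the
# subject hash of the certificate it resolves to, 1 otherwise.
# Note: OpenSSL 1.0.0 changed the subject-hash algorithm, so links must be
# named by the same OpenSSL generation the server is linked against.
check_hash_links() {
    dir=$1
    rc=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        want=${name%.*}
        got=$(openssl x509 -noout -hash -in "$link" 2>/dev/null) || got=unreadable
        if [ "$want" = "$got" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (certificate hashes to $got)"
            rc=1
        fi
    done
    return "$rc"
}

# Return 0 if certificate $2 verifies against the hashed directory $1.
# Matches the "<file>: OK" line because older openssl releases can exit 0
# even when verification fails.
verify_with_dir() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Constructed sample: a throwaway self-signed certificate in a temp
# directory, linked once under its real hash. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/key.pem" -out "$d/CAcert.pem" >/dev/null 2>&1 || return 1
    h=$(openssl x509 -noout -hash -in "$d/CAcert.pem") || return 1
    ln -s CAcert.pem "$d/$h.0"
    echo "$d"
}

# With a directory argument, check that directory (e.g. /etc/mail/certs).
if [ $# -gt 0 ]; then check_hash_links "$1"; fi
```

Run the check with the openssl binary from the same build the mail server is linked against, so the recomputed hashes use the algorithm the server will use for lookup.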