Hi,

It seems that with the change to 0.9.8m, postfix and dovecot don't properly accept connections anymore in all cases.
In postfix's log this looks like:

    SSL_accept:SSLv3 flush data
    read from 7FA27CBE5E70 [7FA27CBEF150] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    SSL_accept:error in SSLv3 read client certificate A
    SSL_accept:error in SSLv3 read client certificate A
    SSL_accept error from localhost[127.0.0.1]: -1
    warning: TLS library problem: 26949:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:
    lost connection after STARTTLS from localhost[127.0.0.1]

That is with using:

    openssl s_client -connect localhost:25 -starttls smtp

Which prints:

    CONNECTED(00000003)
    29584:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

As far as I can tell, the client does exactly the same between a connection that works and one that doesn't work. The server just closes the connection.

No client certificates are being used, but for some reason that gets in the error log. The "SSL_accept:error in SSLv3 read client certificate A" message is printed using the same code as in apps/s_cb.c:apps_ssl_info_callback()

I can only reproduce this using postfix if I set smtpd_tls_CAfile and the file is the CA that signed my cert. I've tried various other combinations but none of them seem to trigger the problem.

I can't reproduce this using s_server.

Dovecot seems to be having the same problem, the log now looks like:

    dovecot: imap-login: Disconnected (no auth attempts): rip=91.53.xxx.yyy, lip=79.140.xxx.yyy, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

Note that both cases print the same "unknown message digest algorithm" error message.

More information about this is at:
http://bugs.debian.org/573889

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
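
Added example, not part of the original message: a small Python triage script that pulls the OpenSSL error-queue entries out of the three log lines quoted above, decodes each packed code, and reports which entries more than one program logged. The source labels and function names are made up for the illustration; the 8/12/12-bit split is the error-code packing used by OpenSSL releases before 3.0.

```python
import re
from collections import defaultdict

# OpenSSL error-queue text: error:<8 hex digits>:<library>:<function>:<reason>
# postfix and s_client append ":<file>:<line>:"; dovecot's line ends at the reason.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:\n]+)")

def unpack(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_errors(line):
    """Return every OpenSSL error entry embedded in one log line."""
    return [
        {"code": code.upper(), "packed": unpack(code),
         "lib": lib, "func": func, "reason": reason.strip()}
        for code, lib, func, reason in ERR_RE.findall(line)
    ]

def shared_errors(samples):
    """Map (code, function, reason) to the sources that logged it, if more than one did."""
    seen = defaultdict(set)
    for source, line in samples:
        for err in parse_errors(line):
            seen[(err["code"], err["func"], err["reason"])].add(source)
    return {key: sorted(srcs) for key, srcs in seen.items() if len(srcs) > 1}

# Log lines copied from the message above; the source labels are assigned here.
SAMPLES = [
    ("postfix", "warning: TLS library problem: 26949:error:0D0C50A1:asn1 encoding "
                "routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:"),
    ("postfix", "SSL_accept:error in SSLv3 read client certificate A"),
    ("s_client", "29584:error:140790E5:SSL routines:SSL23_WRITE:"
                 "ssl handshake failure:s23_lib.c:188:"),
    ("dovecot", "dovecot: imap-login: Disconnected (no auth attempts): "
                "rip=91.53.xxx.yyy, lip=79.140.xxx.yyy, TLS handshaking: SSL_accept() "
                "failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:"
                "unknown message digest algorithm"),
]

if __name__ == "__main__":
    for (code, func, reason), sources in shared_errors(SAMPLES).items():
        lib, fn, rsn = unpack(code)
        print(f"{code} lib={lib} func={fn} reason={rsn} {func}: {reason} <- {sources}")
```

The only entry common to both servers is the ASN1_item_verify failure; the s_client handshake failure is the client-side view of the server dropping the connection.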
