> [[email protected] - Mon Mar 22 09:48:17 2010]:
>
> As far as I can tell client does exactly the same between a connection
> that works and one that doesn't work. The server just closes the
> connection.
>
> No client certificates are being used, but for some reason that gets
> in the error log. The "SSL_accept:error in SSLv3 read client
> certificate A" message is printed using the same code as in
> apps/s_cb.c:apps_ssl_info_callback()
>
> I can only reproduce this using postfix if I set smtpd_tls_CAfile and
> the file is the CA that signed my cert. I've tried various other
> combinations but none of them seem to trigger the problem.
>
> I can't reproduce this using s_server.
>
> Dovecot seems to be having the same problem, the log now looks like:
> dovecot: imap-login: Disconnected (no auth attempts):
> rip=91.53.xxx.yyy, lip=79.140.xxx.yyy, TLS handshaking:
> SSL_accept() failed: error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm
>
> Note that both cases print the same "unknown message digest
> algorithm" error message.
I notice that the certificate in question is using SHA256. Do the affected
applications call SSL_library_init() only and not OpenSSL_add_all_algorithms()?
If so I'd suggest adding a call to OpenSSL_add_all_algorithms() to the
application too: if that isn't present it would fail anyway if client
certificates used SHA256.

I think though that error could be bogus and it is confusing other routines
later on. In ssl/s3_both.c try adding a call to ERR_clear_error() after
X509_verify_cert() and see if that resolves the problem.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
