On Thu, Apr 30, 2015 at 10:29:29AM +0300, Birta Levente wrote:

> On 30/04/2015 10:17, Viktor Dukhovni wrote:
> >On Thu, Apr 30, 2015 at 10:09:36AM +0300, Birta Levente wrote:
> >
> >>OK, I found the problem:
> >>I had configured the smtp_tls_CAfile. Removing everything works fine.
> >Was the file malformed? I have a hard time imagining any non-empty
> >set of well-formed certs in that file causing the problem you
> >describe. Did the file contain any PEM X.509 certificates?
> >
> >Does:
> >
> >    $ cafile=<your former CAfile>
> >    $ openssl crl2pkcs7 -nocrl -certfile "$cafile" |
> >        openssl pkcs7 -print_certs -noout |
> >        grep -c '^issuer='
> >
> >report any errors to stderr? How many issuers were reported by
> >grep?
> >
>
> No error and only 1 issuer, which was the cacert.org root certificate

Can you reproduce the problem by using "-CAfile $cafile" with
s_client(1)? I don't see how adding a trusted CA can break the
handshake if the CA is well formed.

Please provide more information. Please attach a gzipped copy of
the CAfile after making sure putting it back restores the problem.

--
Viktor.
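
A structural pre-check for the question raised in the thread above (is the CAfile well formed, and how many certificate blocks does it hold), as an added example that is not part of the original messages. It validates only PEM framing, base64 and the outer DER length, not the X.509 contents; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# One PEM certificate block; the base64 body is captured for decoding.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_outer_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length spans the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_cafile(text: str) -> dict:
    """Count well-formed, malformed and unterminated certificate blocks."""
    ok = bad = 0
    for m in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:                 # bad alphabet or padding
            bad += 1
            continue
        if der_outer_length_ok(der):
            ok += 1
        else:
            bad += 1
    # A BEGIN line with no matching END line is a truncated block.
    unterminated = text.count("-----BEGIN CERTIFICATE-----") - (ok + bad)
    return {"ok": ok, "malformed": bad, "unterminated": unterminated}

def _fake_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample, not real certificates: one consistent blob, one whose
# DER length claims 256 bytes but carries 200, and one block missing its END.
GOOD = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SHORT = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(200)
SAMPLE = _fake_pem(GOOD) + _fake_pem(SHORT) + "-----BEGIN CERTIFICATE-----\nMIIB\n"

if __name__ == "__main__":
    print(lint_cafile(SAMPLE))
```

A clean result here does not replace the `openssl pkcs7 -print_certs` check quoted above, which actually parses each certificate.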