On Mon, Dec 21, 2020 at 12:30:57PM -0500, James B. Byrne wrote:
> Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning:
> TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:
> sslv3 alert certificate unknown:
> /usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:
> SSL alert number 46:
> Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]:
> lost connection after STARTTLS
> from accounting-2.internal.harte-lyne.ca[192.168.216.88]
>
> I believe that this is telling me that the application is attempting to
> establish an SSL connection using STARTTLS.
Yes, the application and the Postfix server are attempting to complete
a TLS handshake, indeed after STARTTLS.
> However, the error referencing the
> certificate is mystifying to me.
>
> Can someone explain to me what this error means?
- The Postfix SMTP server is reporting an error from the underlying
OpenSSL library.
- That error is receipt of a fatal "SSL alert", i.e. a courtesy message
from the *client* that it cannot complete the handshake, and is giving up.
- Instead of just disconnecting, the client indicates the reason why it
can't go on.
- The specific reason is that the client is unhappy with the server's
certificate.
SSLv3 is a red herring: the TLS protocol (1.0 through 1.2) evolved from
SSLv3 and shares much code with the original (now deprecated) SSLv3.
While TLS 1.3 is a significant departure, it too still shares some of
the underpinnings, so you'll see "sslv3" in error messages for all
protocol versions from SSLv3 through TLS 1.3.
--
Viktor.
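As an added example (not from the thread, nor Postfix or OpenSSL code), a small Python parser that decodes these smtpd warnings: it pairs each "TLS library problem" line with the "lost connection" line of the same smtpd PID, maps the trailing "SSL alert number" to its RFC 5246 name, and flags alerts 42-49 as the client rejecting the certificate the server presented. The sample log lines are constructed, modelled on the ones quoted above, and the line layout is an assumption about how a single-line log entry looks before mail-client wrapping.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2). 42-49 are the ones a client
# sends when it rejects the certificate the server presented.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

WARN_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: error:(?P<code>[0-9a-f]{8}):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):.*SSL alert number (?P<alert>\d+)"
)
LOST_RE = re.compile(r"smtpd\[(?P<pid>\d+)\]: lost connection after STARTTLS from (?P<peer>\S+)")

# Constructed sample modelled on the lines quoted in the thread; not real logs.
SAMPLE_LOG = """\
Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46:
Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: lost connection after STARTTLS from accounting-2.internal.harte-lyne.ca[192.168.216.88]
Dec 21 12:26:02 mx32 postfix-p25/smtpd[62570]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48:
Dec 21 12:26:02 mx32 postfix-p25/smtpd[62570]: lost connection after STARTTLS from 192.0.2.10[192.0.2.10]
"""

def parse_tls_alerts(log: str) -> list:
    """Pair each TLS warning with the 'lost connection' line of the same smtpd
    PID and decode the alert number the peer sent."""
    pending, events = {}, []
    for line in log.splitlines():
        m = WARN_RE.search(line)
        if m:
            alert = int(m.group("alert"))
            pending[m.group("pid")] = {
                "pid": m.group("pid"), "openssl_code": m.group("code"),
                "alert": alert, "alert_name": TLS_ALERTS.get(alert, "unknown"),
                # The alert arrives from the peer, so 42-49 mean the *client*
                # rejected the certificate this server presented.
                "client_rejected_server_cert": 42 <= alert <= 49,
            }
            continue
        m = LOST_RE.search(line)
        if m and m.group("pid") in pending:
            event = pending.pop(m.group("pid"))
            event["peer"] = m.group("peer")
            events.append(event)
    return events
```

Running `parse_tls_alerts(SAMPLE_LOG)` yields one event per failed handshake, with the peer name, alert number and name, so a defender can see at a glance which clients distrust the server certificate and why (unknown CA, expired, etc.).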