> From: Chris Garrigues <[EMAIL PROTECTED]>
> Date: Mon, 11 Jun 2001 12:48:02 -0500
>
> It seems that the TLS patch might be slightly more robust when things aren't
> completely configured.
>
> It appears that if you have the patch applied, but you don't have a cert.pem,
> you can't send mail to a system which does.
>
> It seems to me that the existence of that file is being tested for later than
> it should be. If you don't have a cert.pem, I don't think you should be
> even thinking about sending via TLS and shouldn't send the STARTTLS.
>
> I've now got the patch on all my systems, but when I try to test TLS on one
> system, my other systems can't send it email.

Hmmm, the other side could be more robust as well. It might be nice to not
say we support STARTTLS if we don't have the key:

Trying 10.1.2.1...
Connected to deepeddy.vircio.com.
Escape character is '^]'.
220 deepeddy.vircio.com ESMTP
ehlo sequoia
250-deepeddy.vircio.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-STARTTLS
250-SIZE 0
250 8BITMIME
starttls
454 TLS not available: missing RSA private key (#4.3.0)

This probably explains the odd Netscape behavior that I saw this weekend.
When you try to send mail from Netscape under these conditions, it prompts for
a password and then fails to send it. (A network error occured while Netscape
was receiving data. (Network Error: Broken pipe)) The fix was to change the
"Use Secure Socket Layer (SSL) or TLS for outgoing messages" setting from
"Never" to "If Possible". I don't think that Netscape is behaving right, but
if we didn't claim to be able to do what we aren't doing yet, it would probably
be better.

Meanwhile, I'm finding that even with keys on both ends, I can't send
mail... I'll post this message and keep investigating.

Chris

--
Chris Garrigues http://www.DeepEddy.Com/~cwg/
virCIO http://www.virCIO.Com
4314 Avenue C
Austin, TX 78751-3709 +1 512 374 0500
My email address is an experiment in SPAM elimination. For an
explanation of what we're doing, see http://www.DeepEddy.Com/tms.html
Nobody ever got fired for buying Microsoft,
but they could get fired for relying on Microsoft.
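
Added example, not part of the original message or of the TLS patch: a Python check that reads a captured SMTP session like the one quoted above and reports when a server lists STARTTLS in its EHLO reply but then refuses the command. The function names are hypothetical; the session text is copied from the message.

```python
import re

# Session text copied from the message above (telnet chatter included).
SESSION = """\
Trying 10.1.2.1...
Connected to deepeddy.vircio.com.
Escape character is '^]'.
220 deepeddy.vircio.com ESMTP
ehlo sequoia
250-deepeddy.vircio.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-STARTTLS
250-SIZE 0
250 8BITMIME
starttls
454 TLS not available: missing RSA private key (#4.3.0)
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def replies_by_command(transcript):
    """Map each client command verb (lowercased) to (code, reply_lines).

    Any line that is not an SMTP reply is treated as a client command; a reply
    is zero or more 'NNN-text' lines closed by one 'NNN text' line.
    """
    result, command, pending = {}, "", []
    for line in transcript.splitlines():
        m = REPLY.match(line)
        if m is None:
            command, pending = (line.split() or [""])[0].lower(), []
            continue
        pending.append(m.group(3))
        if m.group(2) == " ":  # final line of this reply
            result[command] = (int(m.group(1)), pending)
            pending = []
    return result

def starttls_status(transcript):
    """Return 'not-offered', 'untested', 'ok' or 'advertised-but-unavailable'."""
    replies = replies_by_command(transcript)
    code, lines = replies.get("ehlo", (0, []))
    # The first EHLO line is the greeting; the rest are extension keywords.
    keywords = {(text.split() or [""])[0].upper() for text in lines[1:]}
    if code != 250 or "STARTTLS" not in keywords:
        return "not-offered"
    if "starttls" not in replies:
        return "untested"
    return "ok" if replies["starttls"][0] == 220 else "advertised-but-unavailable"
```
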