Re: SSL / SMTP
On Wed, Apr 17, 2013, Joan Moreau wrote:

> On 16/04/2013 15:11, Joan Moreau wrote:
>
> > Hi,
> >
> > Since I upgraded my kernel (and rebuilt openssl), I get the following errors in Postfix:
> >
> > 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> > 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> >
> > while the postfix system has worked for ages.
> >
> > I went back to the old kernel, but the error persists.
> >
> > Do you have a hint?
> >
> > Thank you
> >
> > Joan
>
> Actually, the complete log error is the following:
>
> 2013-04-17T09:17:14.283129+02:00 server postfix/smtpd[16725]: initializing the server-side TLS engine
> 2013-04-17T09:17:14.383298+02:00 server postfix/smtpd[16725]: connect from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> 2013-04-17T09:17:14.383313+02:00 server postfix/smtpd[16725]: setting up TLS connection from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> 2013-04-17T09:17:14.383382+02:00 server postfix/smtpd[16725]: wana-25-254-12-196.wanamaroc.com[196.12.254.25]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> 2013-04-17T09:17:14.383617+02:00 server postfix/smtpd[16725]: SSL_accept:before/accept initialization
> 2013-04-17T09:17:14.383702+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client hello A
> 2013-04-17T09:17:14.383710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server hello A
> 2013-04-17T09:17:14.383712+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write certificate A
> 2013-04-17T09:17:14.385694+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write key exchange A
> 2013-04-17T09:17:14.385710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server done A
> 2013-04-17T09:17:14.385720+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 flush data
> 2013-04-17T09:17:36.573635+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client key exchange A
> 2013-04-17T09:17:36.573659+02:00 server postfix/smtpd[16725]: SSL_accept:error in SSLv3 read certificate verify A
> 2013-04-17T09:17:36.573665+02:00 server postfix/smtpd[16725]: SSL_accept error from wana-25-254-12-196.wanamaroc.com[196.12.254.25]: -1
> 2013-04-17T09:17:36.573670+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>
> Can you help?

This is presumably OpenSSL 1.0.1. Do you get that error when connecting with TLS 1.2 only, or for TLS 1.1 or earlier?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
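The two "TLS library problem" lines above carry packed OpenSSL error codes (1411C146 and 140D308A). The script below is an added example, not code from this thread or from the OpenSSL project: it pulls every such code out of Postfix log text and splits it into the library, function and reason numbers that OpenSSL 1.0.x/1.1.x pack into it, and it also wraps Steve's question (TLS 1.2 only, or earlier versions too?) into a per-version s_client probe. The sample log is the two warning lines from the original post, one record per line; the probe target host is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: decode the packed OpenSSL error codes that
# Postfix logs as "TLS library problem", and probe an SMTP server one TLS version
# at a time. The field layout decoded here is the OpenSSL 1.0.x/1.1.x one
# (ERR_PACK: 8-bit library, 12-bit function, 12-bit reason); OpenSSL 3 packs
# codes differently (no function field), so for 3.x codes use 'openssl errstr'.

decode_openssl_err() {
    # $1: 8-hex-digit code, e.g. 1411C146. Prints "<CODE> lib=N func=N reason=N".
    # lib=20 is ERR_LIB_SSL, i.e. the error was raised inside libssl itself.
    code=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    l=$(printf '%s' "$code" | cut -c1-2)
    f=$(printf '%s' "$code" | cut -c3-5)
    r=$(printf '%s' "$code" | cut -c6-8)
    printf '%s lib=%d func=%d reason=%d\n' "$code" "$((0x$l))" "$((0x$f))" "$((0x$r))"
}

decode_postfix_tls_errors() {
    # Reads Postfix log text on stdin; decodes each distinct code once.
    sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p' | sort -u | while read -r c; do
        decode_openssl_err "$c"
    done
}

sample_postfix_log() {
    # The two warning lines from the original post, each on one line.
    cat <<'EOF'
2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
EOF
}

probe_starttls_versions() {
    # $1: host, $2: port (default 25). Network-dependent, so not exercised by the
    # self-test. Each protocol version is tried on its own so that a
    # version-specific failure stands out. A modern client-side openssl may itself
    # refuse TLS 1.0/1.1 at its default security level, so read a FAILED line for
    # those versions against what the local 'openssl s_client' is willing to speak.
    host=$1
    port=${2:-25}
    for v in -tls1_2 -tls1_1 -tls1; do
        if openssl s_client -starttls smtp -connect "$host:$port" "$v" \
              </dev/null >/dev/null 2>&1; then
            echo "$v: handshake OK"
        else
            echo "$v: handshake FAILED"
        fi
    done
}

sample_postfix_log | decode_postfix_tls_errors
```

Both codes decode to lib=20, so both were raised inside libssl; the reason strings in the log (unsupported digest type, cipher or hash unavailable) are what libssl says when its digest lookups into libcrypto come back empty. `openssl errstr 1411C146` gives the symbolic names, but note that it consults the tables of whichever libcrypto the `openssl` binary is linked against, which in this thread is exactly the component under suspicion, and that a 3.x `openssl errstr` will misread a 1.0.x-format code.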
Re: [openssl-users] Re: SSL / SMTP
On 17/04/2013 18:40, Joan Moreau wrote:
> On 17/04/2013 14:18, Viktor Dukhovni wrote:
> > On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:
> > > 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> > > 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> > >
> > > Can you help?
> >
> > No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.
> >
> > You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.
>
> Please Viktor, I don't need your insults and misbehaving and lack of politeness. My system is not "messed up", I have thousands of people working with it for ages. Now, I'll appreciate very much some help instead of those useless attacks.

Reading the mentioned postfix-users thread, it seems Viktor is right: you messed up your server, compiling and installing your own cutting-edge kernels and binaries, without using a package manager, on a production server.

You may try to locate the libraries that have been used during compilation, and the ones that are used by your running postfix, and compare them. The first answer is to be found somewhere in the compilation logs; the answer to the second question can be found by running the following:

ps faux | grep postfix | awk '{ print $2 }' | xargs -L 1 lsof -p | grep -E "libcrypto|libssl"

considering that your postfix binary runs under the identity "postfix", and that you're root (or add a sudo before xargs).

I don't think it's a SHA2 error, as I'm rejected by your server when I contact it with RC4-SHA (something that is permitted by your ciphersuite string).
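The ps/lsof pipeline in the reply above answers "which libssl and libcrypto does the running smtpd actually have loaded?". The script below is an added example, not code from the thread: it reads the same information from /proc/<pid>/maps (no lsof needed), lists the distinct libssl/libcrypto paths, and flags the case Viktor describes, a libssl and a libcrypto that evidently did not come from the same build because they live in different directories. The two maps excerpts are constructed for the demonstration; paths, inode numbers and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: audit which libssl/libcrypto a process has
# mapped, from /proc/<pid>/maps (Linux). Field 6 of a maps line is the backing file.

tls_libs_in_maps() {
    # $1: a /proc/<pid>/maps file (or a saved copy). Prints each distinct
    # libssl*/libcrypto* path once.
    awk '$6 ~ /\/lib(ssl|crypto)[^\/]*\.so/ { print $6 }' "$1" | sort -u
}

audit_tls_libs() {
    # $1: maps file. Prints the paths, then an OK or MISMATCH line; returns 1 on MISMATCH.
    # "Same directory" is a heuristic, not proof of the same build, but two
    # directories almost always means two builds.
    libs=$(tls_libs_in_maps "$1")
    if [ -z "$libs" ]; then
        echo "MISMATCH: no libssl/libcrypto mapped (static build, or wrong pid?)"
        return 1
    fi
    printf '%s\n' "$libs"
    n_ssl=$(printf '%s\n' "$libs" | grep -c '/libssl' || true)
    n_crypto=$(printf '%s\n' "$libs" | grep -c '/libcrypto' || true)
    n_dirs=$(printf '%s\n' "$libs" | sed 's,/[^/]*$,,' | sort -u | wc -l | tr -d ' ')
    if [ "$n_ssl" -eq 1 ] && [ "$n_crypto" -eq 1 ] && [ "$n_dirs" -eq 1 ]; then
        echo "OK: one libssl and one libcrypto from the same directory"
        return 0
    fi
    echo "MISMATCH: libssl=$n_ssl libcrypto=$n_crypto directories=$n_dirs"
    return 1
}

audit_pid() {
    # Live use (needs read access to /proc/<pid>/maps, i.e. root for postfix's smtpd):
    #   for p in $(pgrep -x smtpd); do audit_pid "$p"; done
    audit_tls_libs "/proc/$1/maps"
}

sample_maps_mixed() {
    # Constructed excerpt: libssl from the distro, libcrypto from a /usr/local build.
    cat <<'EOF'
7f3b2c000000-7f3b2c05e000 r-xp 00000000 08:01 1311  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3b2c05e000-7f3b2c25d000 ---p 0005e000 08:01 1311  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3b2c260000-7f3b2c40a000 r-xp 00000000 08:01 9021  /usr/local/ssl/lib/libcrypto.so.1.0.0
7f3b2c40a000-7f3b2c60a000 ---p 001aa000 08:01 9021  /usr/local/ssl/lib/libcrypto.so.1.0.0
7f3b2c80a000-7f3b2c98a000 r-xp 00000000 08:01 4410  /lib/x86_64-linux-gnu/libc-2.13.so
7ffd5e3f0000-7ffd5e411000 rw-p 00000000 00:00 0     [stack]
EOF
}

sample_maps_clean() {
    # Constructed excerpt: both libraries from the same distro directory.
    cat <<'EOF'
7f3b2c000000-7f3b2c05e000 r-xp 00000000 08:01 1311  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3b2c260000-7f3b2c40a000 r-xp 00000000 08:01 1312  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffd5e3f0000-7ffd5e411000 rw-p 00000000 00:00 0     [stack]
EOF
}
```

Run it against every smtpd (and against the `openssl` binary's own process while `openssl s_client` is connected) and compare: Viktor's observation that s_client/s_server work while smtpd fails is exactly the pattern you would see if the two load different libcrypto builds.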
Re: SSL / SMTP
On Wed, Apr 17, 2013 at 04:40:55PM +, Joan Moreau wrote:

> > No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.
> >
> > You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.
>
> Please Viktor, I don't need your insults and misbehaving and lack of politeness.

I did my best to help you. Your best way forward is to install Postfix on a server that is in a known working state (not messed-up, whatever, ...).

You don't have an OpenSSL problem; you already demonstrated this in the Postfix list thread, where s_client and s_server worked fine. You have a problem with Postfix in an environment whose integrity is strongly suspect, and where Postfix links to a libssl whose calls into libcrypto fail to find any supported digest algorithms, despite apparent correctness of header files, library versions, ...

All the easy causes have been ruled out. You can continue to waste time and hope for a miracle, or you can do the right thing and build a working system, where you either use the bundled Postfix, or compile Postfix from source against the default system OpenSSL library.

Over and out.

--
Viktor.
Re: SSL / SMTP
On 17/04/2013 14:18, Viktor Dukhovni wrote:
> On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:
> > 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> > 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> >
> > Can you help?
>
> No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.
>
> You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.

Please Viktor, I don't need your insults and misbehaving and lack of politeness. My system is not "messed up", I have thousands of people working with it for ages. Now, I'll appreciate very much some help instead of those useless attacks.

Thank you
Re: SSL / SMTP
On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:

> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>
> Can you help?

No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.

You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.

--
Viktor.
Re: SSL / SMTP
On 16/04/2013 15:11, Joan Moreau wrote:
> Hi,
>
> Since I upgraded my kernel (and rebuilt openssl), I get the following errors in Postfix:
>
> 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
>
> while the postfix system has worked for ages.
>
> I went back to the old kernel, but the error persists.
>
> Do you have a hint?
>
> Thank you
>
> Joan

Actually, the complete log error is the following:

2013-04-17T09:17:14.283129+02:00 server postfix/smtpd[16725]: initializing the server-side TLS engine
2013-04-17T09:17:14.383298+02:00 server postfix/smtpd[16725]: connect from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
2013-04-17T09:17:14.383313+02:00 server postfix/smtpd[16725]: setting up TLS connection from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
2013-04-17T09:17:14.383382+02:00 server postfix/smtpd[16725]: wana-25-254-12-196.wanamaroc.com[196.12.254.25]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
2013-04-17T09:17:14.383617+02:00 server postfix/smtpd[16725]: SSL_accept:before/accept initialization
2013-04-17T09:17:14.383702+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client hello A
2013-04-17T09:17:14.383710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server hello A
2013-04-17T09:17:14.383712+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write certificate A
2013-04-17T09:17:14.385694+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write key exchange A
2013-04-17T09:17:14.385710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server done A
2013-04-17T09:17:14.385720+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 flush data
2013-04-17T09:17:36.573635+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client key exchange A
2013-04-17T09:17:36.573659+02:00 server postfix/smtpd[16725]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-17T09:17:36.573665+02:00 server postfix/smtpd[16725]: SSL_accept error from wana-25-254-12-196.wanamaroc.com[196.12.254.25]: -1
2013-04-17T09:17:36.573670+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]

Can you help?

Thank you
SSL / SMTP
Hi,

Since I upgraded my kernel (and rebuilt openssl), I get the following errors in Postfix:

2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:

while the postfix system has worked for ages.

I went back to the old kernel, but the error persists.

Do you have a hint?

Thank you

Joan
Re: howto? SSL+SMTP+IMAP+POP3
Hi Olaf et al.

Use this command line with your settings. It should work, since in my LX box it works with Netscape/Outlook!

openssl pkcs12 -export -inkey hostKey.pem \
    -in hostCert.pem -name "soggy" \
    -certfile caCert.pem -caname "Root CA" \
    -out hostCert.p12

Then import your personal cert in Netscape/Outlook. After that, both your cert and the root cert will be in.

Please give me feedback.

Enjoy!

Olaf Zaplinski wrote:
>
> Hi all,
>
> this is what I did:
>
> # openssl genrsa -des3 -out ca.key
> # openssl req -key ca.key -nodes -new -out ca.req
> # openssl x509 -days 1000 -in ca.req -req -signkey ca.key -out ca.pem
>
> moved ca.pem to demoCA/cacert.pem and ca.key to demoCA/private/cakey.pem
>
> Then:
>
> # openssl ca -cert demoCA/cacert.pem -ss_cert demoCA/cacert.pem -out ca.pem
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> Check that the request matches the signature
> Signature ok
> The Subjects Distinguished Name is as follows
> countryName           :PRINTABLE:'DE'
> stateOrProvinceName   :PRINTABLE:'Hamburg'
> localityName          :PRINTABLE:'Hamburg'
> organizationName      :PRINTABLE:'zaplinski.de certificate services'
> commonName            :PRINTABLE:'zaplinski.de root CA'
> emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
> Certificate is to be certified until Aug 27 21:18:49 2002 GMT (365 days)
> Sign the certificate? [y/n]:y
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> # mv ca.pem demoCA/cacert.pem
>
> So I now have my self-signed CA.
>
> But how can I import that in IE and NS? I could not find any information on the web. 'openssl pkcs7 -i demoCA/cacert.pem -outform DER -out ca.p7b' did not work, and AFAIK MS IE5 only eats pkcs7 files. But, even if I show it pkcs7, it continues to say the file format isn't recognized.
>
> I even had an own little CA and a CA-signed cert for SSL'ed POP3 and SMTP, but after importing that cert to Netscape it did not know anything about my CA. MS IE5 refused to import that. So I deleted everything and started all over.
>
> Is there any HOWTO/FAQ how to
>
> - build an own CA
> - import that CA into Netscape/IE
> - build a server cert signed by that CA *not* to be used by apache but mailer apps
> - also import that into Netscape/IE?
>
> I could not find any information on the web.
>
> Any hints welcome!
>
> Olaf

--
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# Network Security Auditor (NSA)
# e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
# http://www.keyserver.net/en/
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .-
howto? SSL+SMTP+IMAP+POP3
Hi all,

this is what I did:

# openssl genrsa -des3 -out ca.key
# openssl req -key ca.key -nodes -new -out ca.req
# openssl x509 -days 1000 -in ca.req -req -signkey ca.key -out ca.pem

moved ca.pem to demoCA/cacert.pem and ca.key to demoCA/private/cakey.pem

Then:

# openssl ca -cert demoCA/cacert.pem -ss_cert demoCA/cacert.pem -out ca.pem
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Hamburg'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'zaplinski.de certificate services'
commonName            :PRINTABLE:'zaplinski.de root CA'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Aug 27 21:18:49 2002 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# mv ca.pem demoCA/cacert.pem

So I now have my self-signed CA.

But how can I import that in IE and NS? I could not find any information on the web. 'openssl pkcs7 -i demoCA/cacert.pem -outform DER -out ca.p7b' did not work, and AFAIK MS IE5 only eats pkcs7 files. But, even if I show it pkcs7, it continues to say the file format isn't recognized.

I even had an own little CA and a CA-signed cert for SSL'ed POP3 and SMTP, but after importing that cert to Netscape it did not know anything about my CA. MS IE5 refused to import that. So I deleted everything and started all over.

Is there any HOWTO/FAQ how to

- build an own CA
- import that CA into Netscape/IE
- build a server cert signed by that CA *not* to be used by apache but mailer apps
- also import that into Netscape/IE?

I could not find any information on the web.

Any hints welcome!

Olaf
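The four steps Olaf asks for (own CA, a server certificate signed by it for the mail daemons rather than Apache, and something the clients will import), together with the PKCS#12 export from Averroes' reply, as one script. This is an added example, not code from either post and not from the OpenSSL project: the hostnames (mail/smtp/imap.example.com), the CA name, validity periods and the PKCS#12 password are assumptions for the demonstration. Where the original CA was self-signed with `x509 -req -signkey` and carried no extensions, this one is issued as a v3 CA certificate with explicit basicConstraints and keyUsage, and the leaf gets subjectAltName entries, which is what current clients match the hostname against.

```shell
#!/bin/sh
# Added example, not from the thread: a small private CA for SMTP/IMAP/POP3 servers,
# built with the openssl CLI, plus the two export formats clients import.
# Assumed values: example.com hostnames, "Example Root CA", demo PKCS#12 password.

build_mail_pki() {
    # $1: output directory. Produces ca.key/ca.pem (CA), server.key/server.pem (leaf),
    # ca.der (CA for browser/OS trust-store import) and server.p12 (key + chain bundle).
    dir=$1
    mkdir -p "$dir"

    # CA: explicit v3 CA extensions. Olaf's 'x509 -req -signkey' self-signature had none.
    cat >"$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
CN = Example Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem"

    # Server key and CSR. The CN is kept as a hostname, but clients match on SAN.
    cat >"$dir/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = mail.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr"

    # Leaf extensions: end-entity, TLS server, one SAN per name the daemons answer to.
    cat >"$dir/server_ext.cnf" <<'EOF'
[ srv_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:mail.example.com, DNS:smtp.example.com, DNS:imap.example.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/server_ext.cnf" -extensions srv_ext -out "$dir/server.pem"

    # Browsers and OS trust stores import a single root as DER (.der/.cer);
    # PKCS#7, which Olaf tried, is a bundle format, not what the importer expects for one root.
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"

    # PKCS#12 bundle as in Averroes' reply: key, leaf and CA in one file.
    # The password on the command line is for this demo only; use -passout file:... in practice.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.pem" \
        -certfile "$dir/ca.pem" -name "mail.example.com" -caname "Example Root CA" \
        -passout pass:demo-only -out "$dir/server.p12"

    # Check the chain the way a client will.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem"
}
```

Point the MTA at server.key/server.pem plus ca.pem as the chain, import ca.der into the client's trust store, and keep ca.key offline: with the CA key on the mail server, a compromise of the server also yields the ability to mint certificates for any name.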