Bug#902716: Acknowledgement (reportbug.debian.org has invalid certificate)

2018-07-02 Thread Sandro Tosi
Hey Don,

> $  openssl s_client  --starttls smtp -connect reportbug.debian.org:587
> CONNECTED(0003)
> depth=0 C = NA, ST = NA, L = Ankh Morpork, O = Debian SMTP, OU = Debian SMTP 
> CA, CN = buxtehude.debian.org, emailAddress = hostmas...@buxtehude.debian.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = NA, ST = NA, L = Ankh Morpork, O = Debian SMTP, OU = Debian SMTP 
> CA, CN = buxtehude.debian.org, emailAddress = hostmas...@buxtehude.debian.org
> verify error:num=21:unable to verify the first certificate
> verify return:1

so it looks like it's a self-issued local certificate? reportbug.d.o
advertises STARTTLS in its options

morph@zion:~/deb/reportbug$ telnet reportbug.debian.org 587
Trying 2607:f8f0:614:1::1274:39...
Connected to buxtehude.debian.org.
Escape character is '^]'.
he220 buxtehude.debian.org ESMTP Exim 4.89 Tue, 03 Jul 2018 01:12:00 +
ehlo sandrotosi.me
250-buxtehude.debian.org Hello sandrotosi.me
[2604:2000:e902:f100:a2d0:6b79:bba:e2b5]
250-SIZE 104857600
250-8BITMIME
250-STARTTLS
250 HELP

but I'm not sure how it could work if the client can't verify the cert chain.

-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi



Bug#902716: Acknowledgement (reportbug.debian.org has invalid certificate)

2018-07-02 Thread Brian Minton

$  openssl s_client  --starttls smtp -connect reportbug.debian.org:587
CONNECTED(0003)
depth=0 C = NA, ST = NA, L = Ankh Morpork, O = Debian SMTP, OU =
Debian SMTP CA, CN = buxtehude.debian.org, emailAddress =
hostmas...@buxtehude.debian.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NA, ST = NA, L = Ankh Morpork, O = Debian SMTP, OU =
Debian SMTP CA, CN = buxtehude.debian.org, emailAddress =
hostmas...@buxtehude.debian.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP
CA/CN=buxtehude.debian.org/emailAddress=hostmas...@buxtehude.debian.org
   i:/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP
CA/CN=Debian SMTP CA/emailAddress=hostmas...@puppet.debian.org
---
Server certificate
subject=/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP
CA/CN=buxtehude.debian.org/emailAddress=hostmas...@buxtehude.debian.org
issuer=/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP
CA/CN=Debian SMTP CA/emailAddress=hostmas...@puppet.debian.org
---
Acceptable client certificate CA names
/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian
SMTP CA/emailAddress=hostmas...@puppet.debian.org
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms:
RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2282 bytes and written 347 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7E3BBFDAE6C0616D76239C40803DB81092DCA2E86842377C3A122A649F47D189
Session-ID-ctx:
Master-Key:
2E1E1A68F43A38EDE8A4B67E82BA3C63D1551E6CF5F78F3F81F8F705418F7B7FF4A223088DF687D219CE12B283FEE0F9
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1530560544
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
250 HELP
quit
221 buxtehude.debian.org closing connection
closed
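
An added example, not part of the thread: a small Python classifier for `openssl s_client` text output that tells a self-signed certificate apart from one issued by a private CA the client does not trust, which is the case errors 20 and 21 indicate when the chain shows a different issuer. The `diagnose` function and the verdict labels are assumptions made for illustration, and the sample input is constructed from the output quoted above.

```python
import re

# Meanings of the OpenSSL verify codes that matter here (OpenSSL verify manual page).
VERIFY_CODES = {
    18: "self-signed leaf that is not in the trust store",
    19: "self-signed root in the chain that is not in the trust store",
    20: "issuer certificate not found in the local trust store",
    21: "single certificate sent and its issuer is unknown",
}

# Constructed sample: trimmed from the s_client output in the thread,
# with wrapped lines re-joined and the emailAddress field dropped.
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=buxtehude.debian.org
   i:/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

def diagnose(output):
    """Classify a failed `openssl s_client` verification from its text output."""
    codes = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", output)})
    # Chain entries look like " 0 s:<subject>" followed by "   i:<issuer>".
    chain = re.findall(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", output, re.M)
    subject, issuer = (chain[0][1].strip(), chain[0][2].strip()) if chain else (None, None)
    self_signed = bool(chain) and subject == issuer
    if self_signed or 18 in codes:
        verdict = "self-signed"
    elif codes and set(codes) <= {20, 21}:
        verdict = "private-ca-not-trusted"  # signed by a CA the client does not have
    elif codes:
        verdict = "other"
    else:
        verdict = "ok"
    return {
        "codes": codes,
        "reasons": [VERIFY_CODES.get(c, "see the OpenSSL verify manual page") for c in codes],
        "chain_length": len(chain),
        "issuer": issuer,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

A `private-ca-not-trusted` verdict means verification can only succeed once the client is given the issuing CA certificate, for example through the `-CAfile` option of `openssl s_client`.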