[openssl-users] Same library usage for DTLS on SCTP and UDP

2017-11-12 Thread Grace Priscilla Jero
Hi,

We are using openssl library for UDP and SCTP connections. The library is
compiled with "sctp" option. But when it is used for DTLS on UDP the
connection hangs at SSL_accept.

When we remove the sctp option in compilation, the call for DTLS on UDP
goes fine. Do we have any additional option to configure the library for
build so that it supports both UDP and SCTP connections without any issue?

Thanks,
Grace
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] alert number 46:

2017-11-12 Thread Viktor Dukhovni


> On Nov 13, 2017, at 12:35 AM, Simon Matthews wrote:
> 
> I installed letsencrypt and generated a certificate.
> 
> Even with this certificate, I got the same error. The error went away
> when I changed the connection to "TLS" from "TLS (Accept All
> Certificates)".
> 
> I wonder if the root problem was that the mail app on my phone won't
> accept newer certificates unless it can validate them fully?

Your phone is not using OpenSSL.  So sadly, this is not the right forum
for this question.  Ask on the appropriate Android, iOS etc. forum.

-- 
Viktor.



Re: [openssl-users] alert number 46:

2017-11-12 Thread Simon Matthews
I installed letsencrypt and generated a certificate.

Even with this certificate, I got the same error. The error went away
when I changed the connection to "TLS" from "TLS (Accept All
Certificates)".

I wonder if the root problem was that the mail app on my phone won't
accept newer certificates unless it can validate them fully?

Simon


On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton wrote:
> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
>
> -Kyle H
>
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 12/11/17 05:39, Simon Matthews wrote:

>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>>
>>>> In my postfix log, I see:
>>>>
>>>> warning: TLS library problem: 13671:error:14094416:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>>
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>>
>>>> To generate the certificate, I used the following commands:
>>>>
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>>> 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>>> smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>>
>>>> Any ideas on what might be wrong?

>>>
>>> you seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly. More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>>
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>>
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>>
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>>
>> This is CentOS 6 VM.
>>
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>>
>> Simon


Re: [openssl-users] alert number 46:

2017-11-12 Thread Kyle Hamilton
Use a publicly-trusted certification authority, such as Let's Encrypt.
The problem is from the remote side (it's sending the alert that it
does not recognize your certificate issuer).

-Kyle H

On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews wrote:
> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser wrote:
>> Hi,
>>
>> On 12/11/17 05:39, Simon Matthews wrote:
>>>
>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>> it seems to work with most clients, but when I try to send email using
>>> tls from my Android device, it always fails.
>>>
>>> In my postfix log, I see:
>>>
>>> warning: TLS library problem: 13671:error:14094416:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>
>>> I get the same message when using the same new certificate with
>>> dovecot, so I don't think it is a postfix issue.
>>>
>>> To generate the certificate, I used the following commands:
>>>
>>> openssl genrsa -out MatthewsCA2017.key 2048
>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>> 3000 -out MatthewsCA2017.pem
>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>> smtp.matthews-family.org.uk.csr
>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>
>>> Any ideas on what might be wrong?
>>>
>>
>> you seem to have generated your own (new) CA and server certificate; is this
>> CA (public) cert installed in postfix correctly. More importantly, is this
>> new CA distributed to all devices?
>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>
> In my Android device, I am using the option "TLS (Accept all
> certificates)" which was working with my prior certificate. I built a
> new CA and certificate because Microsoft/Hotmail would not send email
> to my server because of the use of MD5 in the certificate chain.
>
> In the postfix main.cf, I have:
> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>
> The file exists:
> # ls /etc/ssl/MatthewsCA2017.pem
> /etc/ssl/MatthewsCA2017.pem
>
> This is CentOS 6 VM.
>
> Is there anything else I should do to install the certificates? I
> notice that the dovecot configuration doesn't explicitly define the CA
> certificate location, so perhaps I have missed something?
>
> Simon


Re: [openssl-users] Certificate expired on https://mta.openssl.org/

2017-11-12 Thread Richard Levitte
Thanks for the notification.  There are new certificates, but I forgot
to update the apache config on mta accordingly.  Fixed now.

Cheers,
Richard

In message  
on Sun, 12 Nov 2017 13:17:58 -0800, Simon Matthews  
said:

simon.d.matthews> Richard,
simon.d.matthews> Please see the subject.
simon.d.matthews> 
simon.d.matthews> Simon
simon.d.matthews> 
simon.d.matthews> -- Forwarded message --
simon.d.matthews> From: Jeffrey Walton 
simon.d.matthews> Date: Sun, Nov 12, 2017 at 1:10 PM
simon.d.matthews> Subject: Re: [openssl-users] Certificate expired on https://mta.openssl.org/
simon.d.matthews> To: simon.d.matth...@gmail.com
simon.d.matthews> 
simon.d.matthews> 
simon.d.matthews> On Sun, Nov 12, 2017 at 4:03 PM, Simon Matthews
simon.d.matthews>  wrote:
simon.d.matthews> > I am getting a certificate expired error on the above URL.
simon.d.matthews> 
simon.d.matthews> You might want to contact Richard Levitte at levi...@openssl.org. I
simon.d.matthews> think he handles most OpenSSL infrastructure.
simon.d.matthews> 
simon.d.matthews> Jeff
simon.d.matthews> 


[openssl-users] Certificate expired on https://mta.openssl.org/

2017-11-12 Thread Simon Matthews
I am getting a certificate expired error on the above URL.

Simon


Re: [openssl-users] alert number 46:

2017-11-12 Thread Simon Matthews
On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser wrote:
> Hi,
>
> On 12/11/17 05:39, Simon Matthews wrote:
>>
>> I have generated a new certificate for my CentOS 6/postfix server, and
>> it seems to work with most clients, but when I try to send email using
>> tls from my Android device, it always fails.
>>
>> In my postfix log, I see:
>>
>> warning: TLS library problem: 13671:error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>
>> I get the same message when using the same new certificate with
>> dovecot, so I don't think it is a postfix issue.
>>
>> To generate the certificate, I used the following commands:
>>
>> openssl genrsa -out MatthewsCA2017.key 2048
>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>> 3000 -out MatthewsCA2017.pem
>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>> smtp.matthews-family.org.uk.csr
>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>
>> Any ideas on what might be wrong?
>>
>
> you seem to have generated your own (new) CA and server certificate; is this
> CA (public) cert installed in postfix correctly. More importantly, is this
> new CA distributed to all devices?
> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

In my Android device, I am using the option "TLS (Accept all
certificates)" which was working with my prior certificate. I built a
new CA and certificate because Microsoft/Hotmail would not send email
to my server because of the use of MD5 in the certificate chain.

In the postfix main.cf, I have:
smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem

The file exists:
# ls /etc/ssl/MatthewsCA2017.pem
/etc/ssl/MatthewsCA2017.pem

This is CentOS 6 VM.

Is there anything else I should do to install the certificates? I
notice that the dovecot configuration doesn't explicitly define the CA
certificate location, so perhaps I have missed something?

Simon


Re: [openssl-users] alert number 46:

2017-11-12 Thread Jan Just Keijser

Hi,

On 12/11/17 05:39, Simon Matthews wrote:

> I have generated a new certificate for my CentOS 6/postfix server, and
> it seems to work with most clients, but when I try to send email using
> tls from my Android device, it always fails.
>
> In my postfix log, I see:
>
> warning: TLS library problem: 13671:error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown:s3_pkt.c:1275:SSL alert number 46:
>
> I get the same message when using the same new certificate with
> dovecot, so I don't think it is a postfix issue.
>
> To generate the certificate, I used the following commands:
>
> openssl genrsa -out MatthewsCA2017.key 2048
> openssl genrsa -des3 -out MatthewsCA2017.key 2048
> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
> 3000 -out MatthewsCA2017.pem
> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
> openssl req -new -key smtp.matthews-family.org.uk.key -out
> smtp.matthews-family.org.uk.csr
> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>
> Any ideas on what might be wrong?



You seem to have generated your own (new) CA and server certificate; is
this CA (public) cert installed in postfix correctly? More importantly,
is this new CA distributed to all devices?

An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

HTH,

JJK
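
The log line discussed in this thread can be decoded mechanically, which shows why the alert is attributed to the remote side. The following is an added example, not code from any poster or from OpenSSL; it assumes the error-code packing used by OpenSSL 1.0.x/1.1.x (the generation shipped with CentOS 6), and the function name, the dictionary and the second log line are constructed for illustration.

```python
import re

# OpenSSL 1.0.x/1.1.x error codes are 8 hex digits: lib (8 bits) | func (12) | reason (12).
ERR_LIB_SSL = 20              # ERR_LIB_SSL from <openssl/err.h>
SSL_AD_REASON_OFFSET = 1000   # SSL-library reasons 1000..1255 mean "alert received from peer"

# TLS alert descriptions that concern the peer's view of our certificate (RFC 5246, 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(line):
    """Split the packed error code in a log line; return None if there is none."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    info = {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "peer_alert": None, "alert_name": None}
    offset = info["reason"] - SSL_AD_REASON_OFFSET
    if info["lib"] == ERR_LIB_SSL and 0 <= offset <= 255:
        # The error was raised because the remote end sent this alert to us.
        info["peer_alert"] = offset
        info["alert_name"] = CERT_ALERTS.get(offset, "other_alert")
    return info

# The postfix log line quoted in the thread, re-joined onto one line.
THREAD_LINE = ("warning: TLS library problem: 13671:error:14094416:SSL "
               "routines:SSL3_READ_BYTES:sslv3 alert certificate "
               "unknown:s3_pkt.c:1275:SSL alert number 46:")
# Constructed contrast line (pid and source line number are made up): a failure
# detected locally by the server, so no peer alert is involved.
LOCAL_LINE = ("warning: TLS library problem: 4242:error:1408A0C1:SSL "
              "routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:")

if __name__ == "__main__":
    for line in (THREAD_LINE, LOCAL_LINE):
        print(decode_openssl_error(line))
```

A reason code of 1046 is the offset 1000 plus alert 46, so the server is only reporting what the client sent; the decision to reject the certificate was made on the client.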
