[openssl-users] Same library usage for DTLS on SCTP and UDP
Hi,

We are using openssl library for UDP and SCTP connections. The library is compiled with "sctp" option. But when it is used for DTLS on UDP the connection hangs at SSL_accept. When we remove the sctp option in compilation, the call for DTLS on UDP goes fine.

Do we have any additional option to configure the library for build so that it supports both UDP and SCTP connections without any issue?

Thanks,
Grace

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] alert number 46:
> On Nov 13, 2017, at 12:35 AM, Simon Matthews wrote:
>
> I installed letsencrypt and generated a certificate.
>
> Even with this certificate, I got the same error. The error went away
> when I changed the connection to "TLS" from "TLS (Accept All
> Certificates)".
>
> I wonder if the root problem was that the mail app on my phone won't
> accept newer certificates unless it can validate them fully?

Your phone is not using OpenSSL. So sadly, this is not the right forum for this question. Ask on the appropriate Android, iOS etc. forum.

--
Viktor.

Re: [openssl-users] alert number 46:
I installed letsencrypt and generated a certificate.

Even with this certificate, I got the same error. The error went away when I changed the connection to "TLS" from "TLS (Accept All Certificates)".

I wonder if the root problem was that the mail app on my phone won't accept newer certificates unless it can validate them fully?

Simon

On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton wrote:
> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
>
> -Kyle H
>
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
> wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 12/11/17 05:39, Simon Matthews wrote:
>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>>
>>>> In my postfix log, I see:
>>>>
>>>> warning: TLS library problem: 13671:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
>>>>
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>>
>>>> To generate the certificate, I used the following commands:
>>>>
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key -out smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>>
>>>> Any ideas on what might be wrong?
>>>
>>> you seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly. More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>>
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>>
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem
>>
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>>
>> This is CentOS 6 VM.
>>
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>>
>> Simon

Re: [openssl-users] alert number 46:
Use a publicly-trusted certification authority, such as Let's Encrypt. The problem is from the remote side (it's sending the alert that it does not recognize your certificate issuer).

-Kyle H

On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews wrote:
> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser wrote:
>> Hi,
>>
>> On 12/11/17 05:39, Simon Matthews wrote:
>>>
>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>> it seems to work with most clients, but when I try to send email using
>>> tls from my Android device, it always fails.
>>>
>>> In my postfix log, I see:
>>>
>>> warning: TLS library problem: 13671:error:14094416:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>
>>> I get the same message when using the same new certificate with
>>> dovecot, so I don't think it is a postfix issue.
>>>
>>> To generate the certificate, I used the following commands:
>>>
>>> openssl genrsa -out MatthewsCA2017.key 2048
>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>> 3000 -out MatthewsCA2017.pem
>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>> smtp.matthews-family.org.uk.csr
>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>
>>> Any ideas on what might be wrong?
>>>
>>
>> you seem to have generated your own (new) CA and server certificate; is this
>> CA (public) cert installed in postfix correctly. More importantly, is this
>> new CA distributed to all devices?
>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>
> In my Android device, I am using the option "TLS (Accept all
> certificates)" which was working with my prior certificate. I built a
> new CA and certificate because Microsoft/Hotmail would not send email
> to my server because of the use of MD5 in the certificate chain.
>
> In the postfix main.cf, I have:
> smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem
>
> The file exists:
> # ls /etc/ssl/MatthewsCA2017.pem
> /etc/ssl/MatthewsCA2017.pem
>
> This is CentOS 6 VM.
>
> Is there anything else I should do to install the certificates? I
> notice that the dovecot configuration doesn't explicitly define the CA
> certificate location, so perhaps I have missed something?
>
> Simon

Re: [openssl-users] Certificate expired on https://mta.openssl.org/
Thanks for the notification. There are new certificates, but I forgot to update the apache config on mta accordingly. Fixed now.

Cheers,
Richard

In message on Sun, 12 Nov 2017 13:17:58 -0800, Simon Matthews said:

simon.d.matthews> Richard,
simon.d.matthews> Please see the subject.
simon.d.matthews>
simon.d.matthews> Simon
simon.d.matthews>
simon.d.matthews> -- Forwarded message --
simon.d.matthews> From: Jeffrey Walton
simon.d.matthews> Date: Sun, Nov 12, 2017 at 1:10 PM
simon.d.matthews> Subject: Re: [openssl-users] Certificate expired on https://mta.openssl.org/
simon.d.matthews> To: simon.d.matth...@gmail.com
simon.d.matthews>
simon.d.matthews>
simon.d.matthews> On Sun, Nov 12, 2017 at 4:03 PM, Simon Matthews
simon.d.matthews> wrote:
simon.d.matthews> > I am getting a certificate expired error on the above URL.
simon.d.matthews>
simon.d.matthews> You might want to contact Richard Levitte at levi...@openssl.org. I
simon.d.matthews> think he handles most OpenSSL infrastructure.
simon.d.matthews>
simon.d.matthews> Jeff

[openssl-users] Certificate expired on https://mta.openssl.org/
I am getting a certificate expired error on the above URL.

Simon

Re: [openssl-users] alert number 46:
On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser wrote:
> Hi,
>
> On 12/11/17 05:39, Simon Matthews wrote:
>>
>> I have generated a new certificate for my CentOS 6/postfix server, and
>> it seems to work with most clients, but when I try to send email using
>> tls from my Android device, it always fails.
>>
>> In my postfix log, I see:
>>
>> warning: TLS library problem: 13671:error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>
>> I get the same message when using the same new certificate with
>> dovecot, so I don't think it is a postfix issue.
>>
>> To generate the certificate, I used the following commands:
>>
>> openssl genrsa -out MatthewsCA2017.key 2048
>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>> 3000 -out MatthewsCA2017.pem
>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>> smtp.matthews-family.org.uk.csr
>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>
>> Any ideas on what might be wrong?
>>
>
> you seem to have generated your own (new) CA and server certificate; is this
> CA (public) cert installed in postfix correctly. More importantly, is this
> new CA distributed to all devices?
> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

In my Android device, I am using the option "TLS (Accept all certificates)" which was working with my prior certificate. I built a new CA and certificate because Microsoft/Hotmail would not send email to my server because of the use of MD5 in the certificate chain.

In the postfix main.cf, I have:
smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem

The file exists:
# ls /etc/ssl/MatthewsCA2017.pem
/etc/ssl/MatthewsCA2017.pem

This is CentOS 6 VM.

Is there anything else I should do to install the certificates? I notice that the dovecot configuration doesn't explicitly define the CA certificate location, so perhaps I have missed something?

Simon

Re: [openssl-users] alert number 46:
Hi,

On 12/11/17 05:39, Simon Matthews wrote:
> I have generated a new certificate for my CentOS 6/postfix server, and
> it seems to work with most clients, but when I try to send email using
> tls from my Android device, it always fails.
>
> In my postfix log, I see:
>
> warning: TLS library problem: 13671:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
>
> I get the same message when using the same new certificate with
> dovecot, so I don't think it is a postfix issue.
>
> To generate the certificate, I used the following commands:
>
> openssl genrsa -out MatthewsCA2017.key 2048
> openssl genrsa -des3 -out MatthewsCA2017.key 2048
> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days 3000 -out MatthewsCA2017.pem
> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
> openssl req -new -key smtp.matthews-family.org.uk.key -out smtp.matthews-family.org.uk.csr
> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out smtp.matthews-family.org.uk.crt -days 3000 -sha256
>
> Any ideas on what might be wrong?

you seem to have generated your own (new) CA and server certificate; is this CA (public) cert installed in postfix correctly. More importantly, is this new CA distributed to all devices?
An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

HTH,

JJK
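
Added example, not part of any message in this thread: the postfix warning quoted above carries a packed OpenSSL error code, and decoding it shows whether the error was raised locally or is an alert sent by the peer. It assumes the pre-3.0 OpenSSL error-code layout (library, function, reason); the second sample line and the function names are constructed for illustration.

```python
import re

# Sample input: the first line is the postfix warning quoted in the thread;
# the second is a constructed line for contrast (an error raised locally).
SAMPLE_LOG = [
    "warning: TLS library problem: 13671:error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:",
    "warning: TLS library problem: 13672:error:1408A0C1:SSL routines:"
    "SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:",
]

ERR_LIB_SSL = 20             # library number behind "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the peer sent an alert

# Certificate-related alert descriptions from RFC 5246, section 7.2.
ALERT_NAMES = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# error:<8 hex digits>:<library>:<function>:<reason text>:<file>:<line>:
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")

def decode_openssl_error(line):
    """Split one error-queue entry (assumed pre-3.0 layout) into its fields."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    from_peer = lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {"lib": lib, "func": func, "reason": reason,
            "function": m.group(3), "text": m.group(4),
            "source": f"{m.group(5)}:{m.group(6)}",
            "from_peer": from_peer, "alert": alert,
            "alert_name": ALERT_NAMES.get(alert, "other") if from_peer else None}

def triage(lines):
    """Return (origin, detail) for each parsable line: who raised it and why."""
    out = []
    for e in filter(None, map(decode_openssl_error, lines)):
        if e["from_peer"]:
            out.append(("peer", f"alert {e['alert']} {e['alert_name']}"))
        else:
            out.append(("local", e["text"]))
    return out

if __name__ == "__main__":
    for origin, detail in triage(SAMPLE_LOG):
        print(origin, detail)
```

For the line from the thread the reason field is 0x416 = 1046, that is 1000 + 46, so the server-side log is recording an alert it received from the client.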