Your message dated Tue, 28 Feb 2017 14:49:04 +0200
with message-id <20170228124904.uqhntn5njjquml25@localhost>
and subject line Closing lenny-only bugs
has caused the Debian Bug report #648285,
regarding fails to verify client certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
648285: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8g-15+lenny14
Severity: important
Tags: lenny

Following yesterday's OpenSSL upgrade to …+lenny14, my TLS SMTP
clients running Sid can no longer submit e-mail to a Postfix
instance running on lenny, while being authenticated with their
client certificate.

For instance, with gnutls-cli, I get:

  % sudo gnutls-cli -s --x509cafile /etc/ssl/certs/cacert.org.pem
    --x509keyfile /etc/ssl/private/albatross.gern.madduck.net.pem
    --x509certfile /etc/ssl/certs/albatross.gern.madduck.net.pem
    -p 587 a.mx.madduck.net

  Processed 2 CA certificate(s).
  Processed 1 client certificates...
  Processed 1 client X.509 certificates...
  Resolving 'a.mx.madduck.net'...
  Connecting to '2001:470:9aad::1:587'...

  - Simple Client Mode:

  220 seamus.madduck.net ESMTP "welcome to the machine..."
  ehlo myhost
  250-seamus.madduck.net
  250-PIPELINING
  250-SIZE 26214400
  250-ETRN
  250-STARTTLS
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  starttls
  220 2.0.0 Ready to start TLS
  *** Starting TLS handshake
  *** Verifying server certificate failed...
  *** Fatal error: Error in the certificate.
  *** Handshake has failed

A debug run with OpenSSL s_client is also attached.

On the server side, I see this (full debug with loglevel 5 attached):

  postfix/smtpd[14130]: setting up TLS connection from albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]
  postfix/smtpd[14130]: albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
  postfix/smtpd[14130]: SSL_accept:before/accept initialization
  postfix/smtpd[14130]: SSL_accept:SSLv3 read client hello B
  postfix/smtpd[14130]: SSL_accept:SSLv3 write server hello A
  postfix/smtpd[14130]: SSL_accept:SSLv3 write certificate A
  postfix/smtpd[14130]: SSL_accept:SSLv3 write key exchange A
  postfix/smtpd[14130]: SSL_accept:SSLv3 write certificate request A
  postfix/smtpd[14130]: SSL_accept:SSLv3 flush data
  postfix/smtpd[14130]: SSL3 alert read:fatal:bad certificate
  postfix/smtpd[14130]: SSL_accept:failed in SSLv3 read client certificate A
  postfix/smtpd[14130]: SSL_accept error from albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]: 0
  postfix/smtpd[14130]: warning: TLS library problem: 14130:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1086:SSL alert number 42:
  postfix/smtpd[14130]: lost connection after STARTTLS from albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]

SASL submission, anonymous STARTTLS, and cert-auth from Squeeze
clients continue to work.

I am a bit unsure where the source of the problem lies. Okay,
that's wrong — I have no idea and this baffles me. Since it /feels/
to me like this started right after the SSL upgrade on the Postfix
server, I am reporting it here.

Thanks,

-- 
 .''`.   martin f. krafft <[email protected]>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

Attachment: postfix-smtpd-debug-log.gz
Description: Binary data

Attachment: openssl-s_client-debug-log.gz
Description: Binary data

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)


--- End Message ---
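An added triage example, not part of the original report: it reads the smtpd lines quoted above, unpacks the pre-3.0 OpenSSL error code 14094412 into library, function and reason, and records which side raised the alert. The log shows the alert as "read", meaning the server received it from the client, which matches the gnutls-cli output where verification of the server certificate fails. The function names and the `SAMPLE_LOG` constant are assumptions of this example.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); subset relevant to certificates.
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason for a received alert = 1000 + alert number
ERR_LIB_SSL = 20             # library number of the "SSL routines"

# Lines taken from the report above, with the mail line-wrapping undone.
SAMPLE_LOG = """\
postfix/smtpd[14130]: SSL_accept:SSLv3 write certificate request A
postfix/smtpd[14130]: SSL3 alert read:fatal:bad certificate
postfix/smtpd[14130]: warning: TLS library problem: 14130:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1086:SSL alert number 42:
"""

def decode_error(hex_code):
    """Unpack a pre-3.0 OpenSSL error code: 8 bits library, 12 function, 12 reason."""
    code = int(hex_code, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    is_alert = lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if is_alert else None
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}

def triage(log):
    """Return findings: who sent each alert, plus every decoded error code."""
    findings = []
    for line in log.splitlines():
        m = re.search(r"SSL3 alert (read|write):(\w+):(.+)$", line)
        if m:
            # "read" = alert received from the peer; "write" = alert sent locally.
            sender = "peer" if m.group(1) == "read" else "local"
            findings.append(("alert", sender, m.group(2), m.group(3).strip()))
        m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
        if m:
            d = decode_error(m.group(1))
            name = ALERTS.get(d["peer_alert"], "unknown")
            findings.append(("error", d["lib"], d["reason"], name))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```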
--- Begin Message ---
Dear submitter,

these bugs are tagged lenny without any wheezy/jessie/stretch tag
implying that the bug is not present in more recent Debian releases.

lenny is no longer supported.

We are sorry that we couldn't deal with your issue in squeeze.

If this bug was incorrectly tagged lenny, please reopen the bug
and remove the lenny tag.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

--- End Message ---