Your message dated Sat, 6 Jan 2024 07:19:49 +0100
with message-id <zzjxbrjblerub...@argenau.bebt.de>
and subject line Re: Bug#883232: swaks fails to report an error if --tls-verify 
is used and hostname doesn't match certificate
has caused the Debian Bug report #883232,
regarding swaks fails to report an error if --tls-verify is used and hostname 
doesn't match certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: swaks
Version: 20170101.0-2
Severity: normal
Tags: upstream

Here is what happens when I try to generate a TLS error:

$ swaks -tls --tls-verify --ehlo test.coker.com.au -f russ...@coker.com.au -t exam...@example.com -s pop.sws.net.au
=== Trying pop.sws.net.au:25...
=== Connected to pop.sws.net.au.
<-  220 smtp.sws.net.au ESMTP Postfix - by sending email to this server you agree to the conditions at this URL: http://doc.coker.com.au/legal/conditions-of-sending-email/
 -> EHLO test.coker.com.au
<-  250-smtp.sws.net.au
<-  250-PIPELINING
<-  250-SIZE 51200000
<-  250-ETRN
<-  250-STARTTLS
<-  250-AUTH PLAIN LOGIN
<-  250-AUTH=PLAIN LOGIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250 SMTPUTF8
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=gpmail.sws.net.au"
 ~> EHLO test.coker.com.au
<~  250-smtp.sws.net.au
<~  250-PIPELINING
<~  250-SIZE 51200000
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN
<~  250-AUTH=PLAIN LOGIN
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-DSN
<~  250 SMTPUTF8
 ~> MAIL FROM:<russ...@coker.com.au>

Here is the sort of result that I expect:
$ gnutls-cli pop.sws.net.au:25 --starttls-proto=smtp
Processed 148 CA certificate(s).
Resolving 'pop.sws.net.au:25'...
Connecting to '203.15.121.86:25'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=gpmail.sws.net.au', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x047a9875b9f1b27b186ec2a33ea735bc5d09, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-10-10 08:12:15 UTC', expires `2018-01-08 08:12:15 UTC', pin-sha256="SckWTJ2pRMCxLlQYKi/USOxUfjP7hK2MDUdcaVRnyO4="
        Public Key ID:
                sha1:323a845463d17fcb45f7b49eb6742d8ac3eeae97
                sha256:49c9164c9da944c0b12e54182a2fd448ec547e33fb84ad8c0d475c695467c8ee
        Public Key PIN:
                pin-sha256:SckWTJ2pRMCxLlQYKi/USOxUfjP7hK2MDUdcaVRnyO4=
        Public key's random art:
                +--[ RSA 2048]----+
                |    =o           |
                |   o ..     . . .|
                |  .    .   . . o.|
                | . .    . . .  ..|
                |  . . o So o  . o|
                |   . . o  o   .=o|
                |    o    . o .o.o|
                |     .    E .  . |
                |        .*+.     |
                +-----------------+

- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages swaks depends on:
ii  perl  5.26.1-2

Versions of packages swaks recommends:
ii  libnet-dns-perl     1.10-2
ii  libnet-ssleay-perl  1.80-1+b2

Versions of packages swaks suggests:
pn  libauthen-ntlm-perl  <none>
ii  libauthen-sasl-perl  2.1600-1
ii  perl-doc             5.26.1-2

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 20240103.0-1

On 2017-12-01 Russell Coker <russ...@coker.com.au> wrote:
> Package: swaks
> Version: 20170101.0-2
> Severity: normal
> Tags: upstream

> Here is what happens when I try to generate a TLS error:

> $ swaks -tls --tls-verify --ehlo test.coker.com.au -f russ...@coker.com.au -t exam...@example.com -s pop.sws.net.au
[...]


Hello Russell,

this is fixed in the latest upstream version:
ametzler@argenau:~$ /tmp/swaks -tls --tls-verify --ehlo test.coker.com.au -f russ...@coker.com.au -t exam...@example.com -s pop.sws.net.au -q rcpt
=== Trying pop.sws.net.au:25...
[...]
=== TLS peer certificate passed CA verification, failed host verification (using host pop.sws.net.au to verify)
*** TLS startup failed (connect(): server certificate did not match target host pop.sws.net.au)
*** STARTTLS attempted but failed

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- End Message ---
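
The two checks that the fixed swaks output reports separately (CA verification and host verification), sketched as an added example; this is not swaks code and not part of either message above. The function names are hypothetical, the SAN lists in the usage are constructed, and the chain result is passed in as a boolean rather than computed; only the host name and certificate CN come from the report.

```python
from typing import List, Optional, Tuple


def _match_name(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: '*' is honoured only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard covers exactly one label and must leave at least
        # two fixed labels, so "*.au" never matches anything.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_matches(target: str, san_dns: List[str], subject_cn: Optional[str]) -> bool:
    """Use SAN dNSName entries when present; fall back to the CN only if there are none."""
    names = san_dns if san_dns else ([subject_cn] if subject_cn else [])
    return any(_match_name(name, target) for name in names)


def verify_peer(chain_trusted: bool, target: str,
                san_dns: List[str], subject_cn: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason). A trusted chain alone is not enough: the name must match too."""
    if not chain_trusted:
        return False, "failed CA verification"
    if not host_matches(target, san_dns, subject_cn):
        return False, ("passed CA verification, failed host verification "
                       f"(using host {target} to verify)")
    return True, "passed CA verification, passed host verification"


if __name__ == "__main__":
    # Values from the report: connected to pop.sws.net.au, peer CN gpmail.sws.net.au.
    ok, reason = verify_peer(True, "pop.sws.net.au", [], "gpmail.sws.net.au")
    print(ok, reason)
    # A client must abort here, before sending EHLO or MAIL FROM over the session.
```
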
