* Simon Josefsson <[email protected]> [2009-02-10 22:09:18]:
> Can you reproduce the problem using gnutls-cli? It sounds as if you
> have a RSA-MD5 signature somewhere in your chain, and the chain is
> rejected. Please post output of running gnutls-cli against your server
> as suggested earlier in this bug.

Here is the output of gnutls-cli to mail.mxes.net on port 993, which is Tuffmail's SSL/TLS IMAP server:

Resolving 'mail.mxes.net'...
Connecting to '216.86.168.198:993'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
-----BEGIN CERTIFICATE-----
MIIDQTCCAqqgAwIBAgIDCd7SMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT
MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4
IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDgxMTA5MTYwMTMyWhcN
MTEwMTA5MTYwMTMyWjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAoUCioubXhlcy5u
ZXQxEzARBgNVBAsTCkdUNDAzMDI0NjAxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRz
c2wuY29tL3Jlc291cmNlcy9jcHMgKGMpMDgxLzAtBgNVBAsTJkRvbWFpbiBDb250
cm9sIFZhbGlkYXRlZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDFAoqLm14ZXMubmV0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzILFjzVEfEenDMZZXOVenNW2w
O+qlm4pcbQu8C7IH8utDZ+aSlYqaJjEbxN3AwIZKAXFtIj5FUESzHn5K2n9zCINY
i25KgEeNGKUoFzHxids3O78PwPXZ2V34V3Udc9I3q+E+QYCigKG3WZeV3hEjUSLp
v8dk1EJFm8o6l5hVgwIDAQABo4G9MIG6MA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4E
FgQUxBtqZwl6d9S8rKGd57NxDnzF+1EwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDov
L2NybC5nZW90cnVzdC5jb20vY3Jscy9nbG9iYWxjYTEuY3JsMB8GA1UdIwQYMBaA
FL6ooHRyUGtEt8kj2Puo/7NXa2hsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAE8nFam1vZCKShd8
anxIySpfAUMdJBALiCI2aAjSvOnnwxthRbyqMudBdyhO8QrKh6PTfv5k1rW97/IM
+Dyf8DjkLQtfYMz7Ax6dBFLPOdsE1JZ86p4/beLhHUoJN7y+g1Ms8PsNS9c4RJDz
xSu4vmEpEZ7WlI/afsa1cz+PqaEj
-----END CERTIFICATE-----
# The hostname in the certificate matches 'mail.mxes.net'.
# valid since: Sun Nov 9 11:01:32 EST 2008
# expires at: Sun Jan 9 11:01:32 EST 2011
# fingerprint: F0:F0:94:FD:2C:04:86:BF:BF:49:D1:5E:B9:B3:B0:01
# Subject's DN: C=US,O=*.mxes.net,OU=GT40302460,OU=See www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated - RapidSSL(R),CN=*.mxes.net
# Issuer's DN: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1

- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

I am no certificate guru, but isn't Tuffmail's cert signed by a top level CA directly, much like Gabor's situation above?

> > If you could quote some error messages from mutt and msmtp, that will
> > also help -- however, to debug it is best to first try to isolate the
> > problem using gnutls-cli. If it's not possible to reproduce using
> > gnutls-cli, I would suggest a mutt/msmtp problem.
>

The mutt issue is strange -- after libgnutls was updated, when I first ran mutt, it acted like the Tuffmail cert was new (even though it is saved in my ~/.mutt/mutt_certs file). I pressed 'a' to 'accept always' and it said 'Could not save certificate.' So, I moved my mutt_certs and 'touched' an empty mutt_certs file and reran mutt. This time it saved the cert -- once. When I ran mutt a third time, I got the message about not being able to save the cert again! So it works once and then won't work again. It is exactly the same problem mentioned here:

http://does-not-exist.org/mail-archives/mutt-users/msg04515.html

As to msmtp, when I try to send with the updated libgnutls26, it says 'TLS certificate verification failed: the certificate is not trusted'. Similar to this report (which links to another Debian bug report) about msmtp suddenly not working after a libgnutls update:

http://ubuntuforums.org/showthread.php?t=996779

I hate to belabor this point, but my mutt and msmtp setup with Tuffmail has worked for many years on Debian, Slackware, FreeBSD, and OpenBSD. I use the same configs on all. I only experienced problems when libgnutls26 was recently updated in Lenny. I have downgraded to 2.4.2-4 and now everything is OK again. In fact, that's how I can send you this email using mutt, msmtp, through my account at Tuffmail. :-)

If there is anything else I can provide to help debug, please do not hesitate to ask.

--
Chess Griffin
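Simon's hypothesis is that the chain is rejected because a certificate in it carries an RSA-MD5 signature. That can be checked directly from the gnutls-cli output above, without a trust store, by reading the signature algorithm out of the printed certificate. The following script is an added example written for this page; it is not part of the bug report, mutt, msmtp or GnuTLS. It embeds the PEM block exactly as gnutls-cli printed it and uses a minimal hand-written DER reader (just enough to reach the two AlgorithmIdentifier fields of an X.509 certificate; the function names `signature_algorithms` and `audit_signature` are this example's own). The OID table is from RFC 3279 and RFC 4055. Run on the certificate above it reports md5WithRSAEncryption, which is the weak-hash case the new libgnutls refuses; the same check is a useful pre-upgrade audit for any server chain.

```python
import base64
import re

# The server certificate exactly as gnutls-cli printed it in the message above.
PEM = """-----BEGIN CERTIFICATE-----
MIIDQTCCAqqgAwIBAgIDCd7SMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT
MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4
IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDgxMTA5MTYwMTMyWhcN
MTEwMTA5MTYwMTMyWjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAoUCioubXhlcy5u
ZXQxEzARBgNVBAsTCkdUNDAzMDI0NjAxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRz
c2wuY29tL3Jlc291cmNlcy9jcHMgKGMpMDgxLzAtBgNVBAsTJkRvbWFpbiBDb250
cm9sIFZhbGlkYXRlZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDFAoqLm14ZXMubmV0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzILFjzVEfEenDMZZXOVenNW2w
O+qlm4pcbQu8C7IH8utDZ+aSlYqaJjEbxN3AwIZKAXFtIj5FUESzHn5K2n9zCINY
i25KgEeNGKUoFzHxids3O78PwPXZ2V34V3Udc9I3q+E+QYCigKG3WZeV3hEjUSLp
v8dk1EJFm8o6l5hVgwIDAQABo4G9MIG6MA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4E
FgQUxBtqZwl6d9S8rKGd57NxDnzF+1EwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDov
L2NybC5nZW90cnVzdC5jb20vY3Jscy9nbG9iYWxjYTEuY3JsMB8GA1UdIwQYMBaA
FL6ooHRyUGtEt8kj2Puo/7NXa2hsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAE8nFam1vZCKShd8
anxIySpfAUMdJBALiCI2aAjSvOnnwxthRbyqMudBdyhO8QrKh6PTfv5k1rW97/IM
+Dyf8DjkLQtfYMz7Ax6dBFLPOdsE1JZ86p4/beLhHUoJN7y+g1Ms8PsNS9c4RJDz
xSu4vmEpEZ7WlI/afsa1cz+PqaEj
-----END CERTIFICATE-----"""

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) with the hash each one uses.
# MD2, MD5 and SHA-1 are the hashes a current verifier refuses or warns about.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "MD2"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
WEAK_HASHES = {"MD2", "MD5", "SHA-1"}


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Parse one DER tag-length header at pos -> (tag, value_start, value_end).
    Handles short-form and long-form (0x8N) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """OID contents -> dotted string (first byte packs the first two arcs)."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def algorithm_oid(buf, pos):
    """pos addresses AlgorithmIdentifier ::= SEQUENCE { OID, params }."""
    tag, start, _ = read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, ostart, oend = read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(buf[ostart:oend])


def signature_algorithms(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    _, cert_start, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = read_tlv(der, cert_start)    # tbsCertificate
    pos = tbs_start
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                                      # optional [0] version
        pos = end
    tag, _, serial_end = read_tlv(der, pos)              # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected serialNumber")
    return algorithm_oid(der, serial_end), algorithm_oid(der, tbs_end)


def audit_signature(pem):
    """Name the certificate's signature algorithm and flag a weak hash."""
    tbs_oid, outer_oid = signature_algorithms(pem_to_der(pem))
    name, hash_name = SIG_ALGS.get(outer_oid, (outer_oid, "unknown"))
    return {"oid": outer_oid, "algorithm": name, "hash": hash_name,
            "weak": hash_name in WEAK_HASHES,
            "consistent": tbs_oid == outer_oid}   # RFC 5280: both fields must agree


if __name__ == "__main__":
    for key, value in audit_signature(PEM).items():
        print(f"{key}: {value}")
```

Note that this only inspects the one certificate the server sent ("Got a certificate list of 1 certificates"); it says nothing about whether the issuer, Equifax Secure Global eBusiness CA-1, is in the local trust store, which is the separate "issuer is unknown" line in the gnutls-cli output. Both conditions would need to be cleared for the chain to verify.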