On Sun, Mar 14, 2010 at 09:23:48AM +0100, Richard van den Berg wrote:
> On 13-3-10 20:19 , Kurt Roeckx wrote:
> >This works for me:
> >openssl s_client -CAfile ./vdberg.org.ca.pem -connect vdberg.org:26
> >-starttls smtp
>
> Interesting. Does this mean the issue is with postfix only? I
> checked the postfix code and there is no use of
> X509_V_FLAG_CHECK_SS_SIGNATURE that grep can find. I am running
> 2.6.5-3 (2.5.5-1.1 had the same issue). Setting smtpd_tls_loglevel =
> 3 gives:
>
> Mar 14 08:47:04 majoron postfix/smtpd[31776]: SSL_accept:error in
> SSLv3 read client certificate A
> Mar 14 08:47:04 majoron postfix/smtpd[31776]: SSL_accept error from
> 82-171-xxx-yyy.ip.telfort.nl[82.171.xxx.yyy]: -1
> Mar 14 08:47:04 majoron postfix/smtpd[31776]: warning: TLS library
> problem: 31776:error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:
>
> Does this mean the issue is with the client certificate instead of
> the server certificate? I am testing with Thunderbird 3.0.3 without
> any client certificates, and s_client. Even without the -CAfile the
> issue is triggered server side:
>
> openssl s_client -connect vdberg.org:25 -starttls smtp
Since you're testing without a client certificate, it shouldn't be a client
certificate issue, so I'm not getting it. This seems to be about client
certificates.

> I'm attaching postfix.pem in case it helps. I can also sign a test
> certificate with my CA if needed.

I think postfix sends me the postfix.pem anyway.

> PS: my server is back to libssl0.9.8_0.9.8k-8 now, so the s_client
> test will succeed now

I guess that's why it works for me.

Can you reproduce it using an s_server and s_client?

Kurt
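A way to follow Kurt's suggestion without a live MTA, added here as an example rather than anything from the thread: build a throwaway CA and server certificate signed with a chosen digest, report which digest signed each certificate, and run a loopback s_server/s_client handshake to read the verify result. The port, the work directory and the certificate subjects are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ASN1_item_verify reports
# "unknown message digest algorithm" when the verifying side cannot find
# the digest named in a certificate's signature algorithm, so the first
# check is which digest signed each certificate in the chain. The
# loopback handshake then reproduces the verify path with s_server and
# s_client only. Port, work directory and subjects are assumptions.
set -e
WORK=${WORK:-$(mktemp -d)}
PORT=${PORT:-14433}

# Signature algorithm (e.g. sha256WithRSAEncryption) of the first cert in a PEM file.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Self-signed CA plus a server cert it signs, both signed with digest $1.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -"$1" -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -"$1" -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" -days 1 2>/dev/null
}

# One loopback handshake against s_server; prints the client's
# "Verify return code" value, "0 (ok)" when the chain verifies.
loopback_verify() {
  openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" \
    -www >/dev/null 2>&1 &
  pid=$!
  sleep 1
  out=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/ca.pem" \
    </dev/null 2>&1 | sed -n 's/^ *Verify return code: *//p' | head -n 1)
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  echo "$out"
}

# Usage: sh repro.sh run [digest]
if [ "${1:-}" = run ]; then
  make_chain "${2:-sha256}"
  echo "CA signed with:     $(cert_sig_alg "$WORK/ca.pem")"
  echo "server signed with: $(cert_sig_alg "$WORK/srv.pem")"
  echo "loopback verify:    $(loopback_verify)"
fi
```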

