On Mon, Mar 22, 2010 at 02:01:23PM +0100, Stephen Henson via RT wrote:
>
> [k...@roeckx.be - Mon Mar 22 09:48:17 2010]:
> >
> > As far as I can tell the client does exactly the same between a connection
> > that works and one that doesn't work. The server just closes the
> > connection.
> >
> > No client certificates are being used, but for some reason that gets
> > in the error log. The "SSL_accept:error in SSLv3 read client
> > certificate A" message is printed using the same code as in
> > apps/s_cb.c:apps_ssl_info_callback()
> >
> > I can only reproduce this using postfix if I set smtpd_tls_CAfile and
> > the file is the CA that signed my cert. I've tried various other
> > combinations but none of them seem to trigger the problem.
> >
> > I can't reproduce this using s_server.
> >
> >
> > Dovecot seems to be having the same problem, the log now looks like:
> > dovecot: imap-login: Disconnected (no auth attempts):
> > rip=91.53.xxx.yyy, lip=79.140.xxx.yyy, TLS handshaking:
> > SSL_accept() failed: error:0D0C50A1:asn1 encoding
> > routines:ASN1_item_verify:unknown message digest algorithm
> >
> > Note that both cases print the same "unknown message digest
> > algorithm" error message.
> >
>
> I notice that the certificate in question is using SHA256. Do the
> affected applications call SSL_library_init() only and not
> OpenSSL_add_all_algorithms()? If so I'd suggest adding a call to
> OpenSSL_add_all_algorithms() to the application too: if that isn't
> present it would fail anyway if client certificates used SHA256.
As far as I can see postfix doesn't call either; dovecot only calls
SSL_library_init(). I will see if I can write a patch for them.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org