(Possible duplicate; on my first attempt to send this message 
I got a strange NortonAntiVirus alert, so I am retrying.)

>       From: owner-openssl-us...@openssl.org On Behalf Of Pietro Romanazzi
>       Sent: Friday, 18 December, 2009 05:19

>       On postfix 2.5.7 running on Red Hat Enterprise Linux AS release 4
>       (Nahant Update 8) I've got the following error message:
<snip>
>       SSL_accept error from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]: 0
>       SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
>       ca:s3_pkt.c:1052:SSL alert number 48:

This is FROM the other system (85-etc) saying they don't like YOUR cert.

<snip>
>       in main.cf there are the following lines concerning TLS
<snip>
>       smtpd_tls_CAfile = /etc/postfix/secure/UTNAddTrustSGCCA.pem
>       smtpd_tls_CApath = /etc/postfix/secure

Aside: OpenSSL cannot normally use both CAfile and CApath (directory).
One of these is probably ignored, but the other is likely sufficient.

>       smtpd_tls_cert_file = /etc/postfix/secure/dns1_rupar_puglia_it.pem
>       smtpd_tls_key_file = /etc/postfix/secure/dns1-key.pem
<snip>
>       I've put into /etc/postfix/secure the CA certificate of the peer
>       and I've c_rehash(ed) the directory.

>       With OpenSSL (simulating the opposite flow) I have the following:
>       openssl s_client -connect 85.18.95.45:25 -starttls smtp -CApath
>       /etc/postfix/secure
<snip>
>       No client certificate CA names sent
<snip>
>       It seems that the certificate is good and the handshake ends with
>       success.

Their cert is good in your truststore. s_client didn't send your cert to
them.

Try s_client -key (smtpd__key) -cert (smtpd__cert) (rest as before)

But they don't appear to be requesting it. Make sure they are set to 
at least allow (if not require) client authentication on incoming.

I also notice your address to them is slightly different (..45 not ..44).
Are you certain those are the same host, or at least same config?

If those don't help, the two directions may be different, at least 
for authentication. You may need to see if you can
- get them to connect to a nonstandard port, with openssl s_server waiting
- temporarily stop your smtpd server, run openssl s_server on 25,
and arrange that no one else tries to connect; is this a public 
i.e. MX host, or just an internal/relay type of link?
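The reply reads the logged alert as the peer's verdict on YOUR certificate. As an added example (not from this thread or from Postfix/OpenSSL), here is a small Python helper that parses a Postfix TLS log line in the format quoted above, maps the numeric alert to its RFC 5246 name and reports which side rejected whose certificate; the sample line is the one quoted in the thread, joined onto one line, and the alert table is a subset.

```python
import re

# TLS AlertDescription values (RFC 5246, section 7.2); Postfix/OpenSSL log
# them as "SSL alert number N".
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
# Alerts a peer sends when it rejects the certificate *we* presented.
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}

# OpenSSL raises "tlsv1 alert ...:SSL alert number N" when it RECEIVES an
# alert, so the number is the peer's verdict, not ours. SSL_accept means we
# were the TLS server (smtpd); SSL_connect means we were the client (smtp).
LINE_RE = re.compile(
    r"SSL_(?P<func>accept|connect) error from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?SSL alert number (?P<num>\d+)", re.DOTALL)

# Constructed sample: the line quoted in the thread, joined onto one line.
SAMPLE_LINE = (
    "SSL_accept error from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]: 0 "
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:"
    "SSL alert number 48:")


def parse_tls_alert(line):
    """Describe the TLS alert in a Postfix log line; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    num = int(m.group("num"))
    our_role = "server" if m.group("func") == "accept" else "client"
    name = TLS_ALERTS.get(num, "unknown_alert_%d" % num)
    rejected = num in CERT_REJECTION_ALERTS
    if rejected:
        diagnosis = "%s sent %s: it does not trust the %s certificate we presented" % (
            m.group("host"), name, our_role)
    else:
        diagnosis = "%s sent %s" % (m.group("host"), name)
    return {"peer_host": m.group("host"), "peer_ip": m.group("ip"),
            "our_role": our_role, "alert": num, "alert_name": name,
            "peer_rejected_our_cert": rejected, "diagnosis": diagnosis}

if __name__ == "__main__":
    print(parse_tls_alert(SAMPLE_LINE)["diagnosis"])
```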

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org