Hey there...
On 2013-12-27, at 2:47 PM, Bobber wrote:
>
> On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
>> On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
>>
>>> I recently upgraded my company's mail server to 64 Debian Wheezy. I
>>> am using the OpenSSL package which is version 1.0.1e-2.
>>>
>>> I am having problems when trying to send a message to one of our
>>> business partners. The SMTP session appears to shut down and it
>>> appears that my server is rejecting their certificate.
>>>
>>> Here is the openssl command I am giving to diagnose the problem and
>>> its output. Can anyone suggest a solution? It appears to me that
>>> I may be lacking an intermediary certificate. How do I fix this if
>>> this is the case?
>>>
>>>> openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp
>>>> -connect mail.thelawrencegroup.com:25
>>
>> The posttls-finger(1) utility, included with Postfix 2.11 snapshot
>> source code, does a much better job of mail server TLS diagnostics.
>> Their certificate is expired. Your MTA really ought to log the
>> error reason. Consider a better MTA! :-)
>
> I don't see anywhere that it says expired other than this utility. How can I
> verify that it is really expired? These guys do business with lots of other
> people but have not noticed anything except with us. The openssl error code
> 20 indicates an improper intermediate CA from what I can find. Also using
> this site indicates no problem: http://www.checktls.com/testreceiver.html
>
> Is there another way to verify the expiration?
Grabbing the certificate using the command line that you posted:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:dc:80:c0:bf:94:54:35:24:af:1c:14:28:8b:ce:19
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)05, CN=VeriSign Class 3 Secure Server CA
        Validity
            Not Before: Dec 15 00:00:00 2005 GMT
            Not After : Dec 21 23:59:59 2008 GMT
        Subject: C=US, ST=Missouri, L=Saint Louis, O=The Lawrence Group, OU=IT, OU=Terms of use at www.verisign.com/rpa (c)05, CN=mail.thelawrencegroup.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b0:75:d6:b4:20:75:3b:22:a9:82:7b:81:17:e6:
                    22:b3:d9:ac:5a:b4:ce:6e:83:0e:e7:4b:d8:54:f9:
                    dd:b5:6d:48:2e:66:3b:84:6c:b9:82:50:8b:57:a5:
                    b6:86:ed:11:79:47:d3:24:73:5d:8d:5e:26:e1:af:
                    69:1a:ef:27:34:46:1a:8d:00:0b:42:e3:01:ff:d1:
                    70:36:65:76:e1:99:2c:43:f1:a4:17:21:8a:cb:0b:
                    dc:b0:33:54:ac:fd:5b:b1:7f:83:98:84:96:27:37:
                    39:b0:d4:64:c3:d2:4e:ee:db:99:f4:7b:34:29:14:
                    a6:c4:24:b9:3b:39:bf:48:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://SVRSecure-crl.verisign.com/SVRSecure2005.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:6F:EC:AF:A0:DD:8A:A4:EF:F5:2A:10:67:2D:3F:55:82:BC:D7:EF:25
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer
            1.3.6.1.5.5.7.1.12:
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
    Signature Algorithm: sha1WithRSAEncryption
        40:74:d0:61:86:b8:e6:a1:5b:98:7b:9c:fb:68:70:81:58:1e:
        98:dd:b9:74:53:02:1e:b8:d3:51:0a:3c:2d:6c:80:5c:14:ed:
        54:3d:c8:6b:f0:d0:6e:5f:c0:c8:e0:1c:3f:12:4d:cf:85:04:
        0b:6f:fd:c8:50:51:67:ee:e5:df:b3:c8:ce:dd:1d:cd:25:4c:
        cc:a3:58:c3:6a:38:73:05:5f:5d:13:46:8e:ba:f6:33:b8:77:
        6a:c2:cf:eb:52:6d:2e:39:40:26:47:5a:1b:e7:4a:d9:fe:44:
        dc:08:67:a6:ae:fa:f3:c1:ff:db:c4:b3:f6:7d:b7:00:95:aa:
        87:86:fc:b1:6e:c5:0f:ad:7e:1c:01:cd:43:76:a3:d3:74:c5:
        31:29:20:98:48:14:aa:5a:26:a6:6a:8a:64:0f:92:39:76:ff:
        f5:d7:aa:85:d5:55:72:1a:d2:98:76:e6:7e:ed:c0:bf:10:fc:
        2f:9c:56:09:6b:c3:ff:2e:12:9b:9c:0d:b1:91:53:1f:da:91:
        c4:38:93:92:bb:ff:cf:00:f2:e0:fd:b3:b1:1c:28:7c:62:ea:
        e0:cb:18:2f:e4:39:f5:52:d8:13:7a:9e:51:4a:6a:d8:69:cf:
        84:57:76:a4:90:eb:b0:cc:13:e5:da:1f:1c:75:b2:26:27:94:
        1e:a8:e1:6e

You will notice that the "Not After" line does, in fact, indicate that their cert is expired. And not only expired, but expired a long time ago.

Why does no one else notice? Probably because you've got your server set to actually validate TLS certs, as opposed to most of the world that doesn't. :)

Have fun!

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
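An added example, not part of this thread and not code from OpenSSL or Postfix, that answers Bobber's question ("is there another way to verify the expiration?") from Python's standard library: it negotiates STARTTLS on port 25 with full verification, reports the OpenSSL verify error number and reason when the handshake fails (the "error code 20" mentioned above, expiry, and a few other common codes), and otherwise summarises the peer certificate's validity window. The SAMPLE_CERT dict is constructed from the Subject and Validity fields quoted in the thread, in the shape getpeercert() returns them, so the expiry arithmetic runs offline; the host mail.example.net in the usage comment is a placeholder, and the verify-code table is a hand-picked subset of OpenSSL's X509_V_ERR_* values rather than a complete list.

```python
"""Diagnose SMTP STARTTLS certificate problems with the standard library only.

Added example for the openssl-users thread above; not OpenSSL or Postfix code.
"""

import smtplib
import ssl
from datetime import datetime, timezone

# Subset of OpenSSL X509_V_ERR_* numbers, as printed by `openssl s_client`
# ("verify error:num=20:...") and exposed as SSLCertVerificationError.verify_code.
X509_VERIFY_ERRORS = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate (depth 0)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate "
        "(intermediate not sent by the server, or root not in CApath/cafile)",
    21: "unable to verify the first certificate",
}


def classify_verify_error(code):
    """Translate an OpenSSL verify error number into a readable reason."""
    return X509_VERIFY_ERRORS.get(code, "unknown verify error %d" % code)


def expiry_status(not_after, now=None):
    """Compare a notAfter string ('Dec 21 23:59:59 2008 GMT', the format
    getpeercert() uses) against `now` (aware UTC datetime; default: current time).

    Returns (expired, days): days since expiry when positive, days remaining
    (as a negative timedelta.days) when the certificate is still valid."""
    if now is None:
        now = datetime.now(timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    delta = now - end
    return delta.total_seconds() > 0, delta.days


def describe_cert(cert, now=None):
    """Summarise a getpeercert() dict: subject CN, validity window, expiry state."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), "?")
    expired, days = expiry_status(cert["notAfter"], now)
    return {"commonName": cn, "notBefore": cert["notBefore"],
            "notAfter": cert["notAfter"], "expired": expired, "days": days}


def probe_smtp_starttls(host, port=25, cafile=None, timeout=15):
    """Open an SMTP session and negotiate STARTTLS with normal verification.

    Returns the verify failure (number + reason) instead of a bare handshake
    error, which is exactly what an MTA log should contain. Network function;
    the offline sample below does not call it."""
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store if None
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            return {"verified": False, "verify_code": exc.verify_code,
                    "reason": classify_verify_error(exc.verify_code)}
        # After a successful STARTTLS, smtp.sock is the SSLSocket.
        return {"verified": True, **describe_cert(smtp.sock.getpeercert())}


# Constructed sample: Subject and Validity values quoted in the thread,
# laid out the way SSLSocket.getpeercert() returns them.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("stateOrProvinceName", "Missouri"),),
                (("organizationName", "The Lawrence Group"),),
                (("commonName", "mail.thelawrencegroup.com"),)),
    "notBefore": "Dec 15 00:00:00 2005 GMT",
    "notAfter": "Dec 21 23:59:59 2008 GMT",
}
THREAD_DATE = datetime(2013, 12, 27, tzinfo=timezone.utc)  # date of the thread

if __name__ == "__main__":
    print(describe_cert(SAMPLE_CERT, THREAD_DATE))
    print("verify error 20:", classify_verify_error(20))
    # Live check against a real relay (placeholder host):
    # print(probe_smtp_starttls("mail.example.net"))
```

Run against the sample, the summary reports the certificate as expired by 1831 full days as of the thread date; the live probe returns verify_code 10 ("certificate has expired") or 20 ("unable to get local issuer certificate") depending on which check OpenSSL trips first for the remote chain and your local CA store, which is the reason a server-side log line should carry the number rather than just "handshake failed".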