On 30/04/2015 17:38, Viktor Dukhovni wrote:
> On Thu, Apr 30, 2015 at 10:29:29AM +0300, Birta Levente wrote:
>
>> On 30/04/2015 10:17, Viktor Dukhovni wrote:
>>> On Thu, Apr 30, 2015 at 10:09:36AM +0300, Birta Levente wrote:
>>>
>>>> OK, I found the problem:
>>>> I had configured the smtp_tls_CAfile. Removing everything works fine.
>>>
>>> Was the file malformed?  I have a hard time imagining any non-empty
>>> set of well-formed certs in that file causing the problem you
>>> describe.  Did the file contain any PEM X.509 certificates?
>>>
>>> Does:
>>>
>>>      $ cafile=<your former CAfile>
>>>      $ openssl crl2pkcs7 -nocrl -certfile "$cafile" |
>>>         openssl pkcs7 -print_certs -noout |
>>>         grep -c '^issuer='
>>>
>>> report any errors to stderr?  How many issuers were reported by
>>> grep?
>>
>> No error and only 1 issuer, which was the cacert.org root certificate.
>
> Can you reproduce the problem by using "-CAfile $cafile" with
> s_client(1)?  I don't see how adding a trusted CA can break the
> handshake if the CA is well formed.
>
> Please provide more information.  Please attach a gzipped copy of
> the CAfile after making sure putting it back restores the problem.


Seems like the CAcert root certificate is not in the acceptable client certificate CA names at the remote server.
As you asked, I attached the gzipped CA certificate.

#openssl s_client -CAfile CAcert.org_Root_Certificate.pem -starttls smtp -connect irs-ro.mail.eo.outlook.com:25
CONNECTED(00000003)
depth=2 CN = Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=Microsoft/OU=Forefront Online Protection for Exchange/CN=mail.protection.outlook.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHITCCBgmgAwIBAgIKaJVJ8AABAADfvjANBgkqhkiG9w0BAQUFADCBgDETMBEG
CgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIG
CgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMR8wHQYD
VQQDExZNU0lUIE1hY2hpbmUgQXV0aCBDQSAyMB4XDTE0MDUyOTIyMTk0NloXDTE2
MDUxNTIwNTA1NVowgZkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UE
BxMHUmVkbW9uZDESMBAGA1UEChMJTWljcm9zb2Z0MTEwLwYDVQQLEyhGb3JlZnJv
bnQgT25saW5lIFByb3RlY3Rpb24gZm9yIEV4Y2hhbmdlMSQwIgYDVQQDExttYWls
LnByb3RlY3Rpb24ub3V0bG9vay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC//+TcN6C92y7BZE4E9+3VJfxW/QHCbOdk8/W2rZ9NXK+JfgM8t6lD
+Xi9IQflxEnOpuANelypefk5rfpJuiSnGRGMg44xAWQkhhBVynduvDRoddd9ieaC
LIC0rcuyeqpvXnw8MPZdp1nRn12XoOrDhUYBke3JRk9JKys5yOec+g5a65nUxp++
jDtQOHCN60n5MmGZH5a+/EX++ZpyC13SISHEcVLNRDMMHzpmYT3h5JjCe3AhMgTy
qbjavIddv5lAyuGw9UsSpmjdyQ0gLPepfKscZ/5bp6QRT8rOj3d4jTlAbqsjJM6y
PBHxAHXrLiCPC3mn38Eggs7PIAPce47/AgMBAAGjggOAMIIDfDALBgNVHQ8EBAMC
BLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMHgGCSqGSIb3DQEJDwRr
MGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASow
CwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcw
CgYIKoZIhvcNAwcwHQYDVR0OBBYEFOdAD77qj+T7cfw6+hwbEjOKBl9DMB8GA1Ud
IwQYMBaAFOvbEV74CZ7Y1mKc/WKd44RKKOEnMIHuBgNVHR8EgeYwgeMwgeCggd2g
gdqGT2h0dHA6Ly9tc2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01T
SVQlMjBNYWNoaW5lJTIwQXV0aCUyMENBJTIwMigxKS5jcmyGTWh0dHA6Ly9jcmwu
bWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NU0lUJTIwTWFjaGluZSUyMEF1
dGglMjBDQSUyMDIoMSkuY3JshjhodHRwOi8vY29ycHBraS9jcmwvTVNJVCUyME1h
Y2hpbmUlMjBBdXRoJTIwQ0ElMjAyKDEpLmNybDCBrQYIKwYBBQUHAQEEgaAwgZ0w
VQYIKwYBBQUHMAKGSWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3Jw
L01TSVQlMjBNYWNoaW5lJTIwQXV0aCUyMENBJTIwMigxKS5jcnQwRAYIKwYBBQUH
MAKGOGh0dHA6Ly9jb3JwcGtpL2FpYS9NU0lUJTIwTWFjaGluZSUyMEF1dGglMjBD
QSUyMDIoMSkuY3J0MD8GCSsGAQQBgjcVBwQyMDAGKCsGAQQBgjcVCIPPiU2t8gKF
oZ8MgvrKfYHh+3SBT4PC7YUIjqnShWMCAWQCAQ0wJwYJKwYBBAGCNxUKBBowGDAK
BggrBgEFBQcDAjAKBggrBgEFBQcDATCBiAYDVR0RBIGAMH6CFSoubWFpbC5lby5v
dXRsb29rLmNvbYIdKi5tYWlsLnByb3RlY3Rpb24ub3V0bG9vay5jb22CG21haWwu
cHJvdGVjdGlvbi5vdXRsb29rLmNvbYILb3V0bG9vay5jb22CHG1haWwubWVzc2Fn
aW5nLm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEFBQADggEBAG0IKQDUPEOjAOv2
RMUAzyveNL590cdIVRNb3qq9kOOAK2HsUJJy8AE6HXEhgAl2kOyeIUKLlO0iYVRe
Viapc0nAcmuGT0AJtNEOaklBBzEAxfMBVsDuo1N9ngGDH4sx0izkM1R6fkN6fjHe
lVWeyne4GnJG//RoiQDIoRcETgLhpr+fd972PupvF13ao+tC3L4MEx6K5KfDY4z9
Fvjz+uPd1Y/6h2PwmxyBR2C5G2hkAsKs7ZD2ZhI5JhI+Sle4JLFDcjhdYVHS/dGo
s5+lCADuoG4gaPkdHplaqHyF5p8kREhlCOlwhEp3c6LXoTjgG75Lu02V1YKy+DZK
v5STRJE=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Redmond/O=Microsoft/OU=Forefront Online Protection for Exchange/CN=mail.protection.outlook.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
---
Acceptable client certificate CA names
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=SI/O=ACNLB
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=SE/O=Carelink/CN=SITHS CA v3
/C=TR/L=Gebze - Kocaeli/O=T\xC3\xBCrkiye Bilimsel ve Teknolojik Ara\xC5\x9Ft\xC4\xB1rma Kurumu - T\xC3\x9CB\xC4\xB0TAK/OU=Ulusal Elektronik ve Kriptoloji Ara\xC5\x9Ft\xC4\xB1rma Enstit\xC3\xBCs\xC3\xBC - UEKAE/OU=Kamu Sertifikasyon Merkezi/CN=T\xC3\x9CB\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 3
/O=RSA Security Inc/OU=RSA Security 2048 V3
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/O=AffirmTrust/CN=AffirmTrust Networking
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=AT/L=Vienna/ST=Austria/O=ARGE DATEN - Austrian Society for Data Protection/OU=GLOBALTRUST Certification Service/CN=GLOBALTRUST/emailAddress=i...@globaltrust.info
/C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
/C=FI/O=Sonera/CN=Sonera Class2 CA
/C=ZA/ST=Western Cape/L=Somerset West/O=South African Post Office Limited/OU=SAPO Trust Centre/CN=SAPO Class 3 Root CA/emailAddress=pkiad...@trustcentre.co.za
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
/C=si/O=state-institutions/OU=sigen-ca
/O=TeliaSonera/CN=TeliaSonera Root CA v1
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G2
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=i...@sgdn.pm.gouv.fr
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1
/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
/C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority
/C=CH/O=admin/OU=Services/OU=Certification Authorities/CN=AdminCA-CD-T01
/C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Chambers of Commerce Root
/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
/C=FR/O=Certplus/CN=Class 2 Primary CA
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
/C=KR/O=Government of Korea/OU=GPKI/CN=GPKIRootCA1
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
/C=ES/O=Consejo General de la Abogacia NIF:Q-2863006I/CN=Autoridad de Certificacion de la Abogacia
/C=si/O=state-institutions/OU=sigov-ca
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=DK/O=TDC/CN=TDC OCES CA
/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
/C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=i...@e-szigno.hu
/C=CN/O=CNNIC/CN=CNNIC ROOT
/CN=EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/O=EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./C=TR
/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 1
/C=CZ/O=\xC4\x8Cesk\xC3\xA1 po\xC5\xA1ta, s.p. [I\xC4\x8C 47114983]/CN=PostSignum Root QCA 2
/C=BE/O=Certipost s.a./n.v./CN=Certipost E-Trust Primary Normalised CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
/C=CH/O=The Federal Authorities of the Swiss Confederation/OU=Services/OU=Certification Authorities/CN=Swiss Government Root CA II
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority
/C=AT/O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH/OU=A-Trust-nQual-03/CN=A-Trust-nQual-03
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
/C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 Root CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
/C=US/O=AffirmTrust/CN=AffirmTrust Commercial
/C=UY/O=ADMINISTRACION NACIONAL DE CORREOS/OU=SERVICIOS ELECTRONICOS/CN=Correo Uruguayo - Root CA
/C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 16417 bytes and written 510 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 1D310000B6364D5DA979CD1A807F049D5F616EAB1D2EA94ACDA638CBB4352B8E
    Session-ID-ctx:
    Master-Key: 78D12D8AA4FC6175A27B75F4793D6CBDFC4427C1D29F2A7D0543526F28E4A3E224916F23C5BE528247643879FCA3FC3D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1430718437
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 CHUNKING
--
           Levi

Attachment: CAcert.org_Root_Certificate.pem.gz
Description: GNU Zip compressed data
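The check Levi did by eye above, reading the "Acceptable client certificate CA names" block of the s_client output and looking for the CAcert root, can be scripted. The list is the certificate_authorities hint the server sends in its TLS CertificateRequest: it tells the client which issuers the server will accept for a client certificate, and it has no bearing on how the client verifies the server's own chain. The script below is an added example, not code from the thread or from Postfix or OpenSSL; it parses a saved s_client transcript and reports whether a given CA subject DN is on the server's list. The transcripts embedded in it are constructed to imitate s_client's layout and are not the server output quoted in the message; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post, Postfix or OpenSSL): extract the
# CA list a server sent in its CertificateRequest from an `openssl s_client`
# transcript and test whether a given CA subject DN is on it.

# CONSTRUCTED transcript imitating s_client's text layout (not real output).
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.invalid
   i:/CN=Example Issuing CA
---
Acceptable client certificate CA names
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1234 bytes and written 456 bytes
---'

# CONSTRUCTED transcript from a server that requested no client certificate.
NO_REQUEST_TRANSCRIPT='CONNECTED(00000003)
---
No client certificate CA names sent
---'

# Read an s_client transcript on stdin and print the DN lines that follow the
# "Acceptable client certificate CA names" header, one per line.  The list
# ends at the next "---" separator, or at a status line such as
# "Server Temp Key:" that s_client prints before the separator.  If the
# header is absent (the server sent no CertificateRequest) nothing is printed.
acceptable_client_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && (/^---/ || /^Server Temp Key:/) { inlist = 0 }
        inlist { print }
    '
}

# Exit 0 if the DN given as $1 is on the list read from stdin, 1 otherwise.
# grep -F: literal string, -x: the whole line must match, -q: print nothing.
ca_is_acceptable() {
    acceptable_client_cas | grep -Fxq -- "$1"
}

# Number of DNs on the list read from stdin; 0 when the server sent none.
count_acceptable_cas() {
    acceptable_client_cas | awk 'END { print NR }'
}

# Demo on the constructed transcript.
CANDIDATE='/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root'
printf '%s\n' "$SAMPLE_TRANSCRIPT" | acceptable_client_cas
if printf '%s\n' "$SAMPLE_TRANSCRIPT" | ca_is_acceptable "$CANDIDATE"; then
    echo "server accepts client certificates issued under: $CANDIDATE"
else
    echo "server did not list: $CANDIDATE"
fi
```

Against a live server the transcript would come from something like `openssl s_client -starttls smtp -connect host:25 </dev/null 2>/dev/null`, and the candidate DN from `openssl x509 -in "$cafile" -noout -subject` with the `subject=` prefix stripped. The two DN strings must be formatted the same way for the whole-line match to work: the slash-separated form shown here is what OpenSSL 1.0.x printed in both places, while later releases print comma-separated RDNs in both, so compare output from the same OpenSSL build. A DN that is absent from this list explains why a client certificate under that CA would not be offered; it says nothing about whether the server's chain verifies against the CAfile.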