On 17/03/20 2:08 am, Viktor Dukhovni wrote:
For opportunistic TLS, unvalidated certificates are not a failure.
There is no problem, everything is working as expected:
$ posttls-finger -l may -c -L summary gmail.com
posttls-finger: Untrusted TLS connection established to
gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
RSA-PSS (2048 bits) server-digest SHA256
$ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername
"gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl
x509 -noout -text); sleep 0.1
...
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
...
Not After : May 19 20:43:24 2020 GMT
...
X509v3 Subject Alternative Name:
...DNS:gmail-smtp-in.l.google.com,...
...
Looks valid to me, unless I'm missing something, or is posttls-finger
missing something?
Peter
