Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 04:11:40PM -0600, Bobber wrote: > > > TLS started w/ cipher DES-CBC3-SHA > > > >There's your problem! This server (likely Exchange 2003) has a > >broken implementation of 3DES CBC padding (search Postfix users > >archives for my posts on the subject), and your cipher list is > >either long enough to cause it to not see RC4-SHA and RC4-MD5 or > >you've disabled RC4 (directly, or by only enabling HIGH grade > >ciphers). > > Does Micro$oft have a fix for this? They did, in 2007, but the software in question is no longer supported and AFAIK the hotfix is no longer available. The domain in question is running "abandon-ware". -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 09:39:52PM +, Viktor Dukhovni wrote: > On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: > > > >=== TLS started w/ cipher DES-CBC3-SHA > > >=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The > > >Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa > > >(c)05/CN=mail.thelawrencegroup.com" > > There's your problem! This server (likely Exchange 2003) has a > broken implementation of 3DES CBC padding (search Postfix users > archives for my posts on the subject), and your cipher list is > either long enough to cause it to not see RC4-SHA and RC4-MD5 or > you've disabled RC4 (directly, or by only enabling HIGH grade > ciphers). > > Exchange 2003 servers can't do better than RC4-SHA. Confirmed, this server has the Exchange 2003 cipher-count limit problem. When RC4-SHA and RC4-MD5 are too low on the cipher-list, TLS breaks. If your MTA allows you configure a custom set of cipher suites for a given set of destinations, then configure this set of cipher suites for mail sent to Exchange 2003 machines (cipherlist setting for Postfix "transport", Exim "router", Sendmail "mailer", etc): aRSA+AES128+kEECDH:aRSA+AES128+kEDH:aRSA+AES128+kRSA:RC4-SHA:@STRENGTH This cipherlist allows for the possibility of eventual upgrades that yield AES128 support, but otherwise falls back to RC4-SHA. The list if matching ciphers is well short of the 64 limit. In OpenSSL 1.0.1e it comes to: $ openssl ciphers -v \ 'aRSA+AES128+kEECDH:aRSA+AES128+kEDH:aRSA+AES128+kRSA:RC4-SHA:@STRENGTH' ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHASSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote: On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: === TLS started w/ cipher DES-CBC3-SHA === TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com" There's your problem! This server (likely Exchange 2003) has a broken implementation of 3DES CBC padding (search Postfix users archives for my posts on the subject), and your cipher list is either long enough to cause it to not see RC4-SHA and RC4-MD5 or you've disabled RC4 (directly, or by only enabling HIGH grade ciphers). Does Micro$oft have a fix for this? -- Bob Wooldridge Blog: http://kc0dxf.net/blog
Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: > >=== TLS started w/ cipher DES-CBC3-SHA > >=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The > >Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa > >(c)05/CN=mail.thelawrencegroup.com" There's your problem! This server (likely Exchange 2003) has a broken implementation of 3DES CBC padding (search Postfix users archives for my posts on the subject), and your cipher list is either long enough to cause it to not see RC4-SHA and RC4-MD5 or you've disabled RC4 (directly, or by only enabling HIGH grade ciphers). Exchange 2003 servers can't do better than RC4-SHA. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On 12/27/2013 02:22 PM, Viktor Dukhovni wrote: You're posting to the wrong forum. The problem is not OpenSSL, rather you have an updated release of your MTA. (Is it Exim or Postfix? Go to the corresponding mailing list). OpenSSL performs whatever certificate verification your MTA asks for. Perhaps your Debian software upgrade modified your MTA configuration, or your new MTA is not backwards compatible in its TLS support (this would rule out Postfix, which is). Here is output from the swaks command line tool. You can see at the end that it is the remote server which is closing the connection and not my MTA: swaks -tls --from r...@edm-inc.com --to nosuchu...@thelawrencegroup.com --server mail.thelawrencegroup.com === Trying mail.thelawrencegroup.com:25... === Connected to mail.thelawrencegroup.com. <- 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 15:22:54 -0600 -> EHLO mail.edm-inc.com <- 250-mail.thelawrencegroup.com Hello [68.143.19.38] <- 250-TURN <- 250-SIZE <- 250-ETRN <- 250-PIPELINING <- 250-DSN <- 250-ENHANCEDSTATUSCODES <- 250-8bitmime <- 250-BINARYMIME <- 250-CHUNKING <- 250-VRFY <- 250-TLS <- 250-STARTTLS <- 250-X-EXPS GSSAPI NTLM LOGIN <- 250-X-EXPS=LOGIN <- 250-AUTH GSSAPI NTLM LOGIN <- 250-AUTH=LOGIN <- 250-X-LINK2STATE <- 250-XEXCH50 <- 250 OK -> STARTTLS <- 220 2.0.0 SMTP server ready === TLS started w/ cipher DES-CBC3-SHA === TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com" ~> EHLO mail.edm-inc.com <~ 250-mail.thelawrencegroup.com Hello [68.143.19.38] <~ 250-TURN <~ 250-SIZE <~ 250-ETRN <~ 250-PIPELINING <~ 250-DSN <~ 250-ENHANCEDSTATUSCODES <~ 250-8bitmime <~ 250-BINARYMIME <~ 250-CHUNKING <~ 250-VRFY <~ 250-X-EXPS GSSAPI NTLM LOGIN <~ 250-X-EXPS=LOGIN <~ 250-AUTH GSSAPI NTLM LOGIN <~ 250-AUTH=LOGIN <~ 250-X-LINK2STATE <~ 250-XEXCH50 <~ 250 OK ~> MAIL FROM: *** Remote host closed connection unexpectedly. -- Bob Wooldridge Blog: http://kc0dxf.net/blog
Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 02:07:56PM -0600, Bobber wrote: > Yes, thanks Andrew, I got it. I see that it is expired. I am still a > bit baffled. I upgraded my mail server just a couple of weeks ago > from Debian Squeeze. Everything was fine before then. Is there a > different check involved in the latest openssl? You're posting to the wrong forum. The problem is not OpenSSL, rather you have an updated release of your MTA. (Is it Exim or Postfix? Go to the corresponding mailing list). OpenSSL performs whatever certificate verification your MTA asks for. Perhaps your Debian software upgrade modified your MTA configuration, or your new MTA is not backwards compatible in its TLS support (this would rule out Postfix, which is). -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 02:54:55PM -0500, Patrick Patterson wrote: > Why does no-one else notice? Probably because you've got your > server set to actually validate TLS certs, as opposed to most of > the world that doesn't. :) With SMTP, PKIX certificate verification is pointless without explicit per-destination configuration: http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2 This is why I am working to implement and standardize SMTP with DANE TLS. The OP has not explained whether the destination in question has been specifically selected for TLS authentication, or whether TLS authentication is attempted with all destinations that do STATTLS. Most businesses that do mandatory SMTP TLS for compliance reasons protect only against passive attacks (don't send in the clear). Configuration of pre-DANE authenticated SMTP TLS is too difficult. The OP might want to configure his MTA to only require TLS encryption when sending to the site in question, without authentication. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
Bobber wrote on 12/27/2013 02:47:47 PM: > I don't see anywhere that it says expired other than this utility. How > can I verify that it is really expired? In case you don't trust your openssl install, here is an easy approach using windows: 1. Select everything between -BEGIN CERTIFICATE- and -END CERTIFICATE- 2. Paste into a "notepad". Delete the "> " at the beginning of each line. 3. Save the file, say as "test.txt". 4. From the file manager, change the extension to "test.cer" -- the cer means "certificate". 5. Double click on the file. It will bring up a lot of information about the certificate. -- Dr. Robert "Woody" GBS Cybersecurity & Weaver Privacy IT Security Architect Cell: 301-524-8138 -- The naked truth of it is, I have no shirt. -- William Shakespeare, "Love's Labour's Lost" <>
Re: Verisign Problem with smtp tls
On 12/27/2013 01:54 PM, andrew cooke wrote: On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote: i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in openssl x509 -text -in Yes, thanks Andrew, I got it. I see that it is expired. I am still a bit baffled. I upgraded my mail server just a couple of weeks ago from Debian Squeeze. Everything was fine before then. Is there a different check involved in the latest openssl? -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
Hey there...
On 2013-12-27, at 2:47 PM, Bobber wrote:
>
> On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
>> On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
>>
>>> I recently upgraded my companies' mail server to 64 Debian Wheezy. I
>>> am using the Openssl package which is version 1.0.1e-2.
>>>
>>> I am having problems when trying to send a message to one of our
>>> business partners. The SMTP session appears to shut down and it
>>> appears that my server is rejecting their certificate.
>>>
>>> Here is the openssl command I am giving to diagnose the problem and
>>> it's output. Can anyone suggest a solution? It appears to me that
>>> I may be lacking an intermediary certificate. How do I fix this if
>>> this is the case?
>>>
openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp
-connect mail.thelawrencegroup.com:25
>> The posttls-finger(1) utility, included with Postfix 2.11 snapshot
>> source code, does a much better job of mail server TLS diagnostics.
>> Their certificate is expired. Your MTA really ought to log the
>> error reason. Consider a better MTA! :-)
> I don't see anywhere that it says expired other than this utility. How can I
> verify that it is really expired? These guys do business with lots of other
> people but have not noticed anything except with us. The openssl error code
> 20 indicates an improper intermediate CA from what I can find. Also using
> this site indicates no problem: http://www.checktls.com/testreceiver.html
>
> Is there another way to verify the expiration?
Grabbing the certificate using the command line that you posted:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
37:dc:80:c0:bf:94:54:35:24:af:1c:14:28:8b:ce:19
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of
use at https://www.verisign.com/rpa (c)05, CN=VeriSign Class 3 Secure Server CA
Validity
Not Before: Dec 15 00:00:00 2005 GMT
Not After : Dec 21 23:59:59 2008 GMT
Subject: C=US, ST=Missouri, L=Saint Louis, O=The Lawrence Group, OU=IT,
OU=Terms of use at www.verisign.com/rpa (c)05, CN=mail.thelawrencegroup.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b0:75:d6:b4:20:75:3b:22:a9:82:7b:81:17:e6:
22:b3:d9:ac:5a:b4:ce:6e:83:0e:e7:4b:d8:54:f9:
dd:b5:6d:48:2e:66:3b:84:6c:b9:82:50:8b:57:a5:
b6:86:ed:11:79:47:d3:24:73:5d:8d:5e:26:e1:af:
69:1a:ef:27:34:46:1a:8d:00:0b:42:e3:01:ff:d1:
70:36:65:76:e1:99:2c:43:f1:a4:17:21:8a:cb:0b:
dc:b0:33:54:ac:fd:5b:b1:7f:83:98:84:96:27:37:
39:b0:d4:64:c3:d2:4e:ee:db:99:f4:7b:34:29:14:
a6:c4:24:b9:3b:39:bf:48:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://SVRSecure-crl.verisign.com/SVRSecure2005.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/rpa
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:6F:EC:AF:A0:DD:8A:A4:EF:F5:2A:10:67:2D:3F:55:82:BC:D7:EF:25
Authority Information Access:
OCSP - URI:http://ocsp.verisign.com
CA Issuers -
URI:http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
Signature Algorithm: sha1WithRSAEncryption
40:74:d0:61:86:b8:e6:a1:5b:98:7b:9c:fb:68:70:81:58:1e:
98:dd:b9:74:53:02:1e:b8:d3:51:0a:3c:2d:6c:80:5c:14:ed:
54:3d:c8:6b:f0:d0:6e:5f:c0:c8:e0:1c:3f:12:4d:cf:85:04:
0b:6f:fd:c8:50:51:67:ee:e5:df:b3:c8:ce:dd:1d:cd:25:4c:
cc:a3:58:c3:6a:38:73:05:5f:5d:13:46:8e:ba:f6:33:b8:77:
6a:c2:cf:eb:52:6d:2e:39:40:26:47:5a:1b:e7:4a:d9:fe:44:
dc:08:67:a6:ae:fa:f3:c1:ff:db:c4:b3:f6:7d:b7:00:95:aa:
87:86:fc:b1:6e:c5:0f:ad:7e:1c:01:cd:43:76:a3:d3:74:c5:
31:29:20:98:48:14:aa:5a:26:a6:6a:8a:64:0f:92:39:76:ff:
f5:d7:aa:85:d5:55:72:1a:d2:98:76:e6:7e:ed:c0:bf:10:fc:
2f:9c:56:09:6b:c3:ff:2e:12:9b:9c:0d:b1:91:53:1f:da:91:
c4:38:93:92:bb:ff:cf:00:f2:e0:fd:b3:b1:1c:28:7c:62:ea:
e0:cb:18:2f:e4:39:f5:52:d8:13:7a:9e:51:4a:6a:d8:69:cf:
84:57:76:a4:90:eb:b0:cc:13:e5:da:1f:1c:75:b2:26:27:94:
1e:a8:e1:6e
You will not
Re: Verisign Problem with smtp tls
On 12/27/2013 01:53 PM, andrew cooke wrote: i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in Ok, that's good. Thanks. sorry if i'm jumping into something i've misunderstood, andrew -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote: > > i am not following this in any detail, but if you look at the certificate you > included in your original email it expired in 2008. just look at it with > >openssl -text -in openssl x509 -text -in > sorry if i'm jumping into something i've misunderstood, > andrew > > > On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote: > > > > On 12/27/2013 01:29 PM, Viktor Dukhovni wrote: > > >On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: > > > > > >>I recently upgraded my companies' mail server to 64 Debian Wheezy. I > > >>am using the Openssl package which is version 1.0.1e-2. > > >> > > >>I am having problems when trying to send a message to one of our > > >>business partners. The SMTP session appears to shut down and it > > >>appears that my server is rejecting their certificate. > > >> > > >>Here is the openssl command I am giving to diagnose the problem and > > >>it's output. Can anyone suggest a solution? It appears to me that > > >>I may be lacking an intermediary certificate. How do I fix this if > > >>this is the case? > > >> > > >>>openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp > > >>>-connect mail.thelawrencegroup.com:25 > > >The posttls-finger(1) utility, included with Postfix 2.11 snapshot > > >source code, does a much better job of mail server TLS diagnostics. > > >Their certificate is expired. Your MTA really ought to log the > > >error reason. Consider a better MTA! :-) > > I don't see anywhere that it says expired other than this utility. > > How can I verify that it is really expired? These guys do business > > with lots of other people but have not noticed anything except with > > us. The openssl error code 20 indicates an improper intermediate CA > > from what I can find. Also using this site indicates no problem: > > http://www.checktls.com/testreceiver.html > > > > Is there another way to verify the expiration? > > > > > > $ posttls-finger "[mail.thelawrencegroup.com]" > > > posttls-finger: Connected to > > > mail.thelawrencegroup.com[206.16.127.29]:25 > > > posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL > > > Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600 > > > posttls-finger: > EHLO amnesiac.example > > > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] > > > posttls-finger: < 250-TURN > > > posttls-finger: < 250-SIZE > > > posttls-finger: < 250-ETRN > > > posttls-finger: < 250-PIPELINING > > > posttls-finger: < 250-DSN > > > posttls-finger: < 250-ENHANCEDSTATUSCODES > > > posttls-finger: < 250-8bitmime > > > posttls-finger: < 250-BINARYMIME > > > posttls-finger: < 250-CHUNKING > > > posttls-finger: < 250-VRFY > > > posttls-finger: < 250-TLS > > > posttls-finger: < 250-STARTTLS > > > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN > > > posttls-finger: < 250-X-EXPS=LOGIN > > > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN > > > posttls-finger: < 250-AUTH=LOGIN > > > posttls-finger: < 250-X-LINK2STATE > > > posttls-finger: < 250-XEXCH50 > > > posttls-finger: < 250 OK > > > posttls-finger: > STARTTLS > > > posttls-finger: < 220 2.0.0 SMTP server ready > > > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched > > > CommonName mail.thelawrencegroup.com > > > posttls-finger: server certificate verification failed for > > > mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired > > > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: > > > subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure > > > Server CA, > > > fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, > > > pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D > > > posttls-finger: Untrusted TLS connection established to > > > mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 > > > (128/128 bits) > > > posttls-finger: > EHLO amnesiac.example > > > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] > > > posttls-finger: < 250-TURN > > > posttls-finger: < 250-SIZE > > > posttls-finger: < 250-ETRN > > > posttls-finger: < 250-PIPELINING > > > posttls-finger: < 250-DSN > > > posttls-finger: < 250-ENHANCEDSTATUSCODES > > > posttls-finger: < 250-8bitmime > > > posttls-finger: < 250-BINARYMIME > > > posttls-finger: < 250-CHUNKING > > > posttls-finger: < 250-VRFY > > > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN > > > posttls-finger: < 250-X-EXPS=LOGIN > > > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN > > > posttls-finger: < 250-AUTH=LOGIN > > > posttls-finger: < 250-X-LINK2STATE > > > posttls-finger: < 250-XEXCH50 > > > posttls-finger: < 250 OK > > > posttls-finger: > QUIT > > > posttls-finger: < 221 2.0.0 ma
Re: Verisign Problem with smtp tls
i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in sorry if i'm jumping into something i've misunderstood, andrew On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote: > > On 12/27/2013 01:29 PM, Viktor Dukhovni wrote: > >On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: > > > >>I recently upgraded my companies' mail server to 64 Debian Wheezy. I > >>am using the Openssl package which is version 1.0.1e-2. > >> > >>I am having problems when trying to send a message to one of our > >>business partners. The SMTP session appears to shut down and it > >>appears that my server is rejecting their certificate. > >> > >>Here is the openssl command I am giving to diagnose the problem and > >>it's output. Can anyone suggest a solution? It appears to me that > >>I may be lacking an intermediary certificate. How do I fix this if > >>this is the case? > >> > >>>openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp > >>>-connect mail.thelawrencegroup.com:25 > >The posttls-finger(1) utility, included with Postfix 2.11 snapshot > >source code, does a much better job of mail server TLS diagnostics. > >Their certificate is expired. Your MTA really ought to log the > >error reason. Consider a better MTA! :-) > I don't see anywhere that it says expired other than this utility. > How can I verify that it is really expired? These guys do business > with lots of other people but have not noticed anything except with > us. The openssl error code 20 indicates an improper intermediate CA > from what I can find. Also using this site indicates no problem: > http://www.checktls.com/testreceiver.html > > Is there another way to verify the expiration? > > > > $ posttls-finger "[mail.thelawrencegroup.com]" > > posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25 > > posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL > > Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600 > > posttls-finger: > EHLO amnesiac.example > > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] > > posttls-finger: < 250-TURN > > posttls-finger: < 250-SIZE > > posttls-finger: < 250-ETRN > > posttls-finger: < 250-PIPELINING > > posttls-finger: < 250-DSN > > posttls-finger: < 250-ENHANCEDSTATUSCODES > > posttls-finger: < 250-8bitmime > > posttls-finger: < 250-BINARYMIME > > posttls-finger: < 250-CHUNKING > > posttls-finger: < 250-VRFY > > posttls-finger: < 250-TLS > > posttls-finger: < 250-STARTTLS > > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN > > posttls-finger: < 250-X-EXPS=LOGIN > > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN > > posttls-finger: < 250-AUTH=LOGIN > > posttls-finger: < 250-X-LINK2STATE > > posttls-finger: < 250-XEXCH50 > > posttls-finger: < 250 OK > > posttls-finger: > STARTTLS > > posttls-finger: < 220 2.0.0 SMTP server ready > > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched > > CommonName mail.thelawrencegroup.com > > posttls-finger: server certificate verification failed for > > mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired > > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: > > subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure > > Server CA, > > fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, > > pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D > > posttls-finger: Untrusted TLS connection established to > > mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 > > (128/128 bits) > > posttls-finger: > EHLO amnesiac.example > > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] > > posttls-finger: < 250-TURN > > posttls-finger: < 250-SIZE > > posttls-finger: < 250-ETRN > > posttls-finger: < 250-PIPELINING > > posttls-finger: < 250-DSN > > posttls-finger: < 250-ENHANCEDSTATUSCODES > > posttls-finger: < 250-8bitmime > > posttls-finger: < 250-BINARYMIME > > posttls-finger: < 250-CHUNKING > > posttls-finger: < 250-VRFY > > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN > > posttls-finger: < 250-X-EXPS=LOGIN > > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN > > posttls-finger: < 250-AUTH=LOGIN > > posttls-finger: < 250-X-LINK2STATE > > posttls-finger: < 250-XEXCH50 > > posttls-finger: < 250 OK > > posttls-finger: > QUIT > > posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing > > transmission channel > > > > -- > > Bob Wooldridge > bob...@kc0dxf.net > Blog: http://kc0dxf.net/blog/ > > __ > OpenSSL Project http://www.openssl.org >
Re: Verisign Problem with smtp tls
On 12/27/2013 01:29 PM, Viktor Dukhovni wrote: On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: I recently upgraded my companies' mail server to 64 Debian Wheezy. I am using the Openssl package which is version 1.0.1e-2. I am having problems when trying to send a message to one of our business partners. The SMTP session appears to shut down and it appears that my server is rejecting their certificate. Here is the openssl command I am giving to diagnose the problem and it's output. Can anyone suggest a solution? It appears to me that I may be lacking an intermediary certificate. How do I fix this if this is the case? openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp -connect mail.thelawrencegroup.com:25 The posttls-finger(1) utility, included with Postfix 2.11 snapshot source code, does a much better job of mail server TLS diagnostics. Their certificate is expired. Your MTA really ought to log the error reason. Consider a better MTA! :-) I don't see anywhere that it says expired other than this utility. How can I verify that it is really expired? These guys do business with lots of other people but have not noticed anything except with us. The openssl error code 20 indicates an improper intermediate CA from what I can find. Also using this site indicates no problem: http://www.checktls.com/testreceiver.html Is there another way to verify the expiration? $ posttls-finger "[mail.thelawrencegroup.com]" posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25 posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600 posttls-finger: > EHLO amnesiac.example posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] posttls-finger: < 250-TURN posttls-finger: < 250-SIZE posttls-finger: < 250-ETRN posttls-finger: < 250-PIPELINING posttls-finger: < 250-DSN posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8bitmime posttls-finger: < 250-BINARYMIME posttls-finger: < 250-CHUNKING posttls-finger: < 250-VRFY posttls-finger: < 250-TLS posttls-finger: < 250-STARTTLS posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN posttls-finger: < 250-X-EXPS=LOGIN posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN posttls-finger: < 250-AUTH=LOGIN posttls-finger: < 250-X-LINK2STATE posttls-finger: < 250-XEXCH50 posttls-finger: < 250 OK posttls-finger: > STARTTLS posttls-finger: < 220 2.0.0 SMTP server ready posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched CommonName mail.thelawrencegroup.com posttls-finger: server certificate verification failed for mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D posttls-finger: Untrusted TLS connection established to mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 (128/128 bits) posttls-finger: > EHLO amnesiac.example posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] posttls-finger: < 250-TURN posttls-finger: < 250-SIZE posttls-finger: < 250-ETRN posttls-finger: < 250-PIPELINING posttls-finger: < 250-DSN posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8bitmime posttls-finger: < 250-BINARYMIME posttls-finger: < 250-CHUNKING posttls-finger: < 250-VRFY posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN posttls-finger: < 250-X-EXPS=LOGIN posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN posttls-finger: < 250-AUTH=LOGIN posttls-finger: < 250-X-LINK2STATE posttls-finger: < 250-XEXCH50 posttls-finger: < 250 OK posttls-finger: > QUIT posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing transmission channel -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: > I recently upgraded my companies' mail server to 64 Debian Wheezy. I > am using the Openssl package which is version 1.0.1e-2. > > I am having problems when trying to send a message to one of our > business partners. The SMTP session appears to shut down and it > appears that my server is rejecting their certificate. > > Here is the openssl command I am giving to diagnose the problem and > it's output. Can anyone suggest a solution? It appears to me that > I may be lacking an intermediary certificate. How do I fix this if > this is the case? > > >openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp > >-connect mail.thelawrencegroup.com:25 The posttls-finger(1) utility, included with Postfix 2.11 snapshot source code, does a much better job of mail server TLS diagnostics. Their certificate is expired. Your MTA really ought to log the error reason. Consider a better MTA! :-) $ posttls-finger "[mail.thelawrencegroup.com]" posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25 posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600 posttls-finger: > EHLO amnesiac.example posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] posttls-finger: < 250-TURN posttls-finger: < 250-SIZE posttls-finger: < 250-ETRN posttls-finger: < 250-PIPELINING posttls-finger: < 250-DSN posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8bitmime posttls-finger: < 250-BINARYMIME posttls-finger: < 250-CHUNKING posttls-finger: < 250-VRFY posttls-finger: < 250-TLS posttls-finger: < 250-STARTTLS posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN posttls-finger: < 250-X-EXPS=LOGIN posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN posttls-finger: < 250-AUTH=LOGIN posttls-finger: < 250-X-LINK2STATE posttls-finger: < 250-XEXCH50 posttls-finger: < 250 OK posttls-finger: > STARTTLS posttls-finger: < 220 2.0.0 SMTP server ready posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched CommonName mail.thelawrencegroup.com posttls-finger: server certificate verification failed for mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D posttls-finger: Untrusted TLS connection established to mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 (128/128 bits) posttls-finger: > EHLO amnesiac.example posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1] posttls-finger: < 250-TURN posttls-finger: < 250-SIZE posttls-finger: < 250-ETRN posttls-finger: < 250-PIPELINING posttls-finger: < 250-DSN posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8bitmime posttls-finger: < 250-BINARYMIME posttls-finger: < 250-CHUNKING posttls-finger: < 250-VRFY posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN posttls-finger: < 250-X-EXPS=LOGIN posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN posttls-finger: < 250-AUTH=LOGIN posttls-finger: < 250-X-LINK2STATE posttls-finger: < 250-XEXCH50 posttls-finger: < 250 OK posttls-finger: > QUIT posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing transmission channel -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: HPUX build test fails
On Fri, Dec 27, 2013, Alexandre Klein wrote: > Hey, > > When I'm building openssl 1.0.1e (32-bit) on HPUX (11.11), it failed here: > enveloped content test streaming S/MIME format, 3 recipients, key only > used: verify error > > Looks like it is from the file openssl/test/cms-test.pl > > > I'm doing: > Configure hpux-parisc2-cc --prefix=/somewhere/ no-shared no-zlib > no-zlib-dynamic no-rc5 no-idea no-ec no-ecdh no-ecdsa no-asm no-mdc2 no-bf > no-cast no-md2 no-rc4 no-jpake no-gmp > > I modified the file openssl/engines/Makefile: > - [ -z "$(ENGDIRS)" ] || for i in $(ENGDIRS) ; do \ > + [ -z "$(ENGDIRS)" ] || for i in "$(ENGDIRS)" ; do \ > > > You can see the full output here: > https://drive.google.com/file/d/0B17xCZmWiYuMV1FVUENJMjJlT0U/ > (please note that I'm using "ant" to execute the command to build openssl) > > Is there something I am missing ? > A file called "cms.err" should be present in the test directory after the failure. Can you post its contents? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Verisign Problem with smtp tls
I recently upgraded my companies' mail server to 64 Debian Wheezy. I am using the Openssl package which is version 1.0.1e-2. I am having problems when trying to send a message to one of our business partners. The SMTP session appears to shut down and it appears that my server is rejecting their certificate. Here is the openssl command I am giving to diagnose the problem and it's output. Can anyone suggest a solution? It appears to me that I may be lacking an intermediary certificate. How do I fix this if this is the case? openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp -connect mail.thelawrencegroup.com:25 CONNECTED(0003) depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)05, CN = VeriSign Class 3 Secure Server CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -BEGIN CERTIFICATE- MIIFRTCCBC2gAwIBAgIQN9yAwL+UVDUkrxwUKIvOGTANBgkqhkiG9w0BAQUFADCB sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA1MTIxNTAwMDAw MFoXDTA4MTIyMTIzNTk1OVowgbkxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaXNz b3VyaTEUMBIGA1UEBxQLU2FpbnQgTG91aXMxGzAZBgNVBAoUElRoZSBMYXdyZW5j ZSBHcm91cDELMAkGA1UECxQCSVQxMzAxBgNVBAsUKlRlcm1zIG9mIHVzZSBhdCB3 d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEiMCAGA1UEAxQZbWFpbC50aGVsYXdy ZW5jZWdyb3VwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsHXWtCB1 OyKpgnuBF+Yis9msWrTOboMO50vYVPndtW1ILmY7hGy5glCLV6W2hu0ReUfTJHNd jV4m4a9pGu8nNEYajQALQuMB/9FwNmV24ZksQ/GkFyGKywvcsDNUrP1bsX+DmISW Jzc5sNRkw9JO7tuZ9Hs0KRSmxCS5Ozm/SGcCAwEAAaOCAdIwggHOMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgWgMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9TVlJTZWN1 cmUtY3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LmNybDBEBgNVHSAEPTA7 MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlz aWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1Ud IwQYMBaAFG/sr6DdiqTv9SoQZy0/VYK81+8lMHkGCCsGAQUFBwEBBG0wazAkBggr BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEMGCCsGAQUFBzAChjdo dHRwOi8vU1ZSU2VjdXJlLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlMjAwNS1h aWEuY2VyMG0GCCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8w BwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZl cmlzaWduLmNvbS92c2xvZ28uZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQBAdNBhhrjm oVuYe5z7aHCBWB6Y3bl0UwIeuNNRCjwtbIBcFO1UPchr8NBuX8DI4Bw/Ek3PhQQL b/3IUFFn7uXfs8jO3R3NJUzMo1jDajhzBV9dE0aOuvYzuHdqws/rUm0uOUAmR1ob 50rZ/kTcCGemrvrzwf/bxLP2fbcAlaqHhvyxbsUPrX4cAc1DdqPTdMUxKSCYSBSq WiamaopkD5I5dv/116qF1VVyGtKYduZ+7cC/EPwvnFYJa8P/LhKbnA2xkVMf2pHE OJOSu//PAPLg/bOxHCh8Yurgyxgv5Dn1UtgTep5RSmrYac+EV3akkOuwzBPl2h8c dbImJ5QeqOFu -END CERTIFICATE- subject=/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA --- No client certificate CA names sent --- SSL handshake has read 3180 bytes and written 545 bytes --- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 1024 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: DES-CBC3-SHA Session-ID: 4B17CCB1A39FEAE5E1682BE3F44E70362A2247CD6F6F9E0195D64323602C Session-ID-ctx: Master-Key: 4F89ADCC6069F833996E892E09D270497A36FAF8B26C8F246130D35FC431BA56C11EC2793ABFDECCC6342B583C311A92 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1388170612 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- 250 OK -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
HPUX build test fails
Hey, When I'm building openssl 1.0.1e (32-bit) on HPUX (11.11), it failed here: enveloped content test streaming S/MIME format, 3 recipients, key only used: verify error Looks like it is from the file openssl/test/cms-test.pl I'm doing: Configure hpux-parisc2-cc --prefix=/somewhere/ no-shared no-zlib no-zlib-dynamic no-rc5 no-idea no-ec no-ecdh no-ecdsa no-asm no-mdc2 no-bf no-cast no-md2 no-rc4 no-jpake no-gmp I modified the file openssl/engines/Makefile: - [ -z "$(ENGDIRS)" ] || for i in $(ENGDIRS) ; do \ + [ -z "$(ENGDIRS)" ] || for i in "$(ENGDIRS)" ; do \ You can see the full output here: https://drive.google.com/file/d/0B17xCZmWiYuMV1FVUENJMjJlT0U/ (please note that I'm using "ant" to execute the command to build openssl) Is there something I am missing ? Note: I'm building static libraries Alexandre Klein Tanuki Software, Ltd.
