Re: Verisign Problem with smtp tls
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote: There's your problem! This server (likely Exchange 2003) has a broken implementation of 3DES CBC padding (search Postfix users archives for my posts on the subject), and your cipher list is either long enough to cause it to not see RC4-SHA and RC4-MD5 or you've disabled RC4 (directly, or by only enabling HIGH grade ciphers). Exchange 2003 servers can't do better than RC4-SHA. Thanks very much for your help Viktor. I was able to specify the RC4-MD5 cipher and it works. I am using Qmail with the John Simpson patch set by the way. There is a control file (tlsclientcipher) which John had not documented but is there. After some discussion with another qmail user, he told me about it and sure enough it works. Any suggestions for what ciphers to put in the list besides RC4-MD5? -- Bob Wooldridge Blog: http://kc0dxf.net/blog
Re: Verisign Problem with smtp tls
On 12/28/2013 12:51 PM, Viktor Dukhovni wrote: Does this modify the ciphers used for all connections, or just for the server in question? All connections. Any suggestions for what ciphers to put in the list besides RC4-MD5? If you read my previous responses on this thread, you'll notice I recommended: aRSA+AES128+kEECDH:aRSA+AES128+kEDH:aRSA+AES128+kRSA:RC4-SHA:@STRENGTH as a compact OpenSSL cipherlist that inter-operates with Exchange and yet yields AES with forward-secrecy whenever possible. If you're not authenticating the SMTP server (almost nobody is), you can allow both anonymous and ECDSA ciphers without bloating the list too much: aNULL:-aNULL:AES128+kEECDH:AES128+kEDH:AES128+kRSA:RC4-SHA this prefers aNULL, since you don't check the certs anyway. Good point, thanks for these suggestions. I will try both and see how it goes. -- Bob Wooldridge Blog: http://kc0dxf.net/blog
Verisign Problem with smtp tls
I recently upgraded my companies' mail server to 64 Debian Wheezy. I am using the Openssl package which is version 1.0.1e-2. I am having problems when trying to send a message to one of our business partners. The SMTP session appears to shut down and it appears that my server is rejecting their certificate. Here is the openssl command I am giving to diagnose the problem and it's output. Can anyone suggest a solution? It appears to me that I may be lacking an intermediary certificate. How do I fix this if this is the case? openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp -connect mail.thelawrencegroup.com:25 CONNECTED(0003) depth=1 C = US, O = VeriSign, Inc., OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)05, CN = VeriSign Class 3 Secure Server CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -BEGIN CERTIFICATE- MIIFRTCCBC2gAwIBAgIQN9yAwL+UVDUkrxwUKIvOGTANBgkqhkiG9w0BAQUFADCB sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA1MTIxNTAwMDAw MFoXDTA4MTIyMTIzNTk1OVowgbkxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaXNz b3VyaTEUMBIGA1UEBxQLU2FpbnQgTG91aXMxGzAZBgNVBAoUElRoZSBMYXdyZW5j ZSBHcm91cDELMAkGA1UECxQCSVQxMzAxBgNVBAsUKlRlcm1zIG9mIHVzZSBhdCB3 d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEiMCAGA1UEAxQZbWFpbC50aGVsYXdy ZW5jZWdyb3VwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsHXWtCB1 OyKpgnuBF+Yis9msWrTOboMO50vYVPndtW1ILmY7hGy5glCLV6W2hu0ReUfTJHNd jV4m4a9pGu8nNEYajQALQuMB/9FwNmV24ZksQ/GkFyGKywvcsDNUrP1bsX+DmISW Jzc5sNRkw9JO7tuZ9Hs0KRSmxCS5Ozm/SGcCAwEAAaOCAdIwggHOMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgWgMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9TVlJTZWN1 cmUtY3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LmNybDBEBgNVHSAEPTA7 MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlz aWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1Ud IwQYMBaAFG/sr6DdiqTv9SoQZy0/VYK81+8lMHkGCCsGAQUFBwEBBG0wazAkBggr BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEMGCCsGAQUFBzAChjdo dHRwOi8vU1ZSU2VjdXJlLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlMjAwNS1h aWEuY2VyMG0GCCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8w BwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZl cmlzaWduLmNvbS92c2xvZ28uZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQBAdNBhhrjm oVuYe5z7aHCBWB6Y3bl0UwIeuNNRCjwtbIBcFO1UPchr8NBuX8DI4Bw/Ek3PhQQL b/3IUFFn7uXfs8jO3R3NJUzMo1jDajhzBV9dE0aOuvYzuHdqws/rUm0uOUAmR1ob 50rZ/kTcCGemrvrzwf/bxLP2fbcAlaqHhvyxbsUPrX4cAc1DdqPTdMUxKSCYSBSq WiamaopkD5I5dv/116qF1VVyGtKYduZ+7cC/EPwvnFYJa8P/LhKbnA2xkVMf2pHE OJOSu//PAPLg/bOxHCh8Yurgyxgv5Dn1UtgTep5RSmrYac+EV3akkOuwzBPl2h8c dbImJ5QeqOFu -END CERTIFICATE- subject=/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA --- No client certificate CA names sent --- SSL handshake has read 3180 bytes and written 545 bytes --- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 1024 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: DES-CBC3-SHA Session-ID: 4B17CCB1A39FEAE5E1682BE3F44E70362A2247CD6F6F9E0195D64323602C Session-ID-ctx: Master-Key: 4F89ADCC6069F833996E892E09D270497A36FAF8B26C8F246130D35FC431BA56C11EC2793ABFDECCC6342B583C311A92 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1388170612 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- 250 OK -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On 12/27/2013 01:29 PM, Viktor Dukhovni wrote: On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: I recently upgraded my companies' mail server to 64 Debian Wheezy. I am using the Openssl package which is version 1.0.1e-2. I am having problems when trying to send a message to one of our business partners. The SMTP session appears to shut down and it appears that my server is rejecting their certificate. Here is the openssl command I am giving to diagnose the problem and it's output. Can anyone suggest a solution? It appears to me that I may be lacking an intermediary certificate. How do I fix this if this is the case? openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp -connect mail.thelawrencegroup.com:25 The posttls-finger(1) utility, included with Postfix 2.11 snapshot source code, does a much better job of mail server TLS diagnostics. Their certificate is expired. Your MTA really ought to log the error reason. Consider a better MTA! :-) I don't see anywhere that it says expired other than this utility. How can I verify that it is really expired? These guys do business with lots of other people but have not noticed anything except with us. The openssl error code 20 indicates an improper intermediate CA from what I can find. Also using this site indicates no problem: http://www.checktls.com/testreceiver.html Is there another way to verify the expiration? $ posttls-finger [mail.thelawrencegroup.com] posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25 posttls-finger: 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600 posttls-finger: EHLO amnesiac.example posttls-finger: 250-mail.thelawrencegroup.com Hello [192.0.2.1] posttls-finger: 250-TURN posttls-finger: 250-SIZE posttls-finger: 250-ETRN posttls-finger: 250-PIPELINING posttls-finger: 250-DSN posttls-finger: 250-ENHANCEDSTATUSCODES posttls-finger: 250-8bitmime posttls-finger: 250-BINARYMIME posttls-finger: 250-CHUNKING posttls-finger: 250-VRFY posttls-finger: 250-TLS posttls-finger: 250-STARTTLS posttls-finger: 250-X-EXPS GSSAPI NTLM LOGIN posttls-finger: 250-X-EXPS=LOGIN posttls-finger: 250-AUTH GSSAPI NTLM LOGIN posttls-finger: 250-AUTH=LOGIN posttls-finger: 250-X-LINK2STATE posttls-finger: 250-XEXCH50 posttls-finger: 250 OK posttls-finger: STARTTLS posttls-finger: 220 2.0.0 SMTP server ready posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched CommonName mail.thelawrencegroup.com posttls-finger: server certificate verification failed for mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D posttls-finger: Untrusted TLS connection established to mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 (128/128 bits) posttls-finger: EHLO amnesiac.example posttls-finger: 250-mail.thelawrencegroup.com Hello [192.0.2.1] posttls-finger: 250-TURN posttls-finger: 250-SIZE posttls-finger: 250-ETRN posttls-finger: 250-PIPELINING posttls-finger: 250-DSN posttls-finger: 250-ENHANCEDSTATUSCODES posttls-finger: 250-8bitmime posttls-finger: 250-BINARYMIME posttls-finger: 250-CHUNKING posttls-finger: 250-VRFY posttls-finger: 250-X-EXPS GSSAPI NTLM LOGIN posttls-finger: 250-X-EXPS=LOGIN posttls-finger: 250-AUTH GSSAPI NTLM LOGIN posttls-finger: 250-AUTH=LOGIN posttls-finger: 250-X-LINK2STATE posttls-finger: 250-XEXCH50 posttls-finger: 250 OK posttls-finger: QUIT posttls-finger: 221 2.0.0 mail.thelawrencegroup.com Service closing transmission channel -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On 12/27/2013 01:53 PM, andrew cooke wrote: i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in some file Ok, that's good. Thanks. sorry if i'm jumping into something i've misunderstood, andrew -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On 12/27/2013 01:54 PM, andrew cooke wrote: On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote: i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in some file openssl x509 -text -in some file Yes, thanks Andrew, I got it. I see that it is expired. I am still a bit baffled. I upgraded my mail server just a couple of weeks ago from Debian Squeeze. Everything was fine before then. Is there a different check involved in the latest openssl? -- Bob Wooldridge bob...@kc0dxf.net Blog: http://kc0dxf.net/blog/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verisign Problem with smtp tls
On 12/27/2013 02:22 PM, Viktor Dukhovni wrote: You're posting to the wrong forum. The problem is not OpenSSL, rather you have an updated release of your MTA. (Is it Exim or Postfix? Go to the corresponding mailing list). OpenSSL performs whatever certificate verification your MTA asks for. Perhaps your Debian software upgrade modified your MTA configuration, or your new MTA is not backwards compatible in its TLS support (this would rule out Postfix, which is). Here is output from the swaks command line tool. You can see at the end that it is the remote server which is closing the connection and not my MTA: swaks -tls --from r...@edm-inc.com --to nosuchu...@thelawrencegroup.com --server mail.thelawrencegroup.com === Trying mail.thelawrencegroup.com:25... === Connected to mail.thelawrencegroup.com. - 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 15:22:54 -0600 - EHLO mail.edm-inc.com - 250-mail.thelawrencegroup.com Hello [68.143.19.38] - 250-TURN - 250-SIZE - 250-ETRN - 250-PIPELINING - 250-DSN - 250-ENHANCEDSTATUSCODES - 250-8bitmime - 250-BINARYMIME - 250-CHUNKING - 250-VRFY - 250-TLS - 250-STARTTLS - 250-X-EXPS GSSAPI NTLM LOGIN - 250-X-EXPS=LOGIN - 250-AUTH GSSAPI NTLM LOGIN - 250-AUTH=LOGIN - 250-X-LINK2STATE - 250-XEXCH50 - 250 OK - STARTTLS - 220 2.0.0 SMTP server ready === TLS started w/ cipher DES-CBC3-SHA === TLS peer subject DN=/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com ~ EHLO mail.edm-inc.com ~ 250-mail.thelawrencegroup.com Hello [68.143.19.38] ~ 250-TURN ~ 250-SIZE ~ 250-ETRN ~ 250-PIPELINING ~ 250-DSN ~ 250-ENHANCEDSTATUSCODES ~ 250-8bitmime ~ 250-BINARYMIME ~ 250-CHUNKING ~ 250-VRFY ~ 250-X-EXPS GSSAPI NTLM LOGIN ~ 250-X-EXPS=LOGIN ~ 250-AUTH GSSAPI NTLM LOGIN ~ 250-AUTH=LOGIN ~ 250-X-LINK2STATE ~ 250-XEXCH50 ~ 250 OK ~ MAIL FROM:r...@edm-inc.com *** Remote host closed connection unexpectedly. -- Bob Wooldridge Blog: http://kc0dxf.net/blog
Re: Verisign Problem with smtp tls
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote: On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: === TLS started w/ cipher DES-CBC3-SHA === TLS peer subject DN=/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegroup.com There's your problem! This server (likely Exchange 2003) has a broken implementation of 3DES CBC padding (search Postfix users archives for my posts on the subject), and your cipher list is either long enough to cause it to not see RC4-SHA and RC4-MD5 or you've disabled RC4 (directly, or by only enabling HIGH grade ciphers). Does Micro$oft have a fix for this? -- Bob Wooldridge Blog: http://kc0dxf.net/blog