Re: Verisign Problem with smtp tls

2013-12-27 Thread Viktor Dukhovni
On Fri, Dec 27, 2013 at 04:11:40PM -0600, Bobber wrote: > > > TLS started w/ cipher DES-CBC3-SHA > > > >There's your problem! This server (likely Exchange 2003) has a > >broken implementation of 3DES CBC padding (search Postfix users > >archives for my posts on the subject), and your cipher list

Re: Verisign Problem with smtp tls

2013-12-27 Thread Viktor Dukhovni
On Fri, Dec 27, 2013 at 09:39:52PM +, Viktor Dukhovni wrote: > On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: > > > >=== TLS started w/ cipher DES-CBC3-SHA > > >=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The > > >Lawrence Group/OU=IT/OU=Terms of use at www.verisign.co

Re: Verisign Problem with smtp tls

2013-12-27 Thread Bobber
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote: On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: === TLS started w/ cipher DES-CBC3-SHA === TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=mail.thelawrencegrou

Re: Verisign Problem with smtp tls

2013-12-27 Thread Viktor Dukhovni
On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote: > >=== TLS started w/ cipher DES-CBC3-SHA > >=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The > >Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa > >(c)05/CN=mail.thelawrencegroup.com" There's your problem! This se

Re: Verisign Problem with smtp tls

2013-12-27 Thread Bobber
On 12/27/2013 02:22 PM, Viktor Dukhovni wrote: You're posting to the wrong forum. The problem is not OpenSSL, rather you have an updated release of your MTA. (Is it Exim or Postfix? Go to the corresponding mailing list). OpenSSL performs whatever certificate verification your MTA asks for. Per

Re: Verisign Problem with smtp tls

2013-12-27 Thread Viktor Dukhovni
On Fri, Dec 27, 2013 at 02:07:56PM -0600, Bobber wrote: > Yes, thanks Andrew, I got it. I see that it is expired. I am still a > bit baffled. I upgraded my mail server just a couple of weeks ago > from Debian Squeeze. Everything was fine before then. Is there a > different check involved in the la

Re: Verisign Problem with smtp tls

2013-12-27 Thread Viktor Dukhovni
On Fri, Dec 27, 2013 at 02:54:55PM -0500, Patrick Patterson wrote: > Why does no-one else notice? Probably because you've got your > server set to actually validate TLS certs, as opposed to most of > the world that doesn't. :) With SMTP, PKIX certificate verification is pointless without explicit

Re: Verisign Problem with smtp tls

2013-12-27 Thread Robert W Weaver
Bobber wrote on 12/27/2013 02:47:47 PM: > I don't see anywhere that it says expired other than this utility. How > can I verify that it is really expired? In case you don't trust your openssl install, here is an easy approach using Windows: 1. Select everything between -BEGIN CERTIFICATE---

Re: Verisign Problem with smtp tls

2013-12-27 Thread Bobber
On 12/27/2013 01:54 PM, andrew cooke wrote: On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote: i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in openssl

Re: Verisign Problem with smtp tls

2013-12-27 Thread Patrick Patterson
Hey there... On 2013-12-27, at 2:47 PM, Bobber wrote: > > On 12/27/2013 01:29 PM, Viktor Dukhovni wrote: >> On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: >> >>> I recently upgraded my company's mail server to 64 Debian Wheezy. I >>> am using the OpenSSL package which is version 1.0.

Re: Verisign Problem with smtp tls

2013-12-27 Thread Bobber
On 12/27/2013 01:53 PM, andrew cooke wrote: i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in Ok, that's good. Thanks. sorry if i'm jumping into something i've misund

Re: Verisign Problem with smtp tls

2013-12-27 Thread andrew cooke
On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote: > > i am not following this in any detail, but if you look at the certificate you > included in your original email it expired in 2008. just look at it with > >openssl -text -in openssl x509 -text -in > sorry if i'm jump

Re: Verisign Problem with smtp tls

2013-12-27 Thread andrew cooke
i am not following this in any detail, but if you look at the certificate you included in your original email it expired in 2008. just look at it with openssl -text -in sorry if i'm jumping into something i've misunderstood, andrew On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote:

Re: Verisign Problem with smtp tls

2013-12-27 Thread Bobber
On 12/27/2013 01:29 PM, Viktor Dukhovni wrote: On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: I recently upgraded my company's mail server to 64 Debian Wheezy. I am using the OpenSSL package which is version 1.0.1e-2. I am having problems when trying to send a message to one of our

Re: Verisign Problem with smtp tls

2013-12-27 Thread Viktor Dukhovni
On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote: > I recently upgraded my company's mail server to 64 Debian Wheezy. I > am using the OpenSSL package which is version 1.0.1e-2. > > I am having problems when trying to send a message to one of our > business partners. The SMTP session appe

Re: HPUX build test fails

2013-12-27 Thread Dr. Stephen Henson
On Fri, Dec 27, 2013, Alexandre Klein wrote: > Hey, > > When I'm building openssl 1.0.1e (32-bit) on HPUX (11.11), it failed here: > enveloped content test streaming S/MIME format, 3 recipients, key only > used: verify error > > Looks like it is from the file openssl/test/cms-test.pl > > > I'm

Verisign Problem with smtp tls

2013-12-27 Thread Bobber
I recently upgraded my company's mail server to 64 Debian Wheezy. I am using the OpenSSL package which is version 1.0.1e-2. I am having problems when trying to send a message to one of our business partners. The SMTP session appears to shut down and it appears that my server is rejecting the

HPUX build test fails

2013-12-27 Thread Alexandre Klein
Hey, When I'm building openssl 1.0.1e (32-bit) on HPUX (11.11), it failed here: enveloped content test streaming S/MIME format, 3 recipients, key only used: verify error Looks like it is from the file openssl/test/cms-test.pl I'm doing: Configure hpux-parisc2-cc --prefix=/somewhere/ no-shared n