Re: TLS apparently does not work
On Thu, Sep 02, 1999 at 11:14:27PM +0400, Eugene Crosser wrote:
> Looks like in current CVS versions, receiving mail over SSL/TLS is
> broken. When I start sending mail, it negotiates and then
>
> 04117XLRW# verify return:1
> 04117XLRW# subject=/C=RU/L=/O=/OU=/CN=Eugene Crosser/Email=crosser@online.ru
> 04117XLRW# issuer=/C=RU/O=Sovam Teleport/CN=Personal Certification Authority/Email=cert@online.ru
> 04117XLRW# fingerprint=AC_07_CE_02_60_29_ED_D3_B6_0E_A6_DA_37_20_4D_C6
> 04117XLRW# TLS connection established
> 04117XLRW# Cipher: RC4-MD5 keybits 128 version TLSv1/SSLv3
> 04117XLRW# -- pipeline input exists 37 bytes
Huh? Hmm... I don't have a personal certificate myself.
Which OpenSSL version do you have?
Could you peek into the running smtpserver and look at what the
arrived data is in the buffer?
Just GDB in, ask 'where', and the first module within smtpserver
should be either Z_read() or s_gets(). At least at s_gets(),
you should see the buffer.
> ... stops here.
> When I cancel sending (i.e. Netscape closes the socket ungracefully),
> this appears:
>
> 04117XLRW# SSL3 alert write:fatal:bad record mac
> 04117XLRW# SSL3 alert read:unknown:unknown
> 04117XLRWr vb
> 04117XLRWw 500-5.5.2 ^
> 04117XLRWw 500 5.5.2 Illegal input characters: Control chars on SMTP input
> 04117XLRW# Session closed w/o QUIT
> 04117XLRW# TLS stopping; mode was: ON
>
> 2.99.51-patch1 that I have running in production *does* work, so this
> is not a Netscape glitch.
I am not so sure... My own Netscape does only 40-bit ciphers,
and that is what I have tested.
> (although, in 2.99.51-patch1 authorization
> still does not work for me, apparently because it uses getspnam() instead
> of getpwnam(), and I do not have a replacement function for it... IMHO
> calling getspnam just to check the password is quite unwise. Getpwnam
> *does* return the password from the shadow file on the systems that have
> shadow. Getspnam is only needed if you want password expiration
> attributes etc.)
Thank you for the clarification. Thus even on shadowy systems
I should be able to just ignore getspnam()?
> Eugene
--
/Matti Aarnio <mea@nic.funet.fi>
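The getpwnam()/getspnam() question above, as an added example that is not ZMailer code: a lookup that takes the plain getpwnam() path and consults getspnam() only when the passwd field is a shadow placeholder. It assumes a Linux/Solaris-style shadow.h; need_shadow_lookup() and lookup_password_hash() are names chosen here.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__) || defined(__sun)
#include <shadow.h>          /* getspnam(): assumed available on Linux/Solaris */
#define HAVE_GETSPNAM 1
#endif

/* Return 1 when pw_passwd cannot be used directly as a hash: "x" is the
 * shadow placeholder on Linux/Solaris, and "*" or "!" conventionally mark
 * a locked or shadowed entry. An empty field is treated the same way so
 * that an empty hash is never matched against anything. */
int need_shadow_lookup(const char *pw_passwd)
{
    if (pw_passwd == NULL || pw_passwd[0] == '\0')
        return 1;
    return strcmp(pw_passwd, "x") == 0
        || pw_passwd[0] == '*' || pw_passwd[0] == '!';
}

/* Copy the crypt(3)-style hash for `user` into buf. getpwnam() is tried
 * first; getspnam() is used only when the passwd field is a placeholder,
 * so non-shadow systems never touch the shadow API at all.
 * Returns 0 on success, -1 if no usable hash is available (unknown user,
 * locked account, or no privilege to read the shadow file: EACCES). */
int lookup_password_hash(const char *user, char *buf, size_t len)
{
    struct passwd *pw = getpwnam(user);
    const char *hash;
    if (pw == NULL)
        return -1;
    hash = pw->pw_passwd;
#ifdef HAVE_GETSPNAM
    if (need_shadow_lookup(hash)) {
        struct spwd *sp;
        errno = 0;
        sp = getspnam(user);
        if (sp == NULL) {
            if (errno == EACCES)
                fprintf(stderr, "shadow lookup needs privilege for %s\n", user);
            return -1;
        }
        hash = sp->sp_pwdp;
    }
#endif
    if (need_shadow_lookup(hash))   /* still a placeholder: locked/unusable */
        return -1;
    if (strlen(hash) >= len)
        return -1;
    strcpy(buf, hash);
    return 0;
}
```

The returned hash is what a crypt(3) comparison of the submitted password would be checked against; an unprivileged smtpserver will see EACCES on the shadow step, which is the operational cost of the getspnam() path the thread discusses.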