
Re: TLS apparently does not work



On Thu, Sep 02, 1999 at 11:14:27PM +0400, Eugene Crosser wrote:
> Looks like in current CVS versions, receiving mail over SSL/TLS is
> broken.  When I start sending mail, it negotiates and then
> 
> 04117XLRW#      verify return:1
> 04117XLRW#      subject=/C=RU/L=/O=/OU=/CN=Eugene Crosser/Email=crosser@online.ru
> 04117XLRW#      issuer=/C=RU/O=Sovam Teleport/CN=Personal Certification Authority/Email=cert@online.ru
> 04117XLRW#      fingerprint=AC_07_CE_02_60_29_ED_D3_B6_0E_A6_DA_37_20_4D_C6
> 04117XLRW#      TLS connection established
> 04117XLRW#      Cipher: RC4-MD5 keybits 128 version TLSv1/SSLv3
> 04117XLRW#      -- pipeline input exists 37 bytes

	Huh?   Hmm..  I don't have a personal certificate myself.
	Which OpenSSL version do you have?

	Could you peek into the running smtpserver and look at what
	the arrived data is in the buffer?

	Just GDB in, ask 'where', and the first module within smtpserver
	should be either Z_read() or s_gets().  At least at s_gets()
	you should see the buffer.

> ... stops here.
> When I cancel sending (i.e. Netscape closes the socket ungracefully),
> this appears:
> 
> 04117XLRW#      SSL3 alert write:fatal:bad record mac
> 04117XLRW#      SSL3 alert read:unknown:unknown
> 04117XLRWr      vb
> 04117XLRWw      500-5.5.2 ^
> 04117XLRWw      500 5.5.2 Illegal input characters: Control chars on SMTP input
> 04117XLRW#      Session closed w/o QUIT
> 04117XLRW#      TLS stopping; mode was: ON
> 
> 2.99.51-patch1 that I have running in production *does* work, so this
> is not a Netscape glitch.

	I am not so sure..  My own Netscape does only 40-bit ciphers,
	and that is what I have tested.

>         (although, in 2.99.51-patch1 authorization
> still does not work for me, apparently because it uses getspnam() instead
> of getpwnam(), and I do not have a replacement function for it...  IMHO
> calling getspnam just to check the password is quite unwise.  Getpwnam
> *does* return the password from the shadow file on the systems that have
> shadow.  Getspnam is only needed if you want password expiration
> attributes etc.)

	Thank you for the clarification.  Thus even on shadowed systems
	I should be able to just ignore  getspnam()  ?

> Eugene

-- 
/Matti Aarnio	<mea@nic.funet.fi>
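Added example, not ZMailer's own code: a small C classifier for the bytes one finds in smtpserver's read buffer when looking at it from GDB as suggested above. It separates the case the "500 5.5.2 Illegal input characters" reply rejects (control characters in an SMTP line) from a buffer that begins with a TLS record header, which would indicate the plaintext reader has consumed bytes that belonged to the TLS layer and matches a "bad record mac" alert on the TLS side. The function names, enum values and sample buffers are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

enum smtp_input_kind {
    SMTP_INPUT_CLEAN = 0,      /* printable ASCII plus CR/LF only */
    SMTP_INPUT_CONTROL_CHARS,  /* what the 500 5.5.2 reply rejects */
    SMTP_INPUT_TLS_RECORD      /* starts like a TLS record header */
};

/* A TLS/SSLv3 record starts with a content type byte (0x14..0x17:
 * change_cipher_spec, alert, handshake, application_data) followed by
 * the protocol version 3.x (0x03 0x00..0x03).  Raw TLS bytes in the
 * SMTP line reader's buffer mean the wrong layer read the socket. */
static int looks_like_tls_record(const unsigned char *buf, size_t len)
{
    return len >= 3 && buf[0] >= 0x14 && buf[0] <= 0x17 &&
           buf[1] == 0x03 && buf[2] <= 0x03;
}

/* Classify a buffer as seen in s_gets(): TLS record bytes first, then
 * the control-character check, otherwise a clean SMTP line. */
enum smtp_input_kind classify_smtp_input(const unsigned char *buf, size_t len)
{
    size_t i;
    if (looks_like_tls_record(buf, len))
        return SMTP_INPUT_TLS_RECORD;
    for (i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\r' || c == '\n')
            continue;               /* line terminators are fine */
        if (c < 0x20 || c == 0x7f || c >= 0x80)
            return SMTP_INPUT_CONTROL_CHARS;
    }
    return SMTP_INPUT_CLEAN;
}

int main(void)
{
    /* Constructed sample: an application_data record header followed by
     * opaque bytes, the kind of thing that prints as "vb" in the log. */
    static const unsigned char stray[] = { 0x17, 0x03, 0x01, 0x00, 0x25, 'v', 'b' };
    static const char *names[] = { "clean", "control chars", "tls record" };
    printf("buffer looks like: %s\n",
           names[classify_smtp_input(stray, sizeof stray)]);
    return 0;
}
```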