
incoming TLS session failures



I am experiencing problems with incoming TLS sessions, apparently only
with sessions that originate from universities in Germany.

This is excerpt from smtpserver.conf:

PARAM  use-tls
##PARAM listen-ssmtp    # A deprecated TCP/465 port listener for SSL/SMTP
##PARAM outlook-tls-bug # Variant of ssmtp
#
PARAM  tls-CAfile      $MAILVAR/db/smtpserver-CAcert.pem
PARAM  tls-cert-file   $MAILVAR/db/smtpserver-cert.pem
PARAM  tls-key-file    $MAILVAR/db/smtpserver-key.pem
#  # If system default SSL-session-cache is to be used ?
#PARAM  tls-use-scache
#PARAM  tls-scache-timeout 3600 # (cache timeout in seconds)
#  # Then some further thoughts that may materialize some time..
PARAM tls-loglevel      1
PARAM tls-ccert-vd      1
PARAM tls-ask-cert      1
#PARAM tls-require-cert 0
##PARAM tls-CApath ... (somewhen: ways to verify client's certificates)
##PARAM tls-enforce-tls 1

My server certificate is signed with a local ("unofficial") authority.

And this is a typical session:

YUZ7E8b0000#    connection from math-s.math.tu-cottbus.de ipcnt 1 childs 29 ident: NO-IDENT-SERVICE[2] whoson: 
YUZ7E8b0000w    220 gnome05.net.rol.ru ZMailer Server 2.99.56-pre3 #24 ESMTP+IDENT ready at Tue, 25 Mar 2003 23:25:59 +0300
YUZ7E8b0000#    remote from [141.43.5.40]:51649
YUZ7E8b0000r    EHLO Math.TU-Cottbus.DE
YUZ7E8b0000w    250-gnome05.net.rol.ru expected "EHLO math-s.math.tu-cottbus.de"
YUZ7E8b0000w    250-SIZE 10000000
YUZ7E8b0000w    250-8BITMIME
YUZ7E8b0000w    250-PIPELINING
YUZ7E8b0000w    250-CHUNKING
YUZ7E8b0000w    250-ENHANCEDSTATUSCODES
YUZ7E8b0000w    250-DSN
YUZ7E8b0000w    250-X-RCPTLIMIT 10000
YUZ7E8b0000w    250-STARTTLS
YUZ7E8b0000w    250-ETRN
YUZ7E8b0000w    250 HELP
YUZ7E8b0000r    STARTTLS
YUZ7E8b0000w    220 Ready to start TLS
YUZ7E8b0000#    SSL_accept:error in SSLv2/v3 read client hello A
YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000#    Client cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification Authority/Email=certify@pca.dfn.de
YUZ7E8b0000#    verify error:num=19:self signed certificate in certificate chain
YUZ7E8b0000#    verify return:0
YUZ7E8b0000#    SSL3 alert write:fatal:unknown CA
YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate B
YUZ7E8b0000#    SSL_accept error -1/1
YUZ7E8b0000#    20255:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1801:
YUZ7E8b0000#    SSL session removed
YUZ7E8b0000#    TLS stopping; mode was: OFF

Is the param combination appropriate to *ask* for a client cert but not
*enforce* its "verifiability"?  What would be the "right" way to allow
incoming sessions with unverifiable certificates?

Eugene
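Added here as an example, not from the original post and not ZMailer's own code: a small Python parser over the smtpserver log layout quoted above that separates handshakes aborted only because the client's certificate chain is not anchored in tls-CAfile from other SSL_accept failures, and reports the top-most DN seen so the operator knows which CA the chain expects. The meaning of the trailing id character ('#' diagnostic, 'w' sent, 'r' read), the two extra sessions and their DNs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the smtpserver log quoted above; sessions
# ZZZ.. and QQQ.. are made up, the num=20 text is OpenSSL's own verify message.
SAMPLE_LOG = """\
YUZ7E8b0000r    STARTTLS
YUZ7E8b0000#    Client cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification Authority/Email=certify@pca.dfn.de
YUZ7E8b0000#    verify error:num=19:self signed certificate in certificate chain
YUZ7E8b0000#    SSL3 alert write:fatal:unknown CA
YUZ7E8b0000#    SSL_accept error -1/1
ZZZ0000001#    Client cert verify depth=0 /C=XX/O=Example/CN=mail.example.test
ZZZ0000001#    verify error:num=20:unable to get local issuer certificate
ZZZ0000001#    SSL3 alert write:fatal:unknown CA
ZZZ0000001#    SSL_accept error -1/1
QQQ0000002#    SSL_accept error -1/1
"""

LINE_RE = re.compile(r"^(?P<sid>[A-Za-z0-9]+)(?P<kind>[#wr])\s+(?P<text>.*)$")
CHAIN_RE = re.compile(r"^Client cert verify depth=(?P<depth>\d+) (?P<dn>/.*)$")
VERIFY_RE = re.compile(r"^verify error:num=(?P<num>\d+):(?P<msg>.*)$")
ALERT_RE = re.compile(r"^SSL3 alert write:fatal:(?P<alert>.*)$")
UNANCHORED = {19, 20}  # OpenSSL X509 verify codes: chain not rooted in our CA file

def summarize_sessions(log_text):
    """Per session id: chain entries seen, verify errors, fatal alert sent, accept failure."""
    sessions = defaultdict(lambda: {"chain": [], "errors": [], "alert": None, "failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "#":   # only the server's diagnostic lines matter here
            continue
        s, text = sessions[m["sid"]], m["text"]
        if c := CHAIN_RE.match(text):
            s["chain"].append((int(c["depth"]), c["dn"]))
        elif v := VERIFY_RE.match(text):
            s["errors"].append((int(v["num"]), v["msg"]))
        elif a := ALERT_RE.match(text):
            s["alert"] = a["alert"]
        elif text.startswith("SSL_accept error"):
            s["failed"] = True
    return dict(sessions)

def unknown_ca_failures(log_text):
    """{session id: deepest DN seen} for handshakes we aborted only because the
    client's chain is unverifiable, i.e. cert was asked for and then enforced."""
    out = {}
    for sid, s in summarize_sessions(log_text).items():
        if s["failed"] and s["alert"] == "unknown CA" and any(n in UNANCHORED for n, _ in s["errors"]):
            out[sid] = max(s["chain"])[1] if s["chain"] else None
    return out
```

Feeding a real smtpserver log through unknown_ca_failures() tells you which failures would disappear by either adding the listed CA to tls-CAfile or by no longer enforcing verification, as opposed to failures with some other cause.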
