incoming TLS sessions failures
I am experiencing problems with incoming TLS sessions, apparently only
with sessions that originate from universities in Germany.
This is an excerpt from smtpserver.conf:
PARAM use-tls
##PARAM listen-ssmtp # A deprecated TCP/465 port listener for SSL/SMTP
##PARAM outlook-tls-bug # Variant of ssmtp
#
PARAM tls-CAfile $MAILVAR/db/smtpserver-CAcert.pem
PARAM tls-cert-file $MAILVAR/db/smtpserver-cert.pem
PARAM tls-key-file $MAILVAR/db/smtpserver-key.pem
# # If system default SSL-session-cache is to be used ?
#PARAM tls-use-scache
#PARAM tls-scache-timeout 3600 # (cache timeout in seconds)
# # Then some futher thoughs that may materialize some time..
PARAM tls-loglevel 1
PARAM tls-ccert-vd 1
PARAM tls-ask-cert 1
#PARAM tls-require-cert 0
##PARAM tls-CApath ... (somewhen: ways to verify client's certificates)
##PARAM tls-enforce-tls 1
My server certificate is signed by a local ("unofficial") authority.
And this is a typical session:
YUZ7E8b0000# connection from math-s.math.tu-cottbus.de ipcnt 1 childs 29 ident: NO-IDENT-SERVICE[2] whoson:
YUZ7E8b0000w 220 gnome05.net.rol.ru ZMailer Server 2.99.56-pre3 #24 ESMTP+IDENT ready at Tue, 25 Mar 2003 23:25:59 +0300
YUZ7E8b0000# remote from [141.43.5.40]:51649
YUZ7E8b0000r EHLO Math.TU-Cottbus.DE
YUZ7E8b0000w 250-gnome05.net.rol.ru expected "EHLO math-s.math.tu-cottbus.de"
YUZ7E8b0000w 250-SIZE 10000000
YUZ7E8b0000w 250-8BITMIME
YUZ7E8b0000w 250-PIPELINING
YUZ7E8b0000w 250-CHUNKING
YUZ7E8b0000w 250-ENHANCEDSTATUSCODES
YUZ7E8b0000w 250-DSN
YUZ7E8b0000w 250-X-RCPTLIMIT 10000
YUZ7E8b0000w 250-STARTTLS
YUZ7E8b0000w 250-ETRN
YUZ7E8b0000w 250 HELP
YUZ7E8b0000r STARTTLS
YUZ7E8b0000w 220 Ready to start TLS
YUZ7E8b0000# SSL_accept:error in SSLv2/v3 read client hello A
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000# Client cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification Authority/Email=certify@pca.dfn.de
YUZ7E8b0000# verify error:num=19:self signed certificate in certificate chain
YUZ7E8b0000# verify return:0
YUZ7E8b0000# SSL3 alert write:fatal:unknown CA
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate B
YUZ7E8b0000# SSL_accept error -1/1
YUZ7E8b0000# 20255:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1801:
YUZ7E8b0000# SSL session removed
YUZ7E8b0000# TLS stopping; mode was: OFF
Is the param combination appropriate to *ask* for a client cert but not
*enforce* its "verifiability"? What would be the "right" way to allow
incoming sessions with unverifiable certificates?
Eugene
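The log in the message above already contains the diagnosis: the client presented a three-level chain whose top certificate (depth=2, the DFN top-level CA) is self-signed and is not in the server's tls-CAfile, OpenSSL reports that as verify error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), and because the verify result is enforced the server answers with the fatal "unknown CA" alert and tears the session down. The following is an added example, not code from the post or from ZMailer: a small Python triage script that re-joins smtpserver log records wrapped at 80 columns, groups them by session id, and classifies each TLS outcome from the OpenSSL verify error numbers. The error-number table is taken from OpenSSL's x509_vfy.h; the sample log is constructed, modelled on the format shown in the post, and the second and third sessions are invented to show other outcomes.

```python
import re
from collections import defaultdict

# OpenSSL X509 verify result codes (x509_vfy.h) as they appear in
# "verify error:num=N" lines. Only the codes relevant to chain trust
# and validity are listed here.
X509_VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    7: "certificate signature failure",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate (depth 0)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    27: "certificate not trusted",
}
# Codes that mean "the chain is intact, but its root is not in tls-CAfile".
UNTRUSTED_ROOT = {2, 18, 19, 20, 21, 27}
# Codes that mean "the chain is trusted, but a certificate is outside its validity period".
VALIDITY = {9, 10}

# Constructed sample (not the post's log verbatim). Session YUZ7E8b0000 mirrors
# the failing handshake above, including two 80-column line wraps.
SAMPLE_LOG = """\
YUZ7E8b0000# connection from math-s.math.tu-cottbus.de ipcnt 1 childs 29 ide
nt: NO-IDENT-SERVICE[2] whoson:
YUZ7E8b0000r EHLO Math.TU-Cottbus.DE
YUZ7E8b0000w 250-STARTTLS
YUZ7E8b0000r STARTTLS
YUZ7E8b0000w 220 Ready to start TLS
YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
YUZ7E8b0000# Client cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=
DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification Authority/Email=certify@
pca.dfn.de
YUZ7E8b0000# verify error:num=19:self signed certificate in certificate chai
n
YUZ7E8b0000# verify return:0
YUZ7E8b0000# SSL3 alert write:fatal:unknown CA
YUZ7E8b0000# SSL_accept error -1/1
YUZ7E8b0000# TLS stopping; mode was: OFF
ZZZ7E8b0001r STARTTLS
ZZZ7E8b0001w 220 Ready to start TLS
ZZZ7E8b0001# Client cert verify depth=0 /C=XX/O=Example/CN=expired.example
ZZZ7E8b0001# verify error:num=10:certificate has expired
ZZZ7E8b0001# SSL3 alert write:fatal:certificate expired
ZZZ7E8b0001# SSL_accept error -1/1
QQQ7E8b0002r STARTTLS
QQQ7E8b0002w 220 Ready to start TLS
QQQ7E8b0002# Client cert verify depth=0 /C=XX/O=Example/CN=ok.example
QQQ7E8b0002# verify return:1
"""

# A record starts with an 11-character session id followed by '#' (diagnostic),
# 'r' (read from client) or 'w' (written to client).
LINE_RE = re.compile(r"^(?P<sid>[A-Za-z0-9]{11})(?P<kind>[#rw]) ?(?P<text>.*)$")
DEPTH_RE = re.compile(r"Client cert verify depth=(?P<depth>\d+) (?P<dn>.*)")
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):")
ALERT_RE = re.compile(r"SSL3 alert write:fatal:(?P<alert>.*)")


def unwrap(lines):
    """Re-join records wrapped at 80 columns: a physical line that does not
    start with <session-id><#|r|w> continues the previous record and is
    appended with no separator, since the wrap may have split a word."""
    records = []
    for line in lines:
        if LINE_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse_sessions(log_text):
    """Group records by session id and collect the TLS-relevant events."""
    sessions = defaultdict(lambda: {"starttls": False, "peer_chain": [],
                                    "verify_errors": [], "alert": None,
                                    "tls_failed": False})
    for record in unwrap(log_text.splitlines()):
        m = LINE_RE.match(record)
        if not m:
            continue
        s, kind, text = sessions[m["sid"]], m["kind"], m["text"]
        if kind == "r" and text.strip().upper() == "STARTTLS":
            s["starttls"] = True
        elif kind == "#":
            if (d := DEPTH_RE.search(text)):
                s["peer_chain"].append((int(d["depth"]), d["dn"]))
            elif (v := VERIFY_RE.search(text)):
                s["verify_errors"].append(int(v["num"]))
            elif (a := ALERT_RE.search(text)):
                s["alert"] = a["alert"].strip()
            elif text.startswith("SSL_accept error"):   # the fatal one, not "SSL_accept:error in ..."
                s["tls_failed"] = True
    return dict(sessions)


def diagnose(session):
    """Return (category, explanation) for one session's TLS outcome."""
    if not session["starttls"]:
        return ("no_tls", "client never issued STARTTLS")
    errs = session["verify_errors"]
    if not session["tls_failed"] and not errs:
        return ("ok", "handshake completed without verify errors")
    names = ", ".join(f"{e} ({X509_VERIFY_ERRORS.get(e, 'unknown')})" for e in errs)
    top = max(session["peer_chain"], default=None)   # highest depth = root end of the chain
    if errs and all(e in UNTRUSTED_ROOT for e in errs):
        root = top[1] if top else "<unknown>"
        return ("untrusted_root",
                f"chain root {root!r} is not in tls-CAfile: verify error {names}; "
                f"server sent fatal alert {session['alert']!r}. Add that root CA to "
                "tls-CAfile, or stop enforcing the verify result for incoming sessions.")
    if errs and all(e in VALIDITY for e in errs):
        return ("cert_validity", f"client certificate outside validity period: {names}")
    return ("other", f"handshake failed; verify errors {names or 'none'}, alert {session['alert']!r}")


if __name__ == "__main__":
    for sid, sess in parse_sessions(SAMPLE_LOG).items():
        print(sid, *diagnose(sess))
```

Run on the sample, the post's session comes out as untrusted_root with the DFN top-level CA named as the missing trust anchor, which separates it from the invented expired-certificate session and from a session whose client certificate verified cleanly. In practice the first category is the one to watch for a client-CA rollout: it means the peer did present a certificate and the only thing missing on the server side is the issuing CA in tls-CAfile (or a decision not to enforce the verify result).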