
Re: incoming TLS sessions failures



On Wed, Mar 26, 2003 at 11:15:52AM +0300, Eugene Crosser wrote:
> I am experiencing problems with incoming TLS sessions, apparently only
> with sessions that originate from universities in Germany.

Hmm...

Reading the code, the most illogical answer is:

    PARAM tls-ccert-vd      99

I do suspect that the code has a test of   (verify_depth >= depth)  the
wrong way around.  It should, possibly, be:  (depth >= verify_depth)

As that is nearly verbatim copy from Postfix code, there too could
be this same problem -- or it has been fixed in there, but not in
ZMailer..

  /Matti Aarnio


> This is excerpt from smtpserver.conf:
> 
> PARAM  use-tls
> ##PARAM listen-ssmtp    # A deprecated TCP/465 port listener for SSL/SMTP
> ##PARAM outlook-tls-bug # Variant of ssmtp
> #
> PARAM  tls-CAfile      $MAILVAR/db/smtpserver-CAcert.pem
> PARAM  tls-cert-file   $MAILVAR/db/smtpserver-cert.pem
> PARAM  tls-key-file    $MAILVAR/db/smtpserver-key.pem
> #  # If system default SSL-session-cache is to be used ?
> #PARAM  tls-use-scache
> #PARAM  tls-scache-timeout 3600 # (cache timeout in seconds)
> #  # Then some futher thoughs that may materialize some time..
> PARAM tls-loglevel      1
> PARAM tls-ccert-vd      1
> PARAM tls-ask-cert      1
> #PARAM tls-require-cert 0
> ##PARAM tls-CApath ... (somewhen: ways to verify client's certificates)
> ##PARAM tls-enforce-tls 1
> 
> My server certificate is signed with local ("unofficial") authority.
> 
> And this is a typical session:
...
> YUZ7E8b0000r    STARTTLS
> YUZ7E8b0000w    220 Ready to start TLS
> YUZ7E8b0000#    SSL_accept:error in SSLv2/v3 read client hello A
> YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000#    Client cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification Authority/Email=certify@pca.dfn.de
> YUZ7E8b0000#    verify error:num=19:self signed certificate in certificate chain
> YUZ7E8b0000#    verify return:0
> YUZ7E8b0000#    SSL3 alert write:fatal:unknown CA
> YUZ7E8b0000#    SSL_accept:error in SSLv3 read client certificate B
> YUZ7E8b0000#    SSL_accept error -1/1
> YUZ7E8b0000#    20255:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1801:
> YUZ7E8b0000#    SSL session removed
> YUZ7E8b0000#    TLS stopping; mode was: OFF
> 
> Is the param combination appropriate to *ask* for client cert, but not
> *enforce* its "verifiability"?  What would be the "right" way to allow
> incoming sessions with unverifiable certificates?
> 
> Eugene

-- 
/Matti Aarnio	<mea@nic.funet.fi>
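Added illustration, not code from ZMailer or Postfix: a pure-C model of the Postfix-style verify callback pattern this thread touches on, where a client certificate is asked for, verification errors inside the depth limit are recorded rather than enforced, and a separate require-cert check decides afterwards. The struct names, the reading of tls-ccert-vd as the deepest chain element allowed, and the three-element chain modelled on the log above are all constructed assumptions.

```c
/* Verify error numbers as OpenSSL reports them (subset). */
#define V_OK                        0
#define V_ERR_SELF_SIGNED_IN_CHAIN 19  /* "self signed certificate in certificate chain" */
#define V_ERR_CHAIN_TOO_LONG       22
/* Constructed stand-in for what OpenSSL hands the callback per chain element;
 * depth 0 is the client's own certificate, higher is further up the chain. */
struct verify_step { int ok; int depth; int error; };
/* Per-session state kept so the policy can be applied after the handshake. */
struct session {
    int verify_depth;   /* assumed meaning of tls-ccert-vd: deepest element allowed */
    int require_cert;   /* tls-require-cert */
    int verify_result;  /* first verify error seen, V_OK if the chain was clean */
};

/* "Ask only" callback: a failing element within the depth limit is recorded
 * and the handshake continues (return 1); one beyond the limit aborts it (0). */
int ask_cert_callback(struct session *s, const struct verify_step *st)
{
    if (st->depth > s->verify_depth) {
        s->verify_result = V_ERR_CHAIN_TOO_LONG;
        return 0;
    }
    if (!st->ok && s->verify_result == V_OK)
        s->verify_result = st->error;   /* remember it, do not enforce here */
    return 1;
}

/* Feed a chain through the callback root-first, as OpenSSL does.
 * Returns 1 if the TLS handshake would proceed, 0 if it would be aborted. */
int run_chain(struct session *s, const struct verify_step *chain, int n)
{
    s->verify_result = V_OK;
    for (int i = 0; i < n; i++)
        if (!ask_cert_callback(s, &chain[i]))
            return 0;
    return 1;
}

/* Enforcement point: only tls-require-cert turns a recorded error into a refusal. */
int accept_session(const struct session *s)
{
    return !s->require_cert || s->verify_result == V_OK;
}

/* Constructed chain modelled on the log: a self-signed root that is not in
 * tls-CAfile at depth 2, then an intermediate and the client certificate. */
const struct verify_step dfn_chain[3] = {
    { 0, 2, V_ERR_SELF_SIGNED_IN_CHAIN }, { 1, 1, V_OK }, { 1, 0, V_OK }
};
```

With tls-ccert-vd 1 the root at depth 2 is beyond the limit and the handshake is aborted; with 99 the error is merely recorded and only tls-require-cert 1 turns it into a refusal.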