Re: incoming TLS sessions failures
On Wed, Mar 26, 2003 at 11:15:52AM +0300, Eugene Crosser wrote:
> I am experiencing problems with incoming TLS sessions, apparently only
> with sessions that originate from universities in Germany.
Hmm...
Reading the code, the most illogical answer is:
PARAM tls-ccert-vd 99
I do suspect that the code has the test (verify_depth >= depth) the
wrong way around. It should, possibly, be: (depth >= verify_depth)
As that is a nearly verbatim copy of Postfix code, the same problem
could be there too -- or it has been fixed there, but not in
ZMailer..
/Matti Aarnio
> This is excerpt from smtpserver.conf:
>
> PARAM use-tls
> ##PARAM listen-ssmtp # A deprecated TCP/465 port listener for SSL/SMTP
> ##PARAM outlook-tls-bug # Variant of ssmtp
> #
> PARAM tls-CAfile $MAILVAR/db/smtpserver-CAcert.pem
> PARAM tls-cert-file $MAILVAR/db/smtpserver-cert.pem
> PARAM tls-key-file $MAILVAR/db/smtpserver-key.pem
> # # If system default SSL-session-cache is to be used ?
> #PARAM tls-use-scache
> #PARAM tls-scache-timeout 3600 # (cache timeout in seconds)
> # # Then some further thoughts that may materialize some time..
> PARAM tls-loglevel 1
> PARAM tls-ccert-vd 1
> PARAM tls-ask-cert 1
> #PARAM tls-require-cert 0
> ##PARAM tls-CApath ... (somewhen: ways to verify client's certificates)
> ##PARAM tls-enforce-tls 1
>
> My server certificate is signed with a local ("unofficial") authority.
>
> And this is a typical session:
...
> YUZ7E8b0000r STARTTLS
> YUZ7E8b0000w 220 Ready to start TLS
> YUZ7E8b0000# SSL_accept:error in SSLv2/v3 read client hello A
> YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate A
> YUZ7E8b0000# Client cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification Authority/Email=certify@pca.dfn.de
> YUZ7E8b0000# verify error:num=19:self signed certificate in certificate chain
> YUZ7E8b0000# verify return:0
> YUZ7E8b0000# SSL3 alert write:fatal:unknown CA
> YUZ7E8b0000# SSL_accept:error in SSLv3 read client certificate B
> YUZ7E8b0000# SSL_accept error -1/1
> YUZ7E8b0000# 20255:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1801:
> YUZ7E8b0000# SSL session removed
> YUZ7E8b0000# TLS stopping; mode was: OFF
>
> Is the param combination appropriate to *ask* for a client cert, but not
> *enforce* its "verifiability"? What would be the "right" way to allow
> incoming sessions with unverifiable certificates?
>
> Eugene
--
/Matti Aarnio <mea@nic.funet.fi>
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
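As an added example (not code from this thread, and not ZMailer's or Postfix's own TLS code): the failure in the log rebuilt with openssl(1) on a constructed chain. The client in the log presents its certificate, an intermediate, and on top a self-signed root (the DFN top-level CA) that the server's CA file does not contain; OpenSSL reports that as error 19 at depth 2. The script below reproduces exactly that with made-up certificate names, then shows the verdict once the root is in the trusted CA file, and finally what the openssl command-line option -verify_depth does with the same chain. That last check is OpenSSL's own chain-length limit, not the smtpserver callback discussed above.

```shell
#!/bin/sh
# Added example, not code from the ZMailer thread: reproduce the client-cert
# failure in the log ("verify error:num=19 ... at depth 2") with openssl(1).
# It builds a constructed chain, leaf <- intermediate <- root, plus a separate
# "local unofficial" CA standing in for the server's own CA file. All names
# are made up; nothing here is the ZMailer/Postfix verify callback itself.

# Generate the constructed certificates into directory $1.
setup_demo() {
    dir=$1
    cat >"$dir/ssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
    # Two self-signed roots: the client's CA (the DFN top-level CA in the log)
    # and the server's own local CA, which knows nothing about the client's root.
    for ca in root local; do
        openssl req -x509 -config "$dir/ssl.cnf" -extensions v3_ca \
            -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example $ca CA" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null
    done
    # Intermediate signed by the root, client (leaf) cert signed by the intermediate.
    openssl req -new -config "$dir/ssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ssl.cnf" -extensions v3_ca -out "$dir/int.pem" 2>/dev/null
    openssl req -new -config "$dir/ssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/ssl.cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
    # What a client like the one in the log sends alongside its own cert:
    # the intermediate and, on top, its self-signed root.
    cat "$dir/int.pem" "$dir/root.pem" >"$dir/chain.pem"
}

# verify_leaf CAFILE UNTRUSTED LEAF [extra openssl verify options]
# Prints openssl's verdict (including the "error N at D depth lookup" line)
# and returns openssl's exit status, which is 0 only when the chain verifies.
verify_leaf() {
    cafile=$1; untrusted=$2; leaf=$3; shift 3
    openssl verify -no-CApath -CAfile "$cafile" -untrusted "$untrusted" "$@" "$leaf" 2>&1
}

DEMO=$(mktemp -d)
setup_demo "$DEMO"

echo "1) server trusts only its local CA; client sends intermediate + its root:"
verify_leaf "$DEMO/local.pem" "$DEMO/chain.pem" "$DEMO/leaf.pem" || true
echo "2) client's root added to the server's trusted CA file:"
verify_leaf "$DEMO/root.pem" "$DEMO/int.pem" "$DEMO/leaf.pem" || true
echo "3) same trust, but openssl's own limit of zero intermediates (-verify_depth 0):"
verify_leaf "$DEMO/root.pem" "$DEMO/int.pem" "$DEMO/leaf.pem" -verify_depth 0 || true
```

Needs only the openssl binary; the chain is generated fresh in a temporary directory each run. Case 1 is the situation in the log: the chain builds up fine from what the client sent, but ends in a root nobody trusts, hence "self signed certificate in certificate chain" at depth 2 (leaf is depth 0). In the openssl command line, -verify_depth counts intermediate CAs only, so depth 1 accepts leaf + intermediate + root while depth 0 rejects the same chain as too long; whether smtpserver's tls-ccert-vd compares the depth the same way is exactly the question raised above, and the log's depth=2 with tls-ccert-vd 1 is what to measure against.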