Friday, 2020-04-10 10:48 -0600, Bob Beck wrote:
>
> What makes you believe your certificate failure is due to the wildcard DNSname
> and not due to some other reason (like the certificate not being trusted, or
> failing a critical extension, etc.)
>
> A quick scan of the wildcard matching code in smtpd looks correct to me, but
> it won't get in there if the certificate doesn't validate in the first place.
>
> I can't connect to that host from where I am, obviously it does some
> sort of port 25 filtering or I would look at the certificate myself.
> instead of grepping strings it might be helpful to show the entire
> certificate.
That's an excellent question and may explain why I didn't see any obvious
difference between smtpd's ssl_verify.c and libtls's tls_verify.c - I
apologise for jumping to the wrong conclusion. The certificate appears to
validate when I use openssl(1) directly, but I may have misinterpreted the
output, attached below.
===
$ echo Q | openssl s_client -starttls smtp -connect mx.hostedemail.com:25
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = CA, ST = Ontario, L = Toronto, O = Tucows Inc, OU = Operations, CN = *.hostedemail.com
verify return:1
write W BLOCK
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Toronto/O=Tucows Inc/OU=Operations/CN=*.hostedemail.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Toronto/O=Tucows Inc/OU=Operations/CN=*.hostedemail.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3443 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FB1EE4005E33E8340286904FE71AB15C3EE8EBA2CE297B6F37E52DA6F7EA41AC
Session-ID-ctx:
Master-Key: F44E9751FC08A61590BCFD5400C14237B48D8E461C1D80BD945540B2CA52821264E244A53CC0F2D381FF4E2570F2FCE6
Start Time: 1586537747
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
250 CHUNKING
DONE
$
$ echo Q | openssl s_client -starttls smtp -connect mx.hostedemail.com:25 2>&1 | openssl x509 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:db:7b:f3:7f:18:47:44:1b:a1:61:59:f7:f0:31:ae
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018
Validity
Not Before: Mar 25 00:00:00 2020 GMT
Not After : May 24 12:00:00 2021 GMT
Subject: C=CA, ST=Ontario, L=Toronto, O=Tucows Inc, OU=Operations, CN=*.hostedemail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:58:FF:B0:9C:75:A8:51:54:77:B1:ED:F2:A3:43:16:38:9E:6C:C5
X509v3 Subject Key Identifier:
BC:EB:67:65:6E:44:9A:82:DD:9F:38:D5:D6:E1:D7:B5:2F:47:A2:42
X509v3 Subject Alternative Name:
DNS:*.hostedemail.com, DNS:hostedemail.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://cdp.geotrust.com/GeoTrustRSACA2018.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.2
Authority Information Access:
OCSP - URI:http://status.geotrust.com
CA Issuers -
URI:http://cacerts.geotrust.com/GeoTrustRSACA2018.crt
X509v3 Basic Constraints:
CA:FALSE
1.3.6.1.4.1.11129.2.4.2:
Signature Algorithm: sha256WithRSAEncryption
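To separate a hostname-mismatch failure from a chain-validation failure (Bob's point that the wildcard matching code only runs once the chain verifies), here is an added example, not code from the thread or from smtpd/libtls, that applies the usual dNSName wildcard rules to the SAN entries shown in the certificate above. The matching rules follow RFC 6125 section 6.4.3; the helper and function names are my own.

```python
from typing import Optional

# SAN dNSName entries copied from the certificate output above.
SAN_DNS_NAMES = ["*.hostedemail.com", "hostedemail.com"]


def _labels(name: str):
    """Split a DNS name into labels; names are case-insensitive and a
    trailing dot is ignored. Returns None for an empty label."""
    labels = name.lower().rstrip(".").split(".")
    return None if any(l == "" for l in labels) else labels


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly with a wildcard) against a host.

    Rules applied (RFC 6125 section 6.4.3, as commonly implemented):
      * a wildcard is honoured only as the whole leftmost label,
      * it matches exactly one label (so *.a.b never matches x.y.a.b),
      * the pattern needs at least two labels after the wildcard,
        so "*.com" is refused outright,
      * the presented hostname itself may never contain "*".
    This check is reached only after the chain has validated; a chain,
    date or critical-extension failure never gets this far.
    """
    pat, host = _labels(pattern), _labels(hostname)
    if pat is None or host is None or any("*" in l for l in host):
        return False
    if "*" not in pattern:
        return pat == host
    if pat[0] != "*" or len(pat) < 3 or any("*" in l for l in pat[1:]):
        return False  # partial-label ("mx*.") or too-broad wildcard
    return len(host) == len(pat) and host[1:] == pat[1:]


def first_matching_san(hostname: str, san_dns_names=SAN_DNS_NAMES) -> Optional[str]:
    """Return the SAN entry that matches hostname, or None if none does."""
    for entry in san_dns_names:
        if dns_name_matches(entry, hostname):
            return entry
    return None


if __name__ == "__main__":
    for h in ["mx.hostedemail.com", "hostedemail.com", "a.b.hostedemail.com"]:
        print(h, "->", first_matching_san(h))
```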