Hi All,

Issue: There is one host to which I can't send mail from either of my relays (both OpenBSD 5.3, sendmail). It always fails the TLS handshake.

If I attempt to debug it by hand by running:

openssl s_client -starttls smtp -connect mail.dean.edu:25

...from any of my OpenBSD 5.3 hosts, I get the same response:

CONNECTED(00000003)
12556912661392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/lib/libssl/ssl/../src/ssl/s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 338 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

...but from any of my other hosts (mixed bag of Linuxes):

CONNECTED(00000003)
depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = supp...@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Franklin/O=Dean College/CN=webmail.dean.edu
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=supp...@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=supp...@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=supp...@fortinet.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDjDCCAnSgAwIBAgISESHvr+edbC0VkIDSTvgg5q0iMA0GCSqGSIb3DQEBBQUA
MIGlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJ
U3Vubnl2YWxlMREwDwYDVQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNh
dGUgQXV0aG9yaXR5MRUwEwYDVQQDEwxGb3J0aUdhdGUgQ0ExIzAhBgkqhkiG9w0B
CQEWFHN1cHBvcnRAZm9ydGluZXQuY29tMB4XDTEzMDYxOTE4MzAwMloXDTE0MDgw
MzA0NTk1OFowajELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMx
ETAPBgNVBAcTCEZyYW5rbGluMRUwEwYDVQQKEwxEZWFuIENvbGxlZ2UxGTAXBgNV
BAMMEHdlYm1haWwuZGVhbi5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AMTP/1vE9zK2TUqxnoaZsDaee0f6zxC2jRwXdWDr2Pz6GQJqAbasRPSF7KEdGzyp
tlSkidT4Y+9HbT2WeggrMZ6QVV4MtfsFvWMcHT6VXEqSaTcaHzBraZubxQVsGTGk
IdZHMV6YTM2NOPGAPh8GAqM4oJNrxw/yEYKN1IjptclZAgMBAAGjdDByMHAGA1Ud
EQRpMGeCEHdlYm1haWwuZGVhbi5lZHWCFWF1dG9kaXNjb3Zlci5kZWFuLmVkdYIN
bWFpbC5kZWFuLmVkdYIMb3dhLmRlYW4uZWR1ghJmb3J0aW1haWwuZGVhbi5lZHWC
C2NsaWVudGFycmF5MA0GCSqGSIb3DQEBBQUAA4IBAQB3ctDaDjtMC+k9ULdwpvu6
llkZdLJtjL9jX8qKFFaELA04tEqeSVp39Rmn/Sc4eeBG0pIAtknoH7MMmilodpb0
OVmwk7vcdZvTyE+fcvre8QL7tFQsP2p52YcNad04n3dppgQj1fIR0C9JckLFydRQ
2+Y6SFfMxC85us2I2b+lL8C5XGMjB9imuGRjVcBPdCfh7KVppDys8ODkC7DeouJ9
rXreZMWHZTzGaRQqa5PH71pu5n9vTXP9qx3Dydy50e3REYch3uKwFBFW++UYkzC4
qMudRtn00ZsBlR271OsonpcY4a/Sb3JUbLLKW7/AmgiTJdjxUXL2WJR6FSEd1zTm
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Franklin/O=Dean College/CN=webmail.dean.edu
issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=supp...@fortinet.com
---
No client certificate CA names sent
---
SSL handshake has read 2391 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: C09FDBD50BB8E16824D92467006595AD44D0F8D69BF8E42D6B1796E0D30D9702
    Session-ID-ctx:
    Master-Key: 9E637C513FF9612B01B745C6157378B76620676E24E6B2C9CEE728E55AA88936C5D166A16DD17772F0DB5CA2866A569E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1379014880
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP

TLS from my OpenBSD relays works fine to any other host. For instance, picking another at random:

CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=97006/ST=OR/L=BEAVERTON/street=SUITE 100/street=20460 NW VON NEUMANN DRIVE/O=McAfee Inc./OU=Engineering/OU=Hosted by McAfee Inc./OU=PlatinumSSL Wildcard/CN=*.mxlogic.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF0zCCBLugAwIBAgIRAK0HXpo1cqJtwPtUcMZnzM0wDQYJKoZIhvcNAQEFBQAw
gYkxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMS8wLQYD
VQQDEyZDT01PRE8gSGlnaC1Bc3N1cmFuY2UgU2VjdXJlIFNlcnZlciBDQTAeFw0x
MzAzMTMwMDAwMDBaFw0xNDAzMTMyMzU5NTlaMIH6MQswCQYDVQQGEwJVUzEOMAwG
A1UEERMFOTcwMDYxCzAJBgNVBAgTAk9SMRIwEAYDVQQHEwlCRUFWRVJUT04xEjAQ
BgNVBAkTCVNVSVRFIDEwMDEjMCEGA1UECRMaMjA0NjAgTlcgVk9OIE5FVU1BTk4g
RFJJVkUxFDASBgNVBAoTC01jQWZlZSBJbmMuMRQwEgYDVQQLEwtFbmdpbmVlcmlu
ZzEeMBwGA1UECxMVSG9zdGVkIGJ5IE1jQWZlZSBJbmMuMR0wGwYDVQQLExRQbGF0
aW51bVNTTCBXaWxkY2FyZDEWMBQGA1UEAxQNKi5teGxvZ2ljLm5ldDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtvQh1N+N0oFYmCeMklSZn2ATDy4+du
L1VKPlWnX/sIoS32GrfUcBS47dARmopzgQBgbMJwCVDJcijZlKZQz/pWP2Asqqdy
4zpfwPAURA7gI/kXydVBHMUUHV9JHa+1uyLHS4pbT4l58y2j77paLL7vTlhlCuAH
7r5gnTziZD3pVqRjxOTTCaAFcraLH6Zo82mypk43CHWT80iBp3+oYMTZDjHkb7BI
xqPdGmFHgfDXRiET26sCPEcUqnk+3PyUM/5ApiyyTW50/pI6nqersg+S07sUR6C7
Vpvr51vYwJQv/gB6T6ot2OEKG1xCkFo153jPm51Ezh0YyilKjfxe16ECAwEAAaOC
AcEwggG9MB8GA1UdIwQYMBaAFD/VtdDWRHlQShejm4xK3LiwImRrMB0GA1UdDgQW
BBQOC+cfq6GG+6JIjVYXQveIG/SzXzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwUAYDVR0gBEkwRzA7
BgwrBgEEAbIxAQIBAwQwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29t
b2RvLmNvbS9DUFMwCAYGZ4EMAQICME8GA1UdHwRIMEYwRKBCoECGPmh0dHA6Ly9j
cmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2VjdXJlU2VydmVy
Q0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYBBQUHMAKGPmh0dHA6Ly9jcnQu
Y29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2VjdXJlU2VydmVyQ0Eu
Y3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wGAYDVR0R
BBEwD4INKi5teGxvZ2ljLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAhkJCWVNkdCD8
wH9hgJvOpjUWNTuDqKG+2Yh5Uz9KjOQeFdEZX/Alo/n30bgTbv5g5gzlK2BGUCKV
L7B8JFq3vFHvIePo3hr1xcXpR3aKLF+3eDmGFDztBKyqU8DQYBmbNxZzWFvYA9ke
ifX5mdWXFV2f6NJw2aGhu4ordoitLH+RtA2k75Q7TrHfIo56KjFuP20sWaRUGZ5Z
uyF3yB/VIzptJJEop7oKDeKqUDmhNrXT4v/S9GODMPu8MXbrjHvVsGgnL63Um5Yz
G2WJizEbmD0MOPUVbURa7pDX5KDGdXKkluskgPadTHDO32FnQN1wYxThsDEKJ2j9
BzeA92BWfQ==
-----END CERTIFICATE-----
subject=/C=US/postalCode=97006/ST=OR/L=BEAVERTON/street=SUITE 100/street=20460 NW VON NEUMANN DRIVE/O=McAfee Inc./OU=Engineering/OU=Hosted by McAfee Inc./OU=PlatinumSSL Wildcard/CN=*.mxlogic.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
---
Acceptable client certificate CA names
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
SSL handshake has read 4412 bytes and written 664 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 8AB594067EB15A6DF6A5D74E84E57AB8310B57A1F411E3AF9EB0084790CA6C13
    Session-ID-ctx:
    Master-Key: 3DC8AA2C04E6106648E4950ECF850CF58687C8F3690A43DD0D8BCE57FC09C0059B9E857CA25905753232E23F277CA564
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1379014966
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 PIPELINING

I'm perplexed. Does anyone have any ideas?

Thanks,
-John
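The transcripts above show the two things worth separating when an s_client STARTTLS handshake dies in SSL23_WRITE on one client build but completes from another: whether the peer accepted the ClientHello at all, and what it negotiated when it did. The following POSIX shell script is an added example, not code from John's post or from OpenBSD, sendmail or Fortinet. It classifies an s_client transcript into a one-line verdict and, against a live host, repeats the STARTTLS attempt with a few different ClientHello shapes so you can see whether the failure tracks the protocol version or cipher list offered. The option names (-no_tls1_2, -tls1, -ssl3, -cipher) are the OpenSSL 1.0.x s_client flags and are an assumption about the openssl binary on the relay; the hostname in the usage comment is hypothetical. The two embedded transcripts are constructed from the post's own output, reflowed onto separate lines.

```shell
#!/bin/sh
# Added example for triaging a STARTTLS handshake failure with openssl s_client.
# Assumes OpenSSL 1.0.x s_client option names; adjust for the openssl you have.

# classify_handshake: read one s_client transcript on stdin, print one summary
# line, and return 1 when the handshake did not complete.
#   OK proto=<protocol> cipher=<cipher> verify=<code> keybits=<bits>
#   FAIL <reason>
classify_handshake() {
    t=$(cat)
    case "$t" in
        *"ssl handshake failure"*) echo "FAIL handshake-failure";    return 1 ;;
        *"Cipher is (NONE)"*)      echo "FAIL no-cipher-negotiated"; return 1 ;;
        *"connect:errno"*)         echo "FAIL tcp-connect";          return 1 ;;
    esac
    proto=$(printf '%s\n' "$t"  | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$t" | sed -n 's/^ *Cipher *: *//p'   | head -n 1)
    verify=$(printf '%s\n' "$t" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$t"   | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1)
    echo "OK proto=${proto:-?} cipher=${cipher:-?} verify=${verify:-?} keybits=${bits:-?}"
}

# probe_starttls HOST [PORT]: repeat the STARTTLS handshake with several
# ClientHello shapes. If the default hello fails but a TLS1.0-only or
# short-cipher-list hello succeeds, the peer (or a device in front of it) is
# rejecting the newer or larger hello rather than the relay's TLS config.
probe_starttls() {
    host=$1; port=${2:-25}
    for variant in "" "-no_tls1_2" "-tls1" "-ssl3" \
                   "-cipher AES128-SHA:AES256-SHA:DES-CBC3-SHA"; do
        printf '%-50s ' "s_client ${variant:-(defaults)}"
        # $variant is deliberately unquoted so "-cipher LIST" splits into two words
        openssl s_client -starttls smtp -connect "$host:$port" $variant </dev/null 2>&1 \
            | classify_handshake || true
    done
}

# Constructed sample: the failing OpenBSD transcript from the post, reflowed.
sample_fail() {
    cat <<'EOF'
CONNECTED(00000003)
12556912661392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/lib/libssl/ssl/../src/ssl/s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 338 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
EOF
}

# Constructed sample: the tail of the working Linux transcript from the post.
sample_ok() {
    cat <<'EOF'
SSL handshake has read 2391 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Start Time: 1379014880
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
EOF
}

# Offline demo on the embedded samples. Against a live host, run e.g.
# "probe_starttls mail.example.org" (hypothetical name) and compare the rows.
sample_ok   | classify_handshake
sample_fail | classify_handshake || true
```

Two notes on reading the rows. Verify return code 19 appears in both of the working transcripts only because s_client was run without a CA bundle (-CAfile/-CApath), so it is not what broke the OpenBSD attempt; the failing transcript never reached certificate verification at all. And the working row's "keybits=1024" plus "Secure Renegotiation IS NOT supported" are worth keeping in the output, since they describe the peer you will be forced to accommodate if a narrower ClientHello turns out to be what it needs.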