Hello there,

Investigating a strange thing with postfix:

Mar 16 10:37:40 host postfix/smtpd[27618]: warning: TLS library problem: 27618:error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table:x509_lu.c:348:

I tried the following:

openssl s_server -verify 5 -CApath /etc/ssl/certs -cert /etc/ssl/test.pem -key /etc/ssl/test.pem -accept 2525
echo | openssl s_client -verify 5 -verify 5 -CApath /etc/ssl/certs -cert /etc/ssl/test.pem -key /etc/ssl/test.pem -connect 127.0.0.1:2525

This gave me the following (domain name masked, replaced by test.net):

host ~ # echo | openssl s_client -verify 5 -verify 5 -CApath /etc/ssl/certs -cert /etc/ssl/test.pem -key /etc/ssl/test.pem -connect 127.0.0.1:2525
verify depth is 5
verify depth is 5
CONNECTED(00000003)
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
verify return:1
depth=1 /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
verify return:1
depth=0 /C=Fr/L=Paris/O=Cusae/CN=*.test.net/emailAddress=noc@
verify return:1
---
Certificate chain
 0 s:/C=Fr/L=Paris/O=Cusae/CN=*.test.net/emailAddress=noc@
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
 2 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/C=Fr/L=Paris/O=Cusae/CN=*.test.net/emailAddress=noc@
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 4945 bytes and written 4927 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C7F6430ADEDD6F8D41880E321247E04728C79031F0560E9A12121CC8675B5459
    Session-ID-ctx:
    Master-Key: 23817E136B19141A74CC785C697EBECDC39D643991500F56939FDA8A599BDEC9D568D5DD946193AB96A1675064A7CB54
    Key-Arg   : None
    Start Time: 1237198146
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

And on the server:

host ~ # openssl s_server -verify 5 -CApath /etc/ssl/certs -cert /etc/ssl/test.pem -key /etc/ssl/test.pem -accept 2525
verify depth is 5
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
verify return:1
depth=1 /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
verify return:1
depth=0 /C=Fr/L=Paris/O=Cusae/CN=*.test.net/emailAddress=noc@
verify return:1
-----BEGIN SSL SESSION PARAMETERS-----
[snip]
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/C=Fr/L=Paris/O=Cusae/CN=*.test.net/emailAddress=noc@
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
ERROR
28991:error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table:x509_lu.c:348:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Host is an up-to-date Gentoo 2008, on amd64. It may be a duplicate certificate, but I'm unable to find it -- and adding debug information doesn't give more on the ERROR line.

Any idea how to find what's wrong?

Arnaud.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
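The "cert already in hash table" error is raised when X509_STORE_add_cert is handed a certificate the store has already loaded, so the practical check is to look for byte-identical certificates filed more than once under the CApath. The script below is an added example for this thread, not code from the original post or from the OpenSSL project: it assumes the openssl CLI is on PATH and a CApath laid out by c_rehash, and it only scans the <8 hex digits>.<n> entries that X509_LOOKUP_hash_dir actually opens.

```shell
#!/bin/sh
# find_dup_certs: list certificates that occur more than once in a CApath.
# Added example for this thread, not code from the original post.
# Assumes the openssl CLI is on PATH and the directory was laid out by c_rehash.
#
# X509_LOOKUP_hash_dir only opens entries named <8 hex digits>.<n>, so only
# those are scanned; other files are ignored, just as the store ignores them.
# Each entry may hold a PEM bundle, so certificates are split out first and
# fingerprinted one by one.

find_dup_certs() {
    capath=$1
    work=$(mktemp -d) || return 1
    for f in "$capath"/*; do
        [ -f "$f" ] || continue            # -f follows the symlinks c_rehash makes
        case $(basename "$f") in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        # Split the entry into one file per certificate: <work>/<entry>.<k>
        awk -v out="$work/$(basename "$f")" '
            /-----BEGIN CERTIFICATE-----/ { k++; p = 1 }
            p { print > (out "." k) }
            /-----END CERTIFICATE-----/ { p = 0; close(out "." k) }' "$f"
    done
    # SHA-1 fingerprint of each certificate, then group entries by fingerprint.
    # Two entries in one group hold the same DER bytes: the duplicate the store
    # complains about.
    for c in "$work"/*; do
        [ -f "$c" ] || continue
        fp=$(openssl x509 -noout -fingerprint -sha1 -in "$c" 2>/dev/null) || continue
        printf '%s %s\n' "${fp#*=}" "$(basename "$c")"
    done | sort | awk '
        { seen[$1]++; files[$1] = files[$1] " " $2 }
        END { for (fp in seen) if (seen[fp] > 1) print fp ":" files[fp] }'
    rm -rf "$work"
}

# Usage: find_dup_certs /etc/ssl/certs
# One line per duplicated certificate: <fingerprint>: <entry>.<k> <entry>.<k> ...
```

An entry name printed as `1a2b3c4d.0.2` means the second certificate inside the file `1a2b3c4d.0`; an empty result means no two loaded entries carry the same certificate, and the duplicate has to come from elsewhere (for example the -cert chain itself).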