On Fri, Dec 18, 2009 at 07:56:05PM -0500, Dave Thompson wrote:

> >     On postfix 2.5.7 running on Red Hat Enterprise Linux AS release 4
> >     (Nahant Update 8) I've got the following error message:
> <snip>
> >     SSL_accept error from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]: 0
> >     SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> >     ca:s3_pkt.c:1052:SSL alert number 48:
> 
> This is FROM the other system (85-etc) saying they don't like YOUR cert.

Yes, the client wants to verify the trust chain, but is unable to do so.

> <snip>
> >     in main.cf there are the following lines concerning TLS
> <snip>
> >     smtpd_tls_CAfile = /etc/postfix/secure/UTNAddTrustSGCCA.pem
> >     smtpd_tls_CApath = /etc/postfix/secure
> 
> Aside: OpenSSL cannot normally use both CAfile and CApath (directory).
> One of these is probably ignored, but the other is likely sufficient.

This is wrong. Both are used, as documented in:

    SSL_CTX_load_verify_locations(3)

       When looking up CA certificates, the OpenSSL library will first search
       the certificates in CAfile, then those in CApath. Certificate matching
       is done based on the subject name, the key identifier (if present),
       and the serial number as taken from the certificate to be verified. If
       these data do not match, the next certificate will be tried. If a
       first certificate matching the parameters is found, the verification
       process will be performed; no other certificates for the same
       parameters will be searched in case of failure.

> Their cert is good in your truststore. s_client didn't send your cert to
> them.
> 
> Try s_client -key (smtpd__key) -cert (smtpd__cert) (rest as before)
> 
> But they don't appear to be requesting it. Make sure they are set to 
> at least allow (if not require) client authentication on incoming.

SMTP almost never uses client certs, and these are not relevant in this
context.

To understand why the remote client fails to establish a TLS session
with the OP's server, the OP needs to ask the administrator of the
remote client.

If the OP is operating a "submission" service, the client is an MUA, and
the user needs to add appropriate root CA certificates to the MUA's list
of trusted root CAs.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
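As an added example (not part of this thread, and not Postfix or OpenSSL code), the following script turns the kind of log text the OP pasted into a triage verdict: it extracts the peer and the alert number, names the alert per RFC 5246, and flags certificate-related alerts as "the connecting client rejected our certificate", which is the direction of blame Dave and Viktor point out above. The regular expression is written against the text as it appears in the thread (the real log may split it across two lines, so join lines before parsing), and all sample records other than the OP's own fragment are constructed.

```python
"""Classify TLS alerts seen in Postfix smtpd SSL_accept errors (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Alert descriptions from RFC 5246 section 7.2 (subset of the defined values).
TLS_ALERTS: Dict[int, str] = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

# Certificate-related alerts are sent by the side that rejected the certificate
# it was shown. In an SSL_accept (server-side) error the sender is the connecting
# client, so these alerts mean the client could not validate *our* certificate.
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

# Assumed pattern over the text as pasted in the thread: the peer in brackets,
# then the OpenSSL error string ending in "SSL alert number N". re.S lets it
# span a line-wrapped paste.
ALERT_RE = re.compile(
    r"SSL_accept error from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r".*?SSL alert number (?P<alert>\d+)",
    re.S,
)


@dataclass
class TlsAlertEvent:
    peer_host: str
    peer_ip: str
    alert: int
    name: str

    @property
    def client_rejected_our_cert(self) -> bool:
        return self.alert in CERT_ALERTS


def parse_smtpd_tls_alert(text: str) -> Optional[TlsAlertEvent]:
    """Extract peer and alert number from an smtpd SSL_accept error, if present."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    alert = int(m.group("alert"))
    return TlsAlertEvent(m.group("host"), m.group("ip"), alert,
                         TLS_ALERTS.get(alert, "unknown"))


def explain(ev: TlsAlertEvent) -> str:
    """One-line triage note: who sent the alert and what it implies for us."""
    who = f"{ev.peer_host}[{ev.peer_ip}]"
    if ev.client_rejected_our_cert:
        return (f"{who} sent alert {ev.alert} ({ev.name}): the client could not "
                f"validate the certificate chain this server presented. After "
                f"confirming we send the complete chain, the remaining fix is on "
                f"the client side (trust the issuing root CA).")
    return f"{who} sent alert {ev.alert} ({ev.name}): not a certificate-trust failure."


def alerts_by_peer(records: Iterable[str]) -> Counter:
    """Count (peer_ip, alert) pairs; lines without an SSL_accept alert are skipped."""
    counts: Counter = Counter()
    for rec in records:
        ev = parse_smtpd_tls_alert(rec)
        if ev is not None:
            key: Tuple[str, int] = (ev.peer_ip, ev.alert)
            counts[key] += 1
    return counts


# Constructed sample: the OP's fragment joined onto one line, plus two made-up
# records (RFC 5737 documentation addresses), one of them not a TLS alert at all.
SAMPLE_RECORDS = [
    "SSL_accept error from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]: 0 "
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48:",
    "SSL_accept error from mail.example.net[192.0.2.10]: 0 "
    "SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40:",
    "connect from mail.example.org[198.51.100.7]",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ev = parse_smtpd_tls_alert(rec)
        print(explain(ev) if ev else f"no TLS alert in: {rec!r}")
    print(alerts_by_peer(SAMPLE_RECORDS))
```

Run against real logs, the per-peer counter separates one MUA user with a missing root CA (a single IP, alert 48 repeated) from a chain problem on the server side (many unrelated peers all sending 48).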
