1. make sure your server includes the intermediary VeriSign CA
(issued by the root CA, issuer of your cert) in its response for the
common case where the client only has a copy of the trusted root
CA and not the (frequently changing) intermediary CA. This cert
should appear at depth=1 in the s_client output if done right.
I don't know how sendmail loads its TLS server cert, but for most
programs, you simply concatenate the PEM text files of your
own server cert and each intermediary up to and including the
root CA cert, in order. Either
# cat x.com.pem relevantintermediaryCA.pem relevantverisignrootCA.pem > /etc/somedir/servercert.pem
Or
# cat relevantverisignrootCA.pem relevantintermediaryCA.pem x.com.pem > /etc/somedir/servercert.pem
(with appropriate substitutions) should make your sendmail send the
whole chain as expected by most clients.
2. Make sure the location where openssl looks for trusted server cert
issuers (not client cert issuers) (is it /etc/mailcerts/cacert.pem or
/etc/mailcerts/CA, I am never sure!) contains the certificate that
VeriSign used to sign the intermediary CA that signed your
"x.com" (not the real name I presume) certificate. This would be
the "relevantverisignrootCA.pem" in point 1 above.
3. TLS can continue with an untrusted certificate, but in real clients
(mail programs etc.) the same error will be fatal or at least a very
dire warning.
On 9/20/2011 9:26 AM, maztermind wrote:
I have configured TLS on my sendmail server, but when I try to verify it I get
these errors:
#openssl verify -CApath /etc/mailcerts/CA -CAfile cacert.pem
openssl s_client -CAfile /etc/mailcerts/cacert.pem -CApath /etc/mailcerts/CA -connect localhost:25 -starttls smtp
CONNECTED(00000003)
depth=0 C = SE, ST = X, L = X, O = X, OU = IT, OU = Terms of use at www.verisign.se/rpa (c)05, OU = Authenticated by VeriSign, OU = "Member, VeriSign Trust Network", CN = x.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = SE, ST = X, L = X, O = X, OU = IT, OU = Terms of use at www.verisign.se/rpa (c)05, OU = Authenticated by VeriSign, OU = "Member, VeriSign Trust Network", CN = x.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = SE, ST = X, L = X, O = X, OU = IT, OU = Terms of use at www.verisign.se/rpa (c)05, OU = Authenticated by VeriSign, OU = "Member, VeriSign Trust Network", CN = x.com
verify error:num=21:unable to verify the first certificate
verify return:1
But the TLS seems to work:
Acceptable client certificate CA names
/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
SSL handshake has read 2798 bytes and written 454 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
2983543DDDA550EC4065B58F2D8D33099XXSSS1EBB9483A834E49EA710D032698D37D
Session-ID-ctx:
Master-Key:
155A6E224E39005ABF1391E5BE19DBF4DDC96C010D4XX03792D0F50CDCC1DC80986A4BE5E2DA5A474DA266EC51CF6D8649
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 78 21 c2 17 a5 85 b7 fc-4e 70 4e e6 ca de bc 7d   x!.7....NpN....}
0010 - 8f 4d 2b 57 bd 81 eb 91-0a ac 42 de 44 8c 74 e6   .M+W......B.D.t.
0020 - c3 75 d3 84 4d f7 75 b6-01 21 28 c6 1a 99 c8 b4   .u..M.u..!(.....
0030 - 07 05 b1 3d 80 c5 93 18-9c d8 03 b6 44 61 f8 3b   ...=........Da.;
0040 - df 36 2c 74 e3 ff ea 1a-26 65 61 ce 63 39 ad 01   .6,t....&ea.c9..
0050 - 4c 78 9d 85 10 e0 9c b3-4f dd 30 3f 6f cd 43 08   Lx......O.0?o.C.
0060 - f5 f7 04 77 b3 36 f0 87-5e f7 78 a8 62 8d 0d 9e   ...w.6..^.x.b...
0070 - 6f 4e 51 be e8 5f bd 1e-37 76 8d 06 29 a4 7f 4c   oNQ.._..7v..)..L
0080 - 23 51 8b f9 f3 57 67 95-75 78 d6 07 b0 20 42 a9   #Q...Wg.ux... B.
0090 - 6b 0b 1a 0e b8 d6 55 a4-5c f0 99 78 0b 81 e4 a8   k.....U.\..x....
00a0 - e7 4c 0c 5f f3 fc 21 c5-e4 cd de d5 89 d8 79 3d   .L._..!.......y=
Compression: 1 (zlib compression)
Start Time: 1316502867
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
So how do I get rid of this problem? Or do I give wrong parameters?
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
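The checks behind points 1 and 2 of the reply, as an added example that is not part of the thread and not sendmail's or OpenSSL's own code: a POSIX shell script that uses the openssl command line to build a throwaway root -> intermediate -> server PKI, reproduces the "error 20 ... unable to get local issuer certificate" from the question when only the root is trusted and the intermediate is missing, shows it clear once the intermediate is supplied, and lists subject and issuer of every certificate in a concatenated chain file so the links can be checked before the file is handed to the mail server. The names demo-root, demo-int and x.com (the thread's placeholder), the file names and the temporary directory are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the thread): build a throwaway root -> intermediate
# -> server PKI with the openssl CLI, reproduce the "error 20 ... unable to get
# local issuer certificate" from the question, show it clear once the
# intermediate is supplied, and inspect a concatenated chain file.
# All names (demo-root, demo-int, x.com) and file names are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Generate root CA, intermediate CA and server cert (throwaway, unencrypted keys).
setup_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo-root' \
        -keyout root.key -out root.pem -days 3650 >/dev/null 2>&1
    # basicConstraints=CA:TRUE is what makes int.pem acceptable as an issuer
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-int' \
        -keyout int.key -out int.csr >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.pem -days 1825 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=x.com' \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 365 >/dev/null 2>&1
    # chain file in the first order given in point 1: server, intermediate, root
    cat leaf.pem int.pem root.pem > chain.pem
}

# Verify leaf.pem against the trusted root only, optionally with an untrusted
# bundle ($1) that may carry the intermediate.
# Prints "OK" or "error N", N being the X509 verify error number (s_client's num=N).
verify_leaf() {
    if [ $# -gt 0 ]; then
        out=$(openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>&1)
    else
        out=$(openssl verify -CAfile root.pem leaf.pem 2>&1)
    fi
    case "$out" in
        *"leaf.pem: OK"*) echo OK ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
    esac
}

# Number of PEM certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and issuer of each certificate in a bundle, in file order,
# so you can see that each issuer matches the next certificate's subject.
show_chain() {
    rm -f part*.pem
    awk '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > ("part" n ".pem")}' "$1"
    for f in part*.pem; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

if command -v openssl >/dev/null 2>&1; then
    setup_demo
    echo "root only:           $(verify_leaf)"           # error 20
    echo "root + intermediate: $(verify_leaf int.pem)"   # OK
    echo "root + chain file:   $(verify_leaf chain.pem)" # OK
    show_chain chain.pem
fi
```

The first verify fails with the same error 20 the question's s_client output reports, because the trust store holds only the root and nothing supplies the intermediate that actually signed the server certificate; the second and third succeed because the intermediate arrives alongside the leaf, which is what a correctly built server chain file gives a client. Once the real chain file is in place, the s_client run from the question should show the intermediate at depth=1, as point 1 of the reply says.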