On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote:
>
> i am not following this in any detail, but if you look at the certificate you
> included in your original email it expired in 2008. just look at it with
>
> openssl -text -in <some file>
openssl x509 -text -in <some file>
> sorry if i'm jumping into something i've misunderstood,
> andrew
>
>
> On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote:
> >
> > On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
> > >On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
> > >
> > >>I recently upgraded my company's mail server to 64 Debian Wheezy. I
> > >>am using the OpenSSL package which is version 1.0.1e-2.
> > >>
> > >>I am having problems when trying to send a message to one of our
> > >>business partners. The SMTP session appears to shut down and it
> > >>appears that my server is rejecting their certificate.
> > >>
> > >>Here is the openssl command I am giving to diagnose the problem and
> > >>its output. Can anyone suggest a solution? It appears to me that
> > >>I may be lacking an intermediary certificate. How do I fix this if
> > >>this is the case?
> > >>
> > >>>openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp
> > >>>-connect mail.thelawrencegroup.com:25
> > >The posttls-finger(1) utility, included with Postfix 2.11 snapshot
> > >source code, does a much better job of mail server TLS diagnostics.
> > >Their certificate is expired. Your MTA really ought to log the
> > >error reason. Consider a better MTA! :-)
> > I don't see anywhere that it says expired other than this utility.
> > How can I verify that it is really expired? These guys do business
> > with lots of other people but have not noticed anything except with
> > us. The openssl error code 20 indicates an improper intermediate CA
> > from what I can find. Also using this site indicates no problem:
> > http://www.checktls.com/testreceiver.html
> >
> > Is there another way to verify the expiration?
> > >
> > > $ posttls-finger "[mail.thelawrencegroup.com]"
> > > posttls-finger: Connected to
> > > mail.thelawrencegroup.com[206.16.127.29]:25
> > > posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL
> > > Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600
> > > posttls-finger: > EHLO amnesiac.example
> > > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
> > > posttls-finger: < 250-TURN
> > > posttls-finger: < 250-SIZE
> > > posttls-finger: < 250-ETRN
> > > posttls-finger: < 250-PIPELINING
> > > posttls-finger: < 250-DSN
> > > posttls-finger: < 250-ENHANCEDSTATUSCODES
> > > posttls-finger: < 250-8bitmime
> > > posttls-finger: < 250-BINARYMIME
> > > posttls-finger: < 250-CHUNKING
> > > posttls-finger: < 250-VRFY
> > > posttls-finger: < 250-TLS
> > > posttls-finger: < 250-STARTTLS
> > > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
> > > posttls-finger: < 250-X-EXPS=LOGIN
> > > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
> > > posttls-finger: < 250-AUTH=LOGIN
> > > posttls-finger: < 250-X-LINK2STATE
> > > posttls-finger: < 250-XEXCH50
> > > posttls-finger: < 250 OK
> > > posttls-finger: > STARTTLS
> > > posttls-finger: < 220 2.0.0 SMTP server ready
> > > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched
> > > CommonName mail.thelawrencegroup.com
> > > posttls-finger: server certificate verification failed for
> > > mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired
> > > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25:
> > > subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure
> > > Server CA,
> > > fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57,
> > > pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D
> > > posttls-finger: Untrusted TLS connection established to
> > > mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5
> > > (128/128 bits)
> > > posttls-finger: > EHLO amnesiac.example
> > > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
> > > posttls-finger: < 250-TURN
> > > posttls-finger: < 250-SIZE
> > > posttls-finger: < 250-ETRN
> > > posttls-finger: < 250-PIPELINING
> > > posttls-finger: < 250-DSN
> > > posttls-finger: < 250-ENHANCEDSTATUSCODES
> > > posttls-finger: < 250-8bitmime
> > > posttls-finger: < 250-BINARYMIME
> > > posttls-finger: < 250-CHUNKING
> > > posttls-finger: < 250-VRFY
> > > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
> > > posttls-finger: < 250-X-EXPS=LOGIN
> > > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
> > > posttls-finger: < 250-AUTH=LOGIN
> > > posttls-finger: < 250-X-LINK2STATE
> > > posttls-finger: < 250-XEXCH50
> > > posttls-finger: < 250 OK
> > > posttls-finger: > QUIT
> > > posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing
> > > transmission channel
> > >
> >
> > --
> >
> > Bob Wooldridge
> > bob...@kc0dxf.net
> > Blog: http://kc0dxf.net/blog/
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majord...@openssl.org
> >
>
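One way to answer the "is it really expired?" question from the thread without reading the full `-text` dump, as an added example that is not part of any of the messages above: it reads the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates` and compares them with a chosen time. The sample dates are constructed (the thread only says the certificate expired in 2008), and the function names are this example's own.

```python
import ssl
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates` output (not the real certificate).
SAMPLE = "notBefore=May  9 00:00:00 2007 GMT\nnotAfter=May  8 23:59:59 2008 GMT\n"

def openssl_dates(pem_path):
    """Run `openssl x509 -noout -dates` on a PEM file and return its text output."""
    return subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", pem_path],
        check=True, capture_output=True, text=True).stdout

def parse_validity(dates_text):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    fields = {}
    for line in dates_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds understands OpenSSL's "Mon DD HH:MM:SS YYYY GMT".
            secs = ssl.cert_time_to_seconds(value)
            fields[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]

def validity_status(dates_text, now=None):
    """Classify the validity window relative to `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(dates_text)
    if now < not_before:
        return "not yet valid (starts %s)" % not_before.isoformat()
    if now > not_after:
        return "expired %d days ago (%s)" % ((now - not_after).days, not_after.isoformat())
    return "valid for %d more days" % (not_after - now).days

if __name__ == "__main__":
    # With a PEM file argument, check that file; otherwise use the constructed sample.
    text = openssl_dates(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(validity_status(text))
```

Passing an explicit `now` lets the same check be rerun against the date of a logged delivery failure instead of the current time.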