On 8/24/2010 3:55 PM, Dieter Kluenter wrote:
Clayton Keller<inetad...@ruraltel.net> writes:
First off, my apologies if this strays a bit off-list.
I'm trying to setup a test environment using TLS and a self-signed
certificate using Subject Alternative Name. From my research this
should allow me to use multiple hostnames with a single certificate.
I have no issues using TLS and a single domain with a self-signed
cert. However, when creating the certificate using the multiple
hostnames, I see the following type of issue:
1. The email client generates an error indicating the certificate is
invalid and requires an exception be added.
2. The following shows up in my logging:
---
Aug 24 14:41:54 mta-test postfix/smtpd[27174]: SSL3 alert
read:fatal:bad certificate
Aug 24 14:41:54 mta-test postfix/smtpd[27174]: warning: TLS library
problem: 27174:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
bad certificate:s3_pkt.c:1086:SSL alert number 42:
---
If anyone has experience with the use of Subject Alternative Name with
their certificates, any info would be greatly appreciated, or any
additional info regarding the "SSL alert number 42" that I am seeing.
If you create server certificates with openssl just add to openssl.cnf
...
[ usr_cert ]
...
subjectAltName=DNS:localhost,DNS:smtp2.example.com,DNS:smtp3.example.com
...
and create and sign an appropriate server certificate.
-Dieter
I believe I have solved my problem. I was having issues with the mail
client and the public CA cert, as well as making sure that CA cert was
also in the file specified by smtpd_tls_CAfile.
After taking care of both, I am now successfully sending using a server
name that is included in the Subject Alternative Name list of the
self-signed certificate.
Looks like it was more along the lines of allowing them to trust the
self-signed cert more than anything.
Clay
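Added example, not part of the thread above: a script that builds the kind of multi-name self-signed certificate Dieter describes and then checks it the way a TLS client does. Two separate checks decide whether the client accepts the certificate: the chain must lead to something in the client's trust store, and the hostname the client connected to must appear in the SAN list. The log lines in the original question show the alert being *read* by smtpd, i.e. sent by the client after its check failed, which is consistent with Clay's conclusion that trust, not the SAN list, was the problem. Two details the example assumes: the openssl command line (1.0.2 or later for -verify_hostname), and that the cert is made in one step with "openssl req -x509", whose extensions come from the section named by x509_extensions in [ req ] rather than from the [ usr_cert ] section that "openssl ca" applies when signing a CSR. The hostnames are Dieter's; the section names, file names and lifetime are this example's own choices.

```bash
#!/bin/sh
# Added example, not from the thread: build a self-signed certificate that
# carries several DNS names in subjectAltName, then check it the way a TLS
# client does (is the cert chained to a trust anchor? does the hostname the
# client connected to appear in the SAN list?). Needs the openssl CLI
# (1.0.2 or later for -verify_hostname). Hostnames come from Dieter's
# snippet; section names, file names and the 365-day lifetime are arbitrary.
set -eu

# "openssl ca" applies the [ usr_cert ] section when it signs a CSR. A
# one-step self-signed cert from "openssl req -x509" instead takes its
# extensions from the section named by x509_extensions in [ req ], so
# that is where subjectAltName goes here.
write_san_config() {    # $1 = path of the config file to write
    cat >"$1" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = dn
x509_extensions     = v3_san

[ dn ]
CN = smtp2.example.com

[ v3_san ]
# Self-signed, so the cert doubles as its own trust anchor; a cert issued
# by a separate CA would carry CA:FALSE instead.
basicConstraints = CA:TRUE
# Every name a client may connect with. Once a SAN is present, verifiers
# ignore the CN, so it must be listed here too.
subjectAltName   = DNS:localhost,DNS:smtp2.example.com,DNS:smtp3.example.com
EOF
}

# Create san.cnf, key.pem and cert.pem in directory $1.
make_san_cert() {
    write_san_config "$1/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/san.cnf" -keyout "$1/key.pem" -out "$1/cert.pem" \
        >/dev/null 2>&1
}

# Print the DNS names in the certificate's SAN extension, one per line.
san_names() {           # $1 = certificate file
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Model the client's decision: $2 is the client's trust store (for a
# self-signed cert, a copy of the cert itself), $3 the name it connected
# to. Succeeds only if the chain verifies AND the name matches a SAN entry.
# Matching ": OK" works across OpenSSL versions, including 1.0.x, whose
# "verify" exits 0 even on failure.
client_accepts() {      # $1 = server cert, $2 = CA file, $3 = hostname
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

main() {
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    make_san_cert "$WORK"
    echo "SAN entries:"; san_names "$WORK/cert.pem"

    # Client trusts the cert: accepted for every SAN name, rejected for others.
    for host in smtp2.example.com smtp3.example.com localhost smtp4.example.com; do
        if client_accepts "$WORK/cert.pem" "$WORK/cert.pem" "$host"; then
            echo "$host: accepted"
        else
            echo "$host: rejected (hostname mismatch)"
        fi
    done

    # Client trusts some other self-signed cert instead: rejected even for a
    # listed name. The SAN list only matters once the chain itself is trusted.
    mkdir "$WORK/other"; make_san_cert "$WORK/other"
    if client_accepts "$WORK/cert.pem" "$WORK/other/cert.pem" smtp2.example.com; then
        echo "untrusted anchor: accepted (unexpected)"
    else
        echo "untrusted anchor: rejected (cert not in the client's trust store)"
    fi
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

Run it as-is to see the three listed names accepted, smtp4.example.com rejected for hostname mismatch, and the same certificate rejected outright when the "client" trusts a different anchor. To reproduce the mail-client situation, the second argument to client_accepts is the part that has to change: the client needs its own copy of the self-signed certificate (or of the CA that signed it) before the SAN list is even consulted.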