On 2013-02-12 01:07, Wietse Venema wrote:
we...@zackbummfertig.de:
Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library problem: 18823:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:rsa_sign.c:127:
Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library problem: 18823:error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib:s3_clnt.c:2983:
The TLS library (i.e. OpenSSL) is not part of Postfix, so this may
be the wrong mailing list.
What does
$ openssl s_client -starttls smtp -connect servername:25
openssl s_client -starttls smtp -connect mail.domian.de:25
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/O=mail.domain.de/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.domain.de
i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
---
Server certificate
subject=/O=mail.domain.de/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.domain.de
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
Acceptable client certificate CA names
/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
SSL handshake has read 4609 bytes and written 504 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 01A34AF6F2586EFB5FCF8A4860FF9D13607FAE8BF2774587801985C6E5106C13
Session-ID-ctx:
Master-Key: 09925141BD917D5E098A9BB18B8B547C732E6A38564CEEF3DAA18ECE963E24E7767D786E1276A117D13CAB5343C3B87C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1360631194
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 8BITMIME
quit
221 2.0.0 Bye
closed
have to say about this?
Wietse