On Tue, Feb 12, 2013 at 09:22:55AM +0100, we...@zackbummfertig.de wrote:

> I checked the certificate with:
>
>     $ openssl x509 -in cert.pem -text -noout
>
> and voila, 512 bit like you said.

Do you know how you accidentally ended up with a 512-bit RSA key?
[ Did you use the snake-oil key-pair included with the O/S? ]

> > You can retry the s_client command with the same client certificate
> > configured with Postfix,
> >
> >     $ openssl s_client \
> >         -cert clientcert.pem -key clientkey.pem \
> >         -state -starttls smtp -connect mail.zbfmail.de:25
> >
> > I'm only able to reproduce your problem when I generate and use an
> > insecure 512-bit RSA client certificate (not a good plan).
> >
> >     SSL_connect:SSLv3 write client key exchange A
> >     SSL_connect:error in SSLv3 write certificate verify A
> >     SSL_connect:error in SSLv3 write certificate verify A
> >     140735152091612:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:rsa_sign.c:127:
> >     140735152091612:error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib:s3_clnt.c:2983:

If anyone else runs into similar trouble in the future, when testing
with "openssl s_client" compare apples-to-apples by providing the same
settings to s_client as to Postfix.  For greater generality also specify
the same CApath and CAfile.

With the just released Postfix 2.10 it is easy to script the right
s_client invocation:

    #! /bin/sh

    usage() { echo "Usage: $0 [-h] [-g gateway] [-p port]" >&2; exit 1; }

    # Defaults: connect to this host on port 25 unless overridden.
    gateway=$(uname -n)
    port=25

    while getopts "hg:p:" arg
    do
        case $arg in
        g) gateway="$OPTARG";;
        p) port="$OPTARG";;
        *) usage;;
        esac
    done

    # Fixed s_client arguments; the Postfix settings are prepended below.
    set -- -state -showcerts -starttls smtp -connect "$gateway:$port"

    # For each non-empty Postfix SMTP client TLS setting, add the matching
    # s_client option ("postconf -hx" needs Postfix 2.10 or later).
    while read f p; do
        v=$(postconf -hx "$p")
        [ -n "$v" ] && set -- "-$f" "$v" "$@"
    done <<EOF
    key smtp_tls_key_file
    cert smtp_tls_cert_file
    CApath smtp_tls_CApath
    CAfile smtp_tls_CAfile
    EOF

    openssl s_client "$@"

When debugging TLS-library errors with connections to remote servers,
you can quickly eliminate the local Postfix client as the culprit if
s_client exhibits the same symptoms.  Perhaps we should ship a script
of this sort in the auxiliary/ directory of the Postfix distribution.

> > Just relax and set:
> >
> >     main.cf:
> >         smtp_tls_cert_file =
> >         smtp_tls_key_file =
> >
> > as documented in:
> >
> >     http://www.postfix.org/TLS_README.html#client_cert_key

Do you really need a client certificate?  Is the relay configured with
a set of trusted client certificates?  You should make sure that the
512-bit cert is no longer trusted by the relay.  If client certificates
are not required, don't use them.

-- 
	Viktor.
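The first thing the thread establishes is the key size behind the Postfix client certificate. As an added example (not from Viktor's message or the Postfix distribution), a small POSIX sh script that reads the key size from "openssl x509 -text" output for the certificate named by smtp_tls_cert_file and flags keys below an assumed policy minimum (MIN_BITS, default 2048); it assumes openssl and postconf are on PATH.

```shell
#!/bin/sh
# Added example: report the public key size of the certificate Postfix
# presents as an SMTP client and flag keys below a minimum.
# Assumptions: openssl and postconf on PATH; MIN_BITS is a local policy choice.
MIN_BITS=${MIN_BITS:-2048}

# Extract the key size from "openssl x509 -text" output; OpenSSL releases
# print either "Public-Key: (512 bit)" or "RSA Public-Key: (512 bit)".
key_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify a parsed size: prints "weak", "ok", or "unknown" (nothing parsed).
classify_bits() {
    bits=$1
    case "$bits" in
    '' | *[!0-9]*) echo unknown ;;
    *) if [ "$bits" -lt "$MIN_BITS" ]; then echo weak; else echo ok; fi ;;
    esac
}

# Check one PEM certificate file; exit status 1 unless the key is "ok".
check_cert() {
    cert=$1
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null | key_bits)
    verdict=$(classify_bits "$bits")
    printf '%s: %s-bit key: %s (minimum %s)\n' \
        "$cert" "${bits:-?}" "$verdict" "$MIN_BITS"
    [ "$verdict" = ok ]
}

# With no arguments, check the certificate configured in main.cf
# ("postconf -hx" needs Postfix 2.10+).  An empty smtp_tls_cert_file means
# Postfix presents no client certificate at all, which is also a valid state.
main() {
    if [ $# -eq 0 ]; then
        cert=$(postconf -hx smtp_tls_cert_file 2>/dev/null)
        [ -n "$cert" ] || { echo "smtp_tls_cert_file is empty: no client certificate is used"; return 0; }
        set -- "$cert"
    fi
    status=0
    for c in "$@"; do check_cert "$c" || status=1; done
    return $status
}

main "$@"
```

Pass one or more PEM files as arguments to check certificates other than the configured one.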