On 14/04/2013 19:46, Viktor Dukhovni wrote:
On Sun, Apr 14, 2013 at 06:31:48PM +0000, Joan Moreau wrote:
Ok, I have now a proper install of postfix / openssl / cyrus / etc... I
still get :

2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning: TLS library problem: 12926:error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
2013-04-14T20:29:45.074367+02:00 server postfix/smtpd[12926]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-14T20:29:45.074390+02:00 server postfix/smtpd[12926]: disconnect from unknown[41.137.65.121]

What shall I do to fix this?
Use a different O/S that ships working libraries. You test with:

If Postfix is 2.10 or later, test via:

$ openssl s_server \
    -key $(postconf -xh smtpd_tls_key_file) \
    -cert $(postconf -xh smtpd_tls_cert_file) \
    -accept 12345 > server.out 2>&1 &
$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out
(otherwise type the correct paths for -key and -cert). Do openssl's
s_client and s_server manage to complete an SSH handshake? Post
the output of "openssl version -a" as well as server.out and
client.out.
Ok, here it is below
client.out :
# openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1911 bytes and written 457 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4161F3711191453349D083CBAF8AD804161865478A36D4C60C260E5E5DDCF543
Session-ID-ctx:
Master-Key: 0F72DD0AEDBDCBCBB5DA9AE7B30E95D19896A4DAB03883416AA8F9B41708B43CDBD485BF323009979426AB58DF3AA2C2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 20 1e 4e 9e 57 0e 13 f7-b1 c9 50 65 81 50 ff 71    .N.W.....Pe.P.q
0010 - 85 02 93 6c 86 2e 8c 45-de 03 da 2b cf 79 6c 80   ...l...E...+.yl.
0020 - f1 e8 57 5c 74 b5 0c cd-1c d2 58 e8 aa 6e 59 c4   ..W\t.....X..nY.
0030 - 09 83 f3 c2 f0 8a 55 da-c6 1f 45 70 fb e5 1a f0   ......U...Ep....
0040 - 71 49 b0 8a 3a 4e 02 97-42 c6 59 3a d4 af 2b 91   qI..:N..B.Y:..+.
0050 - f0 bb 51 69 0e e1 19 44-05 e6 c3 03 77 e2 ab e7   ..Qi...D....w...
0060 - 39 ce bc a0 5a 1d 6c c1-50 55 b5 a4 f4 74 55 70   9...Z.l.PU...tUp
0070 - 5c 94 7e 42 05 6e 6f a0-72 8d a5 ef 27 76 eb e3   \.~B.no.r...'v..
0080 - 40 bf 3a ad 7a 8f 15 56-23 c6 9d ac b8 db 25 56   @.:.z..V#.....%V
0090 - 10 5a ee a5 76 7b b9 57-98 6f 51 d2 7a 14 d2 67   .Z..v{.W.oQ.z..g
Compression: 1 (zlib compression)
Start Time: 1365972406
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
server.out :
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
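The loopback check Viktor describes (openssl s_server on 127.0.0.1 with the Postfix key and cert, openssl s_client -state against it) can be scripted so the result is a one-line verdict rather than a transcript to read by eye. The script below is an added example written for this thread, not code from the thread or from Postfix or OpenSSL. It assumes openssl(1) is in PATH; the key path, cert path and port are arguments, and the two embedded transcripts are constructed to mimic the client.out above and a failing handshake, so the summariser can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the thread): automate the openssl s_server / s_client
# loopback test and summarise the client's view of the handshake.
# Assumptions: openssl(1) in PATH; KEY, CERT and PORT supplied by the caller.

# summarise_client_out FILE
# Reads a saved "openssl s_client -state" transcript and prints one line:
#   protocol=<p> cipher=<c> verify=<n> handshake=<ok|failed>
# handshake=ok means the state trace reached "read finished" and no
# ":SSL routines:" error line appeared; verify=<n> is the X.509 verify
# result (21 = unable to verify the first certificate, i.e. chain not sent).
summarise_client_out() {
    f="$1"
    proto=$(sed -n 's/^ *Protocol *: *//p' "$f" | head -n1)
    cipher=$(sed -n 's/^ *Cipher *: *//p' "$f" | head -n1)
    verify=$(sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' "$f" | head -n1)
    if grep -q 'read finished' "$f" && ! grep -q ':SSL routines:' "$f"; then
        hs=ok
    else
        hs=failed
    fi
    printf 'protocol=%s cipher=%s verify=%s handshake=%s\n' \
        "${proto:-none}" "${cipher:-none}" "${verify:-none}" "$hs"
}

# loopback_test KEY CERT PORT
# Starts s_server in the background, drives one s_client handshake against
# it (stdin from /dev/null so s_client exits after the handshake), stops the
# server and summarises client.out. server.out is left for inspection.
loopback_test() {
    key="$1"; cert="$2"; port="$3"
    openssl s_server -key "$key" -cert "$cert" -accept "$port" >server.out 2>&1 &
    srv=$!
    sleep 1
    openssl s_client -state -connect "127.0.0.1:$port" </dev/null >client.out 2>&1 || true
    kill "$srv" 2>/dev/null || true
    summarise_client_out client.out
}

# make_sample_transcripts DIR
# Writes two constructed transcripts (sample data, not captured output):
# ok.out follows the shape of the client.out posted in the thread; failed.out
# mimics a handshake aborted by the "cipher or hash unavailable" error.
make_sample_transcripts() {
    cat >"$1/ok.out" <<'EOF'
SSL_connect:before/connect initialization
SSL_connect:SSLv3 read server hello A
depth=0 OU = Domain Control Validated, CN = example.invalid
verify error:num=21:unable to verify the first certificate
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 21 (unable to verify the first certificate)
EOF
    cat >"$1/failed.out" <<'EOF'
SSL_connect:before/connect initialization
SSL_connect:SSLv3 read server hello A
12926:error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
Verify return code: 0 (ok)
EOF
}

# Run the live test only when key, cert and port are given on the command line.
if [ "$#" -eq 3 ]; then
    loopback_test "$@"
fi
```

With Postfix 2.10 or later the paths come straight from postconf, as in Viktor's message: `sh check_tls_loopback.sh "$(postconf -xh smtpd_tls_key_file)" "$(postconf -xh smtpd_tls_cert_file)" 12345`. A verdict of handshake=failed with an ":SSL routines:" line in client.out points at the TLS library itself, which is Viktor's diagnosis; handshake=ok with verify=21 is the benign result seen above (s_server was given only the leaf certificate, so the client cannot build a chain).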