On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
> subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
> fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D

Certificate details:

    $ openssl x509 -md5 -fingerprint -text -in cert.pem
    MD5 Fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 162 (0xa2)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=DE, O=GAD EG, OU=VR IDENT, CN=VR IDENT SSL CA 2011
            Validity
                Not Before: Jul 13 11:18:43 2012 GMT
                Not After : Aug 13 21:59:59 2013 GMT
            Subject: C=DE, ST=HESSEN, L=WIESBADEN, O=DEUTSCHER GENOSSENSCHAFTS-VERLAG EG, OU=ORGANISATION, CN=DGVDEX.DGVERLAG.DE
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Authority Information Access:
                    OCSP - URI:http://ocsp.vr-ident.de/gtnocsp/OCSPResponder/VR%20Ident%20SSL%20CA%202011
                X509v3 Authority Key Identifier:
                    keyid:50:52:4F:44:2E:47:54:4E:2E:45:58:53:53:4C:43:41:2E:53:49:47:47:45:4E:52:53:2E:30:30:30:30:32:32:30:30
                    DirName:/C=DE/O=GAD EG/OU=VR IDENT/CN=VR IDENT EXTERNAL ROOT CA 2011
                    serial:04
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://www.vr-ident.de/gtncrl/CRLResponder/VR%20Ident%20SSL%20CA%202011
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Subject Key Identifier:
                    60:1E:93:11:E3:BA:7D:19:A6:88:FB:DD:8E:90:73:50:47:E7:CB:20
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
        Signature Algorithm: sha256WithRSAEncryption

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] Untrusted TLS connection established from
> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

From above:

    Signature Algorithm: sha256WithRSAEncryption

It looks like your OpenSSL library does not enable this via
OpenSSL_add_ssl_algorithms(). The use of certificates with signature
algorithms other than MD5 and SHA-1 is supposed to be negotiated via
TLSv1.2; plain SSLv3/TLSv1 do not have a way to negotiate these, and
clients or servers that use SHA-2 signatures will run into
interoperability problems.

> Does the message
>
> TLS library problem: 22673:error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146
>
> indicate a problem on our side?

A misconfiguration on their side, and lack of support for SHA-2
signatures on your side.

> Please let me know if you need any further information.
> Below the log
> output with debug_peer_list:

Can you report the output of "ldd /usr/libexec/postfix/smtpd" (smtpd is
in $daemon_directory, adjust as necessary). That will help nail down
the exact OpenSSL version in use. Also report the O/S distribution and
version of the package that contains the libssl that smtpd depends on.

I would have expected SHA-2 support as of OpenSSL 1.0.0a.

$ git diff OpenSSL_1_0_0..OpenSSL_1_0_0a ssl/ssl_algs.c
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index a26ae43..0967b2d 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -105,6 +105,14 @@ int SSL_library_init(void) EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);

--
Viktor.
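
Review bot: The four added EVP_add_digest() calls in SSL_library_init() carry no comment saying why the SHA-2 digests are registered here, while the neighbouring dss1 line is annotated (/* DSA with sha1 */). A one-line comment that they are needed to verify certificates signed with SHA-2 algorithms such as sha256WithRSAEncryption would help the next reader. The #ifndef OPENSSL_NO_SHA256 and #ifndef OPENSSL_NO_SHA512 guards also mean a build with either macro defined still registers none of the corresponding digests, so that configuration keeps the pre-change behaviour; that is worth stating in the change notes.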
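
A log triage sketch for the symptom discussed in this thread, as an added example that is not part of the original message: it pairs each "unknown message digest algorithm" warning with the preceding "Untrusted:" peer logged by the same smtpd PID, listing the peers whose certificates the local OpenSSL could not verify. The function name, the one-connection-per-process assumption and the last two sample lines are constructed for illustration.

```python
import re

# smtpd syslog prefix; the "[ID n facility.level]" tag (Solaris syslog) is optional.
PREFIX = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)")
UNTRUSTED = re.compile(
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: Untrusted: subject_CN=(?P<cn>[^,]*), "
    r"issuer=(?P<issuer>.*), fingerprint=(?P<fp>[0-9A-Fa-f:]+)")
DIGEST_ERR = "unknown message digest algorithm"

def peers_with_unverifiable_digest(lines):
    """Peers whose certificate signature digest the local OpenSSL did not know.

    Assumption: one smtpd process serves one connection at a time, so the
    library warning belongs to the last "Untrusted:" peer logged by that PID.
    """
    last_peer = {}  # pid -> fields of the most recent "Untrusted:" line
    hits = []
    for line in lines:
        m = PREFIX.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        peer = UNTRUSTED.match(msg)
        if peer:
            last_peer[pid] = peer.groupdict()
        elif "TLS library problem" in msg and DIGEST_ERR in msg:
            if pid in last_peer:
                hits.append(last_peer.pop(pid))
    return hits

# The first three lines follow the log quoted in the thread; the last two are
# constructed (documentation host and address) to show a peer that is merely
# untrusted, with no digest error.
SAMPLE_LOG = [
    "Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] "
    "mail.dgverlag.de[145.253.80.6]: Untrusted: subject_CN=DGVDEX.DGVERLAG.DE, "
    "issuer=VR IDENT SSL CA 2011, fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D",
    "Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] Untrusted TLS "
    "connection established from mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)",
    "Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731 mail.warning] warning: TLS library "
    "problem: 5847:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:",
    "Jun 14 10:25:02 rv-smtpext-101 postfix/smtpd[6001]: [ID 197553 mail.info] mx.example.net[192.0.2.10]: "
    "Untrusted: subject_CN=mx.example.net, issuer=Example Test CA, fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
    "Jun 14 10:25:02 rv-smtpext-101 postfix/smtpd[6001]: [ID 197553 mail.info] Untrusted TLS "
    "connection established from mx.example.net[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)",
]

if __name__ == "__main__":
    for p in peers_with_unverifiable_digest(SAMPLE_LOG):
        print(f"{p['host']}[{p['ip']}] issuer={p['issuer']} fingerprint={p['fp']}")
```
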