On Wed, Feb 05, 2014 at 08:28:51PM +0000, Alan Munday wrote:

> Viktor Dukhovni wrote the following on 05/02/14 18:45:
> >On Wed, Feb 05, 2014 at 05:07:27PM +0000, Alan Munday wrote:
> >
> >>Feb 5 16:01:21 mx1 postfix/smtpd[22789]:
> >> Anonymous TLS connection established
> >> from mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]:
> >> TLSv1 with cipher AES128-SHA (128/128 bits)
> >>Feb 5 16:01:21 mx1 postfix/smtpd[22789]:
> >> lost connection after EHLO
> >> from mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]
> >
> >Your certificate chain on mx1 is somewhat unusual, the issuer CA
> >certificate has "CA:FALSE" in basic constraints:
>
> And re-creating the certificates with CA:TRUE in the [ usr_cert ]
> section of openssl.cnf appears to resolve the problem.
Now for the record your leaf certificate is also a CA, which is harmless
I imagine, but keep that in mind if you run into problems with some other
nitpicky implementation.  You're probably better off with just a
self-signed cert with CA:FALSE and no issuer CA.  (Basically your
original issuer CA was a perfectly good leaf server certificate).

And of course mx3 is still broken, STARTTLS hangs, because it is unable
to transmit the server SSL HELLO + certificate, likely due to path MTU
or other network layer issues.

-- 
	Viktor.
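The failure mode discussed in this thread (an issuer certificate carrying basicConstraints CA:FALSE, so that a peer refuses the chain) can be reproduced and checked locally before deploying a chain. The script below is an added example, not code from the thread or from Postfix; it uses the OpenSSL command line to build two throwaway chains, one whose issuer is marked CA:FALSE and one marked CA:TRUE, and then runs `openssl verify` against each. All names (example-issuer, mx1.example.test, the working directory layout) are made up for the demonstration.

```shell
#!/bin/sh
# Added example: show that a chain whose issuer says CA:FALSE fails path
# validation, while the same chain with CA:TRUE passes. Nothing here is the
# poster's real key or certificate; all subjects are hypothetical.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# make_chain <TRUE|FALSE> <dir>: build issuer + leaf under <dir>, with the
# issuer's basicConstraints set to the CA flag given as the first argument.
make_chain() {
    ca_flag=$1
    dir=$2
    mkdir -p "$dir"

    # Issuer key and CSR (hypothetical subject).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
        -subj "/CN=example-issuer" \
        -keyout "$dir/issuer.key" -out "$dir/issuer.csr" 2>/dev/null

    # Self-sign the issuer with the extensions taken from an extfile, so the
    # basicConstraints value is exactly what we asked for.
    printf 'basicConstraints=critical,CA:%s\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        "$ca_flag" > "$dir/issuer.ext"
    openssl x509 -req -in "$dir/issuer.csr" -signkey "$dir/issuer.key" \
        -days 30 -sha256 -extfile "$dir/issuer.ext" -out "$dir/issuer.pem" 2>/dev/null

    # Leaf (server) key and CSR, then sign it with the issuer; the leaf is
    # explicitly CA:FALSE, as a server certificate should be.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
        -subj "/CN=mx1.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mx1.example.test\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/issuer.pem" -CAkey "$dir/issuer.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# chain_verifies <dir>: exit status 0 when OpenSSL accepts leaf.pem with
# issuer.pem as the trust anchor, non-zero otherwise.
chain_verifies() {
    openssl verify -CAfile "$1/issuer.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# issuer_basic_constraints <dir>: print the issuer's basicConstraints value
# (e.g. "CA:FALSE") as it appears in the text dump, which is the quickest
# way to spot this misconfiguration on an existing chain.
issuer_basic_constraints() {
    openssl x509 -in "$1/issuer.pem" -noout -text \
        | grep -A1 'Basic Constraints' | tail -n1 | tr -d ' '
}

make_chain FALSE bad    # reproduces the mx1 situation from the thread
make_chain TRUE  good   # the corrected chain

for d in bad good; do
    if chain_verifies "$d"; then
        echo "$d: issuer $(issuer_basic_constraints "$d") -> chain verifies"
    else
        echo "$d: issuer $(issuer_basic_constraints "$d") -> chain REJECTED"
    fi
done
```

Run it as-is; the only requirement is an `openssl` binary on the path. The `bad` chain is rejected with OpenSSL's "invalid CA certificate" error, which is the local equivalent of the remote peer dropping the connection after EHLO, and the `issuer_basic_constraints` helper is the one-liner worth running against any issuer certificate you already have in production.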