On Fri, Feb 07, 2014 at 10:40:37PM +0000, Alan Munday wrote:

> > Usually, the CA certificate is created using a different extension
> > section (not "usr_cert"). You then have "CA:FALSE" in "usr_cert",
> > and "CA:TRUE" in the CA extension section.
>
> I'll try this.
Should not be too hard. In your case, as I suggested upstream, a simple
self-signed certificate with no issuing CA is quite sufficient: assuming a
suitable private key in key.pem, a self-signed cert is just one command:

    openssl req -x509 -sha1 -new -key key.pem -out newcert.pem \
        -subj "/CN=$(uname -n)" -days 3650

> The ISP suggested taking the MTU down to 1400 and if that did not
> work to try changing the encapsulation type from PPPoA to PPPoE.
> Moving to PPPoE was the option that worked.
>
> That was at about 17:00 and I've not seen any TLS establishment
> failures since.

Indeed, looks like you're done. The below is not self-signed, but nobody
cares really. No need to post-pend an issuer CA nobody trusts to the chain.

    $ openssl s_client -showcerts -starttls smtp \
        -connect "mx3.brightheadtechnology.com:25" 2>/dev/null |
      openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
      openssl pkcs7 -print_certs -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: aa:a7:18:c2:d0:a6:8d:40
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=GB, ST=Suffolk, O=Brighthead Technology Limited, OU=Mailserver, CN=mx3.brightheadtechnology.com/emailAddress=postmas...@brightheadtechnology.com
            Validity
                Not Before: Feb 7 22:47:21 2014 GMT
                Not After : Feb 7 22:47:21 2015 GMT
            Subject: C=GB, ST=Suffolk, O=Brighthead Technology Limited, OU=Mailserver, CN=mx3.brightheadtechnology.com/emailAddress=postmas...@brightheadtechnology.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    EC:13:5F:DC:48:44:72:8C:F1:E1:84:C0:C0:58:46:B9:CF:C8:03:64
                X509v3 Authority Key Identifier:
                    keyid:F3:4C:36:F3:3F:B4:3A:8B:12:AF:2B:DE:37:2E:10:55:9A:6A:5C:A6
        Signature Algorithm: sha1WithRSAEncryption

-- 
Viktor.
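An added example (mine, not Viktor's or Alan's): it mints a self-signed server certificate with a usr_cert-style CA:FALSE section, then a certificate with the same subject DN issued by a separate private CA (the situation in the dump above, where issuer and subject match but the Subject and Authority Key Identifiers differ), and checks which of the two is actually self-signed. It assumes the openssl command-line tool is installed; the hostname mx.example.test and every file name are made up.

```shell
# Added example, not from the thread: mint a self-signed server cert as the
# reply suggests, plus a cert with the SAME subject DN issued by a private CA,
# then tell the two apart. Assumes the openssl CLI; names/paths are made up.
set -e
WORK=$(mktemp -d)
CN="mx.example.test"
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# 1) Self-signed end-entity cert: one command, no issuing CA at all.
make_self_signed() {
    newkey "$WORK/key.pem"
    openssl req -x509 -sha256 -new -key "$WORK/key.pem" -out "$WORK/newcert.pem" \
        -subj "/CN=$CN" -days 3650 -config "$WORK/req.cnf" -extensions usr_cert
    echo "$WORK/newcert.pem"
}

# 2) Same subject DN, but signed by a separate CA key (CA:TRUE on the CA).
make_ca_signed() {
    newkey "$WORK/cakey.pem"
    openssl req -x509 -sha256 -new -key "$WORK/cakey.pem" -out "$WORK/ca.pem" \
        -subj "/CN=$CN" -days 3650 -config "$WORK/req.cnf" -extensions v3_ca
    newkey "$WORK/srvkey.pem"
    openssl req -new -key "$WORK/srvkey.pem" -subj "/CN=$CN" -out "$WORK/srv.csr" -config "$WORK/req.cnf"
    openssl x509 -req -sha256 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$WORK/req.cnf" -extensions usr_cert \
        -out "$WORK/srv.pem" 2>/dev/null
    echo "$WORK/srv.pem"
}
# Self-signed iff the cert verifies with itself as the only trust anchor. Equal
# issuer/subject DNs prove nothing: both certs above share one DN, and only the
# Subject vs. Authority Key Identifier (and the signature) reveal the signer.
is_self_signed() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }
# basicConstraints as printed in a -text dump, e.g. "CA:FALSE".
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}
```

Running `make_self_signed` and `make_ca_signed` and feeding the paths to `is_self_signed` shows that only the first verifies against itself, even though `openssl x509 -noout -subject -issuer` prints identical DNs for both.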