On Tue, Dec 22, 2020 at 10:57:48AM -0500, James B. Byrne wrote:

> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:SSLv3/TLS read client hello
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:SSLv3/TLS write server hello
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:SSLv3/TLS write change cipher spec
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:TLSv1.3 write encrypted extensions
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:SSLv3/TLS write certificate
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:TLSv1.3 write server certificate verify
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:SSLv3/TLS write finished
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:TLSv1.3 early data
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL3 alert read:fatal:certificate unknown
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept:error in error
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: SSL_accept error from accounting-2.internal.harte-lyne.ca[192.168.216.88]: -1
> Dec 22 10:10:08 mx32 postfix-p25/smtpd[12694]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46:
>
> It appears to me that the client is insisting on SSLv3 but that Postfix is
> looking for or replying with TLSv1.3. Would that cause a problem with the
> certificate being recognised by the client?
As I already explained, OpenSSL logs all TLS protocol versions that are SSLv3 or later via code that handles these protocols *generically*, so there is in fact no SSLv3 going on here. Neither the client nor the server is actually attempting to do SSLv3 as such. In fact the client offers TLSv1.3 and the server reciprocates.

The *ONLY* problem is that the client is not configured to trust the server's certificates. The only way to solve the problem is to accept this as a fact, and not get distracted looking for unrelated issues.

This means that the client's Java trust store does not include the issuer CA of the server certificate, and/or perhaps the server's chain is incomplete (missing intermediate certificates). It is not productive to get distracted by protocol versions, ...

-- 
Viktor.
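The two causes Viktor names (the client's trust store lacks the issuer CA, or the server's chain omits the intermediate) can be reproduced against a throwaway PKI before touching the real Java trust store. The script below is an added example, not code from the thread, from Postfix or from Viktor; it assumes an `openssl` binary providing `req`, `x509` and `verify`, and the CA names and the hostname `mx.example.test` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate
# -> leaf PKI, then run three "client-side" trust checks with openssl verify
# that model the two causes named above. Assumes openssl req/x509/verify.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config (only so -subj works without relying on a system openssl.cnf)
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions: CA profile for root/intermediate, end-entity profile for the MTA
printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ext.cnf
printf '[v3_leaf]\nbasicConstraints = critical,CA:FALSE\nsubjectAltName = DNS:mx.example.test\n' >> ext.cnf

csr() { # csr NAME SUBJECT -> NAME.key and NAME.csr (constructed names)
  openssl req -new -config req.cnf -subj "$2" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
csr root  "/CN=Example Root"
csr other "/CN=Unrelated Root"
csr int   "/CN=Example Intermediate"
csr leaf  "/CN=mx.example.test"

# Sign: two self-signed roots, an intermediate under root, the MTA leaf under int
openssl x509 -req -days 2 -in root.csr  -signkey root.key  -out root.pem  -extfile ext.cnf -extensions v3_ca 2>/dev/null
openssl x509 -req -days 2 -in other.csr -signkey other.key -out other.pem -extfile ext.cnf -extensions v3_ca 2>/dev/null
openssl x509 -req -days 2 -in int.csr  -CA root.pem -CAkey root.key -CAcreateserial -out int.pem  -extfile ext.cnf -extensions v3_ca   2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA int.pem  -CAkey int.key  -CAcreateserial -out leaf.pem -extfile ext.cnf -extensions v3_leaf 2>/dev/null

# chain_status TRUSTSTORE LEAF [INTERMEDIATES]: what the client would conclude.
# -CAfile plays the client's trust store; -untrusted is what the server sends
# alongside its own certificate. Prints OK or FAIL.
chain_status() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

echo "root trusted, server sends leaf only       : $(chain_status root.pem leaf.pem)"           # FAIL
echo "root trusted, server sends leaf + int      : $(chain_status root.pem leaf.pem int.pem)"   # OK
echo "wrong root trusted, server sends leaf + int: $(chain_status other.pem leaf.pem int.pem)"  # FAIL
```

The first and third cases are the two situations that make a client send the fatal "certificate unknown" alert seen in the log; only the second, a complete chain ending at a CA the client trusts, verifies.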