  • Viktor Dukhovni
    Feb 12, 2013
      On Tue, Feb 12, 2013 at 09:22:55AM +0100, weber@... wrote:

      > I checked the certificate with:
      > $ openssl x509 -in cert.pem -text -noout
      > and voila, 512 bit like you said.

      Do you know how you accidentally ended up with a 512-bit RSA key?
      [ Did you use the snake-oil key-pair included with the O/S? ]

      > >You can retry the s_client command with the same client certificate
      > >configured with Postfix,
      > >
      > > $ openssl s_client \
      > > -cert clientcert.pem -key clientkey.pem \
      > > -state -starttls smtp -connect mail.zbfmail.de:25
      > >
      > >I'm only able to reproduce your problem when I generate and use an
      > >insecure 512-bit RSA client certificate (not a good plan).
      > >
      > > SSL_connect:SSLv3 write client key exchange A
      > > SSL_connect:error in SSLv3 write certificate verify A
      > > SSL_connect:error in SSLv3 write certificate verify A
      > > 140735152091612:error:04075070:rsa routines:RSA_sign:digest too
      > >big for rsa key:rsa_sign.c:127:
      > > 140735152091612:error:14099006:SSL
      > >routines:SSL3_SEND_CLIENT_VERIFY:EVP lib:s3_clnt.c:2983:

      If anyone else runs into similar trouble in the future, when testing
      with "openssl s_client" compare apples-to-apples by providing the
      same settings to s_client as to Postfix. For greater generality
      also specify the same CApath and CAfile.

      With the just released Postfix 2.10 it is easy to script the right
      s_client invocation:

      #! /bin/sh

      usage() { echo "Usage: $0 [-h] [-g gateway] [-p port]" >&2; exit 1; }

      # Defaults: this host, standard SMTP port.
      gateway=$(uname -n)
      port=25

      while getopts "hg:p:" arg
      do
          case $arg in
          g) gateway="$OPTARG";;
          p) port="$OPTARG";;
          *) usage;;
          esac
      done

      # Start with the fixed s_client options, then prepend each option
      # whose Postfix parameter is set to a non-empty value.
      set -- -state -showcerts -starttls smtp -connect "$gateway:$port"
      while read f p; do
          v=$(postconf -hx "$p")
          [ -n "$v" ] && set -- "-$f" "$v" "$@"
      done <<EOF
      key smtp_tls_key_file
      cert smtp_tls_cert_file
      CApath smtp_tls_CApath
      CAfile smtp_tls_CAfile
      EOF

      openssl s_client "$@"

      When debugging TLS-library errors with connections to remote servers,
      you can quickly eliminate the local Postfix client as the culprit
      if s_client exhibits the same symptoms. Perhaps we should ship a script
      of this sort in the auxiliary/ directory of the Postfix distribution.

      > >Just relax and set:
      > >
      > > main.cf:
      > > smtp_tls_cert_file =
      > > smtp_tls_key_file =
      > >
      > >as documented in:
      > >
      > > http://www.postfix.org/TLS_README.html#client_cert_key

      Do you really need a client certificate? Is the relay configured
      with a set of trusted client certificates? You should make sure
      that the 512-bit cert is no longer trusted by the relay.

      If client certificates are not required, don't use them.
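
A check for the weak-key condition diagnosed in this thread, as an added example that is not part of the original post: it parses `openssl x509 -text -noout` output for the key size and flags RSA keys below a threshold. The function names and the 2048-bit `MIN_RSA_BITS` default are assumptions, and the sample text is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak RSA client keys.
# MIN_RSA_BITS is an assumed local policy, not a Postfix or OpenSSL setting.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# Read `openssl x509 -text -noout` output on stdin and print the key size.
# Handles both "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Read the same output on stdin; return 0 if acceptable, 1 if weak RSA,
# 2 if no key size could be parsed.
check_cert_text() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | key_bits)
    [ -n "$bits" ] || { echo "no public key size found" >&2; return 2; }
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
       [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK: ${bits}-bit RSA key (minimum $MIN_RSA_BITS)" >&2
        return 1
    fi
    echo "ok: ${bits}-bit key"
}

# Check the certificate Postfix's SMTP client is configured to present.
check_postfix_client_cert() {
    cert=$(postconf -hx smtp_tls_cert_file)
    [ -n "$cert" ] || { echo "no client certificate configured"; return 0; }
    openssl x509 -in "$cert" -text -noout | check_cert_text
}

# Constructed sample: the relevant lines of x509 -text output for a 512-bit key.
SAMPLE_512='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)'
```

Running `check_postfix_client_cert` on the mail host needs `postconf -x` (Postfix 2.10 or later) and `openssl` in the path.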

