SCIENTIFIC-LINUX-DEVEL Archives

January 2013

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: David Sommerseth
Date: Wed, 30 Jan 2013 17:40:31 +0100

On 30/01/13 17:01, Steven Haigh wrote:
> Hi all,
> 
> I've just been doing some work on verifying SSL certs presented when
> delivering mail using STARTTLS. The servers that run this mailing list
> do a STARTTLS - but seem to present an invalid cert:
> 
> Jan 31 02:49:24 mail postfix/smtpd[3084]: connect from
> mail03v-smtp01.fnal.gov[131.225.199.28]
> Jan 31 02:49:25 mail postfix/smtpd[3084]: setting up TLS connection from
> mail03v-smtp01.fnal.gov[131.225.199.28]
> Jan 31 02:49:26 mail postfix/smtpd[3084]: certificate verification
> failed for mail03v-smtp01.fnal.gov[131.225.199.28]: untrusted issuer
> /C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
> Jan 31 02:49:26 mail postfix/smtpd[3084]:
> mail03v-smtp01.fnal.gov[131.225.199.28]: Untrusted:
> subject_CN=mail03v-smtp01.fnal.gov, issuer=mail03v-smtp01.fnal.gov,
> fingerprint=45:43:48:94:B1:C4:F8:AC:00:C2:EC:93:9E:35:05:BF
> Jan 31 02:49:26 mail postfix/smtpd[3084]: Untrusted TLS connection
> established from mail03v-smtp01.fnal.gov[131.225.199.28]:TLSv1 with
> cipher AES128-SHA (128/128 bits)
> 
> Does anyone know what CA is being used here? None of this really seems
> as it should to me...
 
Seems to be a self-signed certificate ....

------------------------------------------------------------------
$ openssl s_client -showcerts -connect mail03v-smtp01.fnal.gov:25 -starttls smtp
CONNECTED(00000003)
depth=0 C = US, ST = IL, L = Batavia, O = Fermilab, OU = Research, CN = mail03v-smtp01.fnal.gov
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = IL, L = Batavia, O = Fermilab, OU = Research, CN = mail03v-smtp01.fnal.gov
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
   i:/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
issuer=/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
---
No client certificate CA names sent
---
SSL handshake has read 1560 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 
    Verify return code: 21 (unable to verify the first certificate)
---
250 XSHADOW
QUIT
DONE
------------------------------------------------------------------


--
kind regards

David Sommerseth
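The thread shows the same finding from two angles: Postfix logging the peer as `Untrusted:` with identical `subject_CN` and `issuer`, and `openssl s_client` printing identical `s:` and `i:` DNs with verify error 21. The script below is an added example, not code from the thread or from Postfix: it parses Postfix smtpd TLS log lines of the format quoted above and separates a self-signed certificate (issuer CN equals subject CN) from one whose CA is merely absent from `smtpd_tls_CAfile`/`smtpd_tls_CApath`, which are handled differently (the former needs the peer to fix its certificate, the latter may just need the CA added). The sample log is constructed: the `3084` session reproduces the quoted lines, while `relay.example.net` and `mx.example.org` are hypothetical peers.

```python
"""Flag inbound SMTP peers whose STARTTLS certificate Postfix could not trust.

Added example (not from the thread): it parses Postfix smtpd log lines of the
form quoted in the thread and tells a self-signed certificate (issuer CN ==
subject CN, as in the fnal.gov case) apart from one signed by a CA that is
simply missing from smtpd_tls_CAfile / smtpd_tls_CApath.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log. The 3084 session reproduces the lines quoted in the
# thread; relay.example.net and mx.example.org are hypothetical peers.
SAMPLE_LOG = """\
Jan 31 02:49:24 mail postfix/smtpd[3084]: connect from mail03v-smtp01.fnal.gov[131.225.199.28]
Jan 31 02:49:25 mail postfix/smtpd[3084]: setting up TLS connection from mail03v-smtp01.fnal.gov[131.225.199.28]
Jan 31 02:49:26 mail postfix/smtpd[3084]: mail03v-smtp01.fnal.gov[131.225.199.28]: Untrusted: subject_CN=mail03v-smtp01.fnal.gov, issuer=mail03v-smtp01.fnal.gov, fingerprint=45:43:48:94:B1:C4:F8:AC:00:C2:EC:93:9E:35:05:BF
Jan 31 02:49:26 mail postfix/smtpd[3084]: Untrusted TLS connection established from mail03v-smtp01.fnal.gov[131.225.199.28]:TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 31 03:10:02 mail postfix/smtpd[3090]: relay.example.net[192.0.2.10]: Untrusted: subject_CN=relay.example.net, issuer=Example Private CA, fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Jan 31 03:10:02 mail postfix/smtpd[3090]: Untrusted TLS connection established from relay.example.net[192.0.2.10]:TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 31 03:12:44 mail postfix/smtpd[3091]: mx.example.org[198.51.100.7]: Trusted: subject_CN=mx.example.org, issuer=Example Public CA, fingerprint=FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
Jan 31 03:12:44 mail postfix/smtpd[3091]: Trusted TLS connection established from mx.example.org[198.51.100.7]:TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# "<peer>[<ip>]: <level>: subject_CN=..., issuer=..., fingerprint=..."
CERT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<level>\w+): subject_CN=(?P<subject>[^,]*), issuer=(?P<issuer>.*?), "
    r"fingerprint=(?P<fingerprint>[0-9A-Fa-f:]+)$"
)
# "<level> TLS connection established from <peer>[<ip>]:<proto> with cipher <c> (<n>/<m> bits)"
CONN_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established from (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<protocol>\S+) "
    r"with cipher (?P<cipher>\S+) \((?P<bits>[\d/]+) bits\)"
)


def classify(subject: str, issuer: str, level: str) -> str:
    """Map what Postfix logged about a peer certificate to a verdict."""
    if subject and subject == issuer:
        # Issuer CN equals subject CN: the certificate vouches for itself.
        # openssl s_client shows the same thing when the s: and i: DNs match.
        return "self-signed"
    if level == "Untrusted":
        # Signed by a CA, but that CA is not in the server's trust store.
        return "unknown-issuer"
    return "ok"


def audit_tls_log(text: str) -> Dict[str, dict]:
    """Correlate certificate and connection lines per smtpd process id.

    Keying on pid is enough for a short excerpt; a long-running log would
    need the 'connect from' lines to split successive sessions of one pid.
    """
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m = CERT_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], {})
            s.update(peer=m["peer"], ip=m["ip"], level=m["level"],
                     subject=m["subject"], issuer=m["issuer"],
                     fingerprint=m["fingerprint"])
            s["verdict"] = classify(m["subject"], m["issuer"], m["level"])
            continue
        m = CONN_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], {})
            s.update(peer=m["peer"], ip=m["ip"], level=m["level"],
                     protocol=m["protocol"], cipher=m["cipher"], bits=m["bits"])
            if m["level"] == "Anonymous":
                s["verdict"] = "no-certificate"   # peer presented no certificate
            elif "verdict" not in s:
                s["verdict"] = "ok" if m["level"] in ("Trusted", "Verified") else "unknown-issuer"
    return sessions


def findings(sessions: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (pid, peer, verdict) for every session that is not 'ok'."""
    return sorted((pid, s["peer"], s["verdict"])
                  for pid, s in sessions.items() if s["verdict"] != "ok")


if __name__ == "__main__":
    for pid, peer, verdict in findings(audit_tls_log(SAMPLE_LOG)):
        print(f"smtpd[{pid}] {peer}: {verdict}")
```

Run against a real `mail.log` by passing its contents to `audit_tls_log`. The CN comparison is a strong hint rather than proof of self-signing, since Postfix logs only the CNs; confirm a suspected case the way the reply above does, with `openssl s_client -showcerts -starttls smtp`, where identical `s:` and `i:` DNs settle it.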
