On 30/01/13 17:01, Steven Haigh wrote:
> Hi all,
>
> I've just been doing some work on verifying SSL certs presented when
> delivering mail using STARTTLS. The servers that run this mailing list
> do a STARTTLS - but seem to present an invalid cert:
>
> Jan 31 02:49:24 mail postfix/smtpd[3084]: connect from
> mail03v-smtp01.fnal.gov[131.225.199.28]
> Jan 31 02:49:25 mail postfix/smtpd[3084]: setting up TLS connection from
> mail03v-smtp01.fnal.gov[131.225.199.28]
> Jan 31 02:49:26 mail postfix/smtpd[3084]: certificate verification
> failed for mail03v-smtp01.fnal.gov[131.225.199.28]: untrusted issuer
> /C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
> Jan 31 02:49:26 mail postfix/smtpd[3084]:
> mail03v-smtp01.fnal.gov[131.225.199.28]: Untrusted:
> subject_CN=mail03v-smtp01.fnal.gov, issuer=mail03v-smtp01.fnal.gov,
> fingerprint=45:43:48:94:B1:C4:F8:AC:00:C2:EC:93:9E:35:05:BF
> Jan 31 02:49:26 mail postfix/smtpd[3084]: Untrusted TLS connection
> established from mail03v-smtp01.fnal.gov[131.225.199.28]:TLSv1 with
> cipher AES128-SHA (128/128 bits)
>
> Does anyone know what CA is being used here? None of this really seems
> as it should to me...

Seems to be a self-signed certificate ....
------------------------------------------------------------------
$ openssl s_client -showcerts -connect mail03v-smtp01.fnal.gov:25 -starttls smtp
CONNECTED(00000003)
depth=0 C = US, ST = IL, L = Batavia, O = Fermilab, OU = Research, CN = mail03v-smtp01.fnal.gov
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = IL, L = Batavia, O = Fermilab, OU = Research, CN = mail03v-smtp01.fnal.gov
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
   i:/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
issuer=/C=US/ST=IL/L=Batavia/O=Fermilab/OU=Research/CN=mail03v-smtp01.fnal.gov
---
No client certificate CA names sent
---
SSL handshake has read 1560 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time:
    Verify return code: 21 (unable to verify the first certificate)
---
250 XSHADOW
QUIT
DONE
------------------------------------------------------------------

--
kind regards

David Sommerseth
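As an added example (not code from either poster), a small Python helper that reads the Postfix smtpd "Untrusted:" lines quoted in the thread and the "verify error" lines from the openssl s_client run, and reports whether a peer's certificate names itself as issuer (issuer equal to subject_CN, as here) or was signed by a CA the server has no trust anchor for. The second log line, its host, IP and fingerprint are constructed; the X509 code names are OpenSSL's.

```python
import re

# Postfix smtpd "Untrusted:" TLS log line, in the format the thread above shows.
UNTRUSTED_RE = re.compile(
    r"(?P<host>[\w.-]+)\[(?P<ip>[\d.]+)\]: Untrusted: subject_CN=(?P<subject>[^,]+), "
    r"issuer=(?P<issuer>[^,]+), fingerprint=(?P<fp>[0-9A-Fa-f:]+)")
# openssl s_client diagnostics such as "verify error:num=21:unable to verify ..."
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):")
# OpenSSL X509 verify result codes: 18 = self-signed leaf, 19 = self-signed cert in
# chain, 20 = issuer cert not found locally, 21 = leaf signature could not be verified.
X509_NAMES = {18: "DEPTH_ZERO_SELF_SIGNED_CERT", 19: "SELF_SIGNED_CERT_IN_CHAIN",
              20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY", 21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE"}

def classify_postfix_tls(log_lines):
    """Map each peer in Postfix 'Untrusted:' lines to the reason it failed verification."""
    peers = {}
    for line in log_lines:
        m = UNTRUSTED_RE.search(line)
        if not m:
            continue
        subject, issuer = m.group("subject"), m.group("issuer")
        # issuer equal to subject_CN: the certificate names itself as issuer (self-signed);
        # any other issuer: a CA that Postfix has no trust anchor (smtpd_tls_CAfile) for.
        peers[m.group("host")] = {
            "ip": m.group("ip"),
            "fingerprint": m.group("fp").upper(),
            "reason": "self-signed" if subject == issuer else "untrusted issuer: " + issuer,
        }
    return peers

def openssl_verify_codes(s_client_output):
    """Return (code, name) pairs for every verify error openssl s_client printed."""
    return [(int(m.group("num")), X509_NAMES.get(int(m.group("num")), "OTHER"))
            for m in VERIFY_RE.finditer(s_client_output)]

# Sample input: the Postfix line from the thread plus one constructed peer with a private CA.
LOG = [
    "Jan 31 02:49:26 mail postfix/smtpd[3084]: mail03v-smtp01.fnal.gov[131.225.199.28]: "
    "Untrusted: subject_CN=mail03v-smtp01.fnal.gov, issuer=mail03v-smtp01.fnal.gov, "
    "fingerprint=45:43:48:94:B1:C4:F8:AC:00:C2:EC:93:9E:35:05:BF",
    "Jan 31 03:10:02 mail postfix/smtpd[3091]: mx.example.org[192.0.2.10]: Untrusted: "
    "subject_CN=mx.example.org, issuer=Example Internal CA, "
    "fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",  # constructed
]
S_CLIENT = ("verify error:num=20:unable to get local issuer certificate\n"
            "verify error:num=21:unable to verify the first certificate\n")
```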