Pietro Romanazzi
On postfix 2.5.7 running on Red Hat Enterprise Linux AS release 4 (Nahant Update 8) I've
got the following error message:

Dec 15 12:09:56 lin2a postfix/smtpd[14097]: connect from[]
Dec 15 12:09:56 lin2a postfix/smtpd[14097]: setting up TLS connection from[]
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: SSL_accept error from[]: 0
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: warning: TLS library problem:
14097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48:
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: lost connection after STARTTLS from[]
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: disconnect from[]

in there are the following lines concerning TLS

smtp_tls_CAfile =
smtp_tls_CApath = /etc/postfix/secure
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = 
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

smtpd_tls_auth_only = no
smtpd_tls_ask_ccert = no
smtpd_tls_CAfile = /etc/postfix/secure/UTNAddTrustSGCCA.pem
smtpd_tls_CApath = /etc/postfix/secure
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/secure/dns1_rupar_puglia_it.pem
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/postfix/secure/dns1-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = 
smtpd_tls_session_cache_timeout = 3600s

I've put into /etc/postfix/secure the CA certificate of the peer and I've c_rehash(ed) the

With OpenSSL (simulating the opposite flow) I have the following:

[schemas@lin2a ~]$ openssl s_client -connect -starttls smtp -CApath
depth=1 /C=IT/ST=Italy/L=Milan/O=Fastweb S.p.A./OU=Webfarm/CN=CA Fastweb
verify return:1
depth=0 /C=IT/ST=Milano/L=Milano/O=FASTWEB SPA/OU=aa002pec.smtpout.fastweb-
verify return:1
Certificate chain
 0 s:/C=IT/ST=Milano/L=Milano/O=FASTWEB SPA/OU=aa002pec.smtpout.fastweb-
   i:/C=IT/ST=Italy/L=Milan/O=Fastweb S.p.A./OU=Webfarm/CN=CA Fastweb
Server certificate
subject=/C=IT/ST=Milano/L=Milano/O=FASTWEB SPA/OU=aa002pec.smtpout.fastweb-
issuer=/C=IT/ST=Italy/L=Milan/O=Fastweb S.p.A./OU=Webfarm/CN=CA Fastweb
No client certificate CA names sent
SSL handshake has read 838 bytes and written 338 bytes
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: F1ED284BAAC70300000000000000000500007274
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1260973553
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
220 ESMTP Service ready

It seems that the certificate is good and the handshake ends with success.

The OpenSSL version is

OpenSSL> version
OpenSSL 0.9.7a Feb 19 2003

discarding EHLO keywords selectively (STARTTLS) with smtpd_discard_ehlo_keyword_address_maps
is NOT a possible solution in this specific context.

Any idea?

Best Regards,

Pietro Romanazzi
InnovaPuglia S.p.a
Centro Tecnico RUPAR Puglia
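The log excerpt in the message names the failure only by OpenSSL error string and TLS alert number. The following helper is an added example and not part of the original message or of Postfix: it parses syslog lines of that shape, groups them by postfix process id, and reports which side sent the alert (an alert that smtpd reads during SSL_accept was sent by the connecting client, so it is the client that could not validate the server's chain) together with the main.cf setting to check. The log lines embedded in it are constructed, modeled on the excerpt with placeholder host names and RFC 5737 addresses; the outbound postfix/smtp session is added for contrast and shows the other case, a local verification failure with no alert number.

```python
import re
from collections import defaultdict

# Constructed sample log: the smtpd session mirrors the excerpt in the post
# (host names and addresses are placeholders); the smtp session is added
# for contrast and is also constructed.
SAMPLE_LOG = """\
Dec 15 12:09:56 lin2a postfix/smtpd[14097]: connect from client.example[192.0.2.10]
Dec 15 12:09:56 lin2a postfix/smtpd[14097]: setting up TLS connection from client.example[192.0.2.10]
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: SSL_accept error from client.example[192.0.2.10]: 0
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: warning: TLS library problem: 14097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48:
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: lost connection after STARTTLS from client.example[192.0.2.10]
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: disconnect from client.example[192.0.2.10]
Dec 15 12:10:03 lin2a postfix/smtp[14120]: setting up TLS connection to relay.example[198.51.100.5]:25
Dec 15 12:10:03 lin2a postfix/smtp[14120]: warning: TLS library problem: 14120:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1025:
Dec 15 12:10:03 lin2a postfix/smtp[14120]: SSL_connect error to relay.example[198.51.100.5]:25: -1
"""

# TLS alert descriptions (subset of RFC 5246 section 7.2).
ALERT_NAMES = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"\b(?:from|to) (?P<peer>\S+\[[^\]]*\](?::\d+)?)")
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")
VERIFY_RE = re.compile(r"certificate verify failed")


def diagnose(prog, alert, local_verify_failed):
    """Say which side rejected what, and which main.cf setting to look at."""
    if alert is not None:
        name = ALERT_NAMES.get(alert, "unassigned")
        # The alert is *read* from the peer: in smtpd (SSL_accept) it comes from
        # the connecting client, in smtp (SSL_connect) from the remote server.
        side = ("sent by the connecting client during SSL_accept" if prog == "smtpd"
                else "sent by the remote server during SSL_connect")
        hint = ""
        if name == "unknown_ca" and prog == "smtpd":
            hint = ("; the client could not build a trusted chain for our certificate: "
                    "check that smtpd_tls_cert_file contains the leaf and the intermediate "
                    "CA certificates, then test with openssl s_client -starttls smtp")
        elif name == "unknown_ca":
            hint = "; the server could not build a trusted chain for our client certificate"
        return f"alert {alert} ({name}) {side}{hint}"
    if local_verify_failed:
        # No alert number: OpenSSL on this host rejected the peer's chain, so the
        # trust store to check is our own smtp_tls_CAfile / smtp_tls_CApath.
        return ("local verification of the peer chain failed; check smtp_tls_CAfile / "
                "smtp_tls_CApath and re-run c_rehash on the CApath directory")
    return "no TLS library problem logged"


def analyse(log_text):
    """Group lines by (program, pid) and return one finding per TLS session."""
    sessions = defaultdict(lambda: {"prog": None, "pid": None, "peer": None,
                                    "alert": None, "verify_failed": False, "tls": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        s = sessions[(prog, pid)]
        s["prog"], s["pid"] = prog, pid
        p = PEER_RE.search(msg)
        if p and s["peer"] is None:
            s["peer"] = p.group("peer")
        if "TLS connection" in msg:
            s["tls"] = True
        a = ALERT_RE.search(msg)
        if a:
            s["alert"] = int(a.group("num"))
        if VERIFY_RE.search(msg):
            s["verify_failed"] = True
    return [
        {"prog": s["prog"], "pid": s["pid"], "peer": s["peer"], "alert": s["alert"],
         "diagnosis": diagnose(s["prog"], s["alert"], s["verify_failed"])}
        for s in sessions.values() if s["tls"]
    ]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['prog']}[{f['pid']}] peer={f['peer']}: {f['diagnosis']}")
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents; the distinction it makes (alert number received from the peer versus a local verify failure with no alert) is the first thing to establish before touching either CApath, because the two cases point at trust stores on opposite ends of the connection.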