TLS Encryption and Verification issue


TLS Encryption and Verification issue

Deeztek.com Support
I'm having a hard time with verifying certificates of remote servers
when trying to encrypt and verify using TLS.

I'm using ubuntu. Here are the relevant entries in main.cf:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

For instance, if I set gmail.com as follows in tls_policy:

gmail.com encrypt

that works fine

However, if I set it to:

gmail.com secure

I get the following error:


Nov 21 12:52:19 smtp postfix/smtp[17859]: 9277043E30:
to=<[hidden email]>,
relay=alt4.gmail-smtp-in.l.google.com[74.125.136.26]:25, delay=5.7,
delays=0.05/0.02/5.7/0, dsn=4.7.5, status=deferred (Server certificate
not verified)


I've tried this with two other domains that use 3rd party CAs with the
exact same results.

I would appreciate some help on this

Thanks

Re: TLS Encryption and Verification issue

Wietse Venema
Deeztek Support:
> Nov 21 12:52:19 smtp postfix/smtp[17859]: 9277043E30:
> to=<[hidden email]>,
> relay=alt4.gmail-smtp-in.l.google.com[74.125.136.26]:25, delay=5.7,
> delays=0.05/0.02/5.7/0, dsn=4.7.5, status=deferred (Server certificate
> not verified)

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Do you have the root certificate?

Did you tell Postfix what name to expect in the server certificate?
It does not contain the name alt4.gmail-smtp-in.l.google.com.

        Wietse

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6b:bf:ab:8f:0a:de:70:68
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Jul 15 08:56:16 2014 GMT
            Not After : Apr  4 15:15:55 2015 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=mx.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b5:dd:65:81:9b:ec:67:b2:7a:36:53:7a:c7:44:
                    76:c3:ad:fb:e4:67:34:15:9b:5e:ba:49:47:8a:57:
                    53:a1:74:88:7c:d2:06:83:fa:14:92:f1:ef:9e:6f:
                    28:59:5c:ec:7f:cb:89:c0:0b:74:04:e8:f0:c4:fa:
                    98:f9:49:2d:40:72:8a:f1:10:07:3b:7e:b9:e6:4e:
                    5f:58:8d:71:8c:37:34:46:57:46:3b:44:96:5c:72:
                    62:64:1f:1c:d1:5a:b6:33:40:84:2c:15:a3:d7:ae:
                    c9:89:2e:b7:c0:95:c1:2f:d0:25:c7:02:1e:ce:9f:
                    36:80:fb:15:c5:c9:bb:c5:df:89:14:b6:6a:c2:b0:
                    16:dc:68:b1:7c:47:e7:85:5a:3b:03:5a:78:66:c2:
                    50:e7:13:f2:3c:58:0f:93:67:a7:69:6e:41:9a:1f:
                    54:22:1e:78:73:86:f6:44:4f:ee:c5:03:74:1b:d7:
                    ee:e4:e7:79:eb:59:2e:49:f6:09:04:28:8a:c7:7d:
                    23:84:04:e8:6a:b7:19:13:de:13:d3:24:71:8e:de:
                    ef:5f:82:62:44:dd:51:52:df:cc:86:26:92:68:3f:
                    31:a3:7b:ad:c7:b8:81:30:b3:bd:02:7c:0f:b6:45:
                    d7:81:8a:93:72:21:60:74:93:75:ae:4d:45:40:11:
                    a7:fd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:aspmx.l.google.com, DNS:alt1.aspmx.l.google.com, DNS:alt2.aspmx.l.google.com, DNS:alt3.aspmx.l.google.com, DNS:alt4.aspmx.l.google.com, DNS:gmail-smtp-in.l.google.com, DNS:alt1.gmail-smtp-in.l.google.com, DNS:alt2.gmail-smtp-in.l.google.com, DNS:alt3.gmail-smtp-in.l.google.com, DNS:alt4.gmail-smtp-in.l.google.com, DNS:gmr-smtp-in.l.google.com, DNS:alt1.gmr-smtp-in.l.google.com, DNS:alt2.gmr-smtp-in.l.google.com, DNS:alt3.gmr-smtp-in.l.google.com, DNS:alt4.gmr-smtp-in.l.google.com, DNS:mx.google.com, DNS:aspmx2.googlemail.com, DNS:aspmx3.googlemail.com, DNS:aspmx4.googlemail.com, DNS:aspmx5.googlemail.com
            Authority Information Access:
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier:
                05:91:EB:C4:E3:50:DF:95:25:05:B7:E0:FE:41:FD:D3:A7:53:2B:86
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.11129.2.5.1

            X509v3 CRL Distribution Points:
                URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha1WithRSAEncryption
        71:da:5f:cb:dc:8c:87:83:51:e2:3b:66:ec:c3:e4:93:5d:62:
        2f:cd:66:0d:b4:f2:dc:bf:ec:3b:6a:75:36:b1:14:4e:25:2d:
        54:a8:55:d2:1c:0e:3b:bf:ad:b0:e4:df:77:58:91:d3:b4:14:
        14:28:91:5b:61:93:94:6a:72:e2:0b:e0:5d:d0:25:79:3e:de:
        d6:42:91:22:b0:f8:a7:b3:bd:f7:18:66:a0:a6:da:35:52:06:
        1c:c1:e8:3f:7f:77:76:6a:05:39:5f:8e:cd:d3:23:37:83:53:
        67:0c:af:2a:27:a8:e5:1b:84:ff:33:96:ca:31:6d:f3:d6:ef:
        9c:0a:49:72:99:d8:ea:c1:e8:59:e2:af:8a:80:40:e1:88:82:
        53:f5:35:09:bf:fc:0c:c6:7d:c9:7f:51:91:2a:94:27:48:28:
        b0:89:cc:91:32:a0:1f:4c:2f:2d:03:61:4a:46:d4:61:a4:4f:
        99:ef:45:8c:5a:ef:80:3c:7f:20:59:b3:4b:51:71:da:a4:b0:
        44:95:2e:03:06:cf:77:d7:0e:79:f8:be:79:70:1f:83:d3:31:
        dd:a6:58:0e:53:9b:b3:c9:56:af:08:c0:46:49:7d:1e:91:9d:
        23:85:94:4d:13:30:48:24:ae:7f:9d:67:a6:0c:15:69:af:8f:
        22:25:fd:7e
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Re: TLS Encryption and Verification issue

Deeztek.com Support

> Certificate chain
>   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
>     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> Do you have the root certificate?

Yes, the certificate for the Equifax Secure Certificate Authority is added
to the /etc/ssl/certs/ca-certificates.crt file.

> Did you tell Postfix what name to expect in the server certificate?
> It does not contain the name alt4.gmail-smtp-in.l.google.com.

What do you mean by that? Are you referring to the alternate names on
the cert?




Re: TLS Encryption and Verification issue

Wietse Venema
Deeztek Support:

>
> > Certificate chain
> >   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
> >     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> >   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
> >     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> >   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> >     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> >
> > Do you have the root certificate?
>
> Yes the certificate for Equifax Secure Certificate authority is added in
> the /etc/ssl/certs/ca-certificates.crt file
>
> > Did you tell Postfix what name to expect in the server certificate?
> > It does not contain the name alt4.gmail-smtp-in.l.google.com.
>
> what do you mean by that? Are you referring to the alternate names on
> the cert?

Postfix can match a certificate by common or alternate name, or by
its (public-key) fingerprint.  Either way, Postfix needs to know
what information it should find: some common or alternate name, or
some fingerprint.

So,  "gmail.com secure match=.google.com" might do the trick.

        Wietse
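Wietse's point above (Postfix has to be told which name to expect, and the policy-table match= attribute is how you tell it) is easier to reason about with the matching rules written out. The following is an added example, not Postfix code: it re-implements the "secure" level name check in Python according to my reading of the Postfix TLS_README, run against the subjectAltName list quoted earlier in this thread (copied by hand from the posttls-finger output, not parsed from the certificate). The policy-line parser and all function names are my own; wildcard certificate names are not handled.

```python
"""Postfix 'secure' level name matching, re-implemented for illustration.

Rules modelled (my reading of the Postfix TLS_README, not Postfix's code):
  * the default match list at the secure level is "nexthop:dot-nexthop",
    i.e. the policy-table domain itself and any sub-domain of it;
  * a pattern with a leading '.' matches any name at least one label
    below it; any other pattern must equal the name (case-insensitively);
  * DNS subjectAltNames are consulted when present; the CommonName is
    used only when the certificate has no DNS subjectAltName at all.
Wildcard certificate names are not modelled here.
"""
from typing import List, Optional, Sequence

# subjectAltName DNS entries of the gmail MX certificate as quoted in this
# thread (copied from the posttls-finger output, not parsed from the cert).
GMAIL_MX_SANS = [
    "aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
    "alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com",
    "gmail-smtp-in.l.google.com", "alt1.gmail-smtp-in.l.google.com",
    "alt2.gmail-smtp-in.l.google.com", "alt3.gmail-smtp-in.l.google.com",
    "alt4.gmail-smtp-in.l.google.com",
    "gmr-smtp-in.l.google.com", "alt1.gmr-smtp-in.l.google.com",
    "alt2.gmr-smtp-in.l.google.com", "alt3.gmr-smtp-in.l.google.com",
    "alt4.gmr-smtp-in.l.google.com",
    "mx.google.com", "aspmx2.googlemail.com", "aspmx3.googlemail.com",
    "aspmx4.googlemail.com", "aspmx5.googlemail.com",
]
GMAIL_MX_CN = "mx.google.com"


def candidate_names(san_dns: Sequence[str], cn: Optional[str]) -> List[str]:
    """Names Postfix will compare: the SAN DNS names, or the CN if there are none."""
    if san_dns:
        return list(san_dns)
    return [cn] if cn else []


def name_matches(cert_name: str, pattern: str) -> bool:
    """One certificate name against one match pattern."""
    cert_name = cert_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        # ".google.com" matches mx.google.com but not google.com itself
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    return cert_name == pattern


def expand_match_list(match_spec: str, nexthop: str) -> List[str]:
    """Expand a ':'-separated match list; 'nexthop' and 'dot-nexthop' are the
    Postfix keywords for the next-hop domain and its '.'-prefixed form."""
    patterns = []
    for item in match_spec.split(":"):
        item = item.strip()
        if item == "nexthop":
            patterns.append(nexthop)
        elif item == "dot-nexthop":
            patterns.append("." + nexthop)
        elif item:
            patterns.append(item)
    return patterns


def secure_level_match(san_dns, cn, nexthop, match_spec="nexthop:dot-nexthop"):
    """First (certificate name, pattern) pair that satisfies the policy, or None.
    With an otherwise trusted chain, None is what shows up in the log as
    'Server certificate not verified'."""
    for pattern in expand_match_list(match_spec, nexthop):
        for name in candidate_names(san_dns, cn):
            if name_matches(name, pattern):
                return name, pattern
    return None


def policy_decision(policy_line: str, san_dns, cn):
    """Evaluate one smtp_tls_policy_maps entry such as
    'gmail.com secure match=.google.com' against a certificate's names.
    Only the 'secure' level is modelled; the table key is the next-hop."""
    fields = policy_line.split()
    nexthop, level = fields[0], fields[1]
    attrs = dict(f.split("=", 1) for f in fields[2:])
    if level != "secure":
        raise ValueError("only the 'secure' level is modelled here")
    return secure_level_match(san_dns, cn, nexthop,
                              attrs.get("match", "nexthop:dot-nexthop"))


if __name__ == "__main__":
    for line in ("gmail.com secure", "gmail.com secure match=.google.com"):
        print(f"{line!r:45} -> {policy_decision(line, GMAIL_MX_SANS, GMAIL_MX_CN)}")
```

The default of nexthop and dot-nexthop is deliberate: at the "secure" level Postfix does not use the MX hostname (alt4.gmail-smtp-in.l.google.com) because that name came back from an unauthenticated DNS lookup, and anyone who can spoof the MX answer could point you at a server holding a perfectly valid certificate for its own name. Writing match=.google.com (or match=hostname, which re-introduces the DNS dependency) is therefore a policy decision, not just a way to silence the error. The "verify" level, by contrast, defaults to hostname matching.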

Re: TLS Encryption and Verification issue

Viktor Dukhovni
In reply to this post by Deeztek.com Support
On Fri, Nov 21, 2014 at 01:42:55PM -0500, Deeztek Support wrote:

>
> >Certificate chain
> >  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
> >    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> >  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
> >    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> >  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> >    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> >
> >Do you have the root certificate?
>
> Yes the certificate for Equifax Secure Certificate authority is added in the
> /etc/ssl/certs/ca-certificates.crt file

Prove it:

$ cat > issuer.pem <<EOF
 2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   cert digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
   pkey digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
EOF

$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
        -purpose crlsign issuer.pem
# prints "issuer.pem: OK" only if a trusted issuer is found in the CA file

The relevant "Authority Key Identifier" is:

    48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

> >Did you tell Postfix what name to expect in the server certificate?
> >It does not contain the name alt4.gmail-smtp-in.l.google.com.
>
> what do you mean by that? Are you referring to the alternate names on the
> cert?

The full chain is below my signature.  None of the names in that
certificate match "gmail.com", they're all "google.com" names, with
"mx.google.com" as the most appropriate name for this service.

However, before name checks come in play, you need to configure a
trusted issuer, in your CA file.

--
        Viktor.

posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: Matched subjectAltName: gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: mx.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx2.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx3.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx4.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx5.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25 CommonName mx.google.com
posttls-finger: certificate verification failed for gmail-smtp-in.l.google.com[74.125.29.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subject_CN=gmail-smtp-in.l.google.com, issuer_CN=Google Internet Authority G2, fingerprint=22:82:B3:79:69:6A:72:15:05:F2:73:FA:1E:6B:BE:36:F0:BA:01:E2, pkey_fingerprint=86:BB:05:08:F2:AF:5F:23:84:9F:BB:78:75:19:28:BF:B4:50:4F:92
posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.29.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

---
Certificate chain
 0 subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
    issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
   cert digest=22:82:B3:79:69:6A:72:15:05:F2:73:FA:1E:6B:BE:36:F0:BA:01:E2
   pkey digest=86:BB:05:08:F2:AF:5F:23:84:9F:BB:78:75:19:28:BF:B4:50:4F:92
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 subject: /C=US/O=Google Inc/CN=Google Internet Authority G2
    issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   cert digest=D8:3C:1A:7F:4D:04:46:BB:20:81:B8:1A:16:70:F8:18:34:51:CA:24
   pkey digest=43:DA:D6:30:EE:53:F8:A9:80:CA:6E:FD:85:F4:6A:A3:79:90:E0:EA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   cert digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
   pkey digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
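Viktor's question ("do you have the root?") reduces to: is there a certificate in the CA file whose Subject Key Identifier equals the Authority Key Identifier of the last certificate the server sent (48:E6:68:F9:...)? That is how OpenSSL locates an issuer before it checks any signature. The following is an added example, not Postfix or OpenSSL code and not something posted in the thread: it embeds the GeoTrust Global CA certificate quoted above, walks its DER with a small hand-written parser (no third-party modules), and runs that lookup. Because the Equifax root is not on this page, a bundle containing only the intermediate itself stands in for the poster's CA file, which is exactly the failure case being debugged.

```python
"""Locate a certificate's issuer in a CA bundle by key identifier.

Added example.  Minimal DER walker: enough to pull subjectKeyIdentifier
(2.5.29.14) and authorityKeyIdentifier (2.5.29.35) out of v3 certificates
and compare them the way OpenSSL does when it builds a chain.  It does not
verify signatures or validity periods; 'openssl verify' remains the
authoritative check."""
import base64
import re

# GeoTrust Global CA, as quoted in this thread (issuer: Equifax Secure CA).
GEOTRUST_GLOBAL_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
"""

OID_SKI = bytes.fromhex("551d0e")   # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")   # 2.5.29.35 authorityKeyIdentifier


def pem_bundle(text):
    """Every certificate in a PEM file (e.g. ca-certificates.crt), as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def extensions(der):
    """Map extension OID (raw DER bytes) -> extnValue bytes for a v3 certificate."""
    _, cs, _ = tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, ts, te = tlv(der, cs)                # tbsCertificate ::= SEQUENCE
    exts = {}
    for tag, vs, ve in children(der, ts, te):
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        _, ss, se = tlv(der, vs)            # SEQUENCE OF Extension
        for _, es, ee in children(der, ss, se):
            parts = list(children(der, es, ee))   # OID, [critical BOOLEAN], OCTET STRING
            exts[der[parts[0][1]:parts[0][2]]] = der[parts[-1][1]:parts[-1][2]]
    return exts


def hexid(raw):
    """OpenSSL's colon-separated upper-case hex form of a key identifier."""
    return ":".join("%02X" % b for b in raw)


def key_ids(der):
    """(subjectKeyIdentifier, authorityKeyIdentifier.keyIdentifier); None when absent."""
    exts, ski, aki = extensions(der), None, None
    if OID_SKI in exts:
        v = exts[OID_SKI]
        _, s, e = tlv(v, 0)                 # KeyIdentifier ::= OCTET STRING
        ski = hexid(v[s:e])
    if OID_AKI in exts:
        v = exts[OID_AKI]
        _, s, e = tlv(v, 0)                 # AuthorityKeyIdentifier ::= SEQUENCE
        for tag, ks, ke in children(v, s, e):
            if tag == 0x80:                 # [0] keyIdentifier
                aki = hexid(v[ks:ke])
    return ski, aki


def missing_issuer_keyids(chain, bundle):
    """AKIs in a server-sent chain that neither the chain nor the bundle can satisfy."""
    known = {key_ids(c)[0] for c in chain + bundle} - {None}
    return [key_ids(c)[1] for c in chain
            if key_ids(c)[1] is not None and key_ids(c)[1] not in known]


if __name__ == "__main__":
    chain = pem_bundle(GEOTRUST_GLOBAL_CA_PEM)
    print("SKI/AKI:", key_ids(chain[0]))
    # bundle stands in for a CA file that lacks the Equifax root
    print("issuers missing from bundle:", missing_issuer_keyids(chain, chain))
```

To run this against a real CA file, replace the second argument with pem_bundle(open("/etc/ssl/certs/ca-certificates.crt").read()); an empty result means a candidate issuer exists, and only then is the openssl verify command above worth running. Key-identifier matching finds a candidate, nothing more: it does not prove the signature, and both the GeoTrust intermediate and the Equifax root in this thread have long since expired, so this chain is useful today only as a worked example.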

Re: TLS Encryption and Verification issue

Viktor Dukhovni
In reply to this post by Deeztek.com Support
On Fri, Nov 21, 2014 at 12:59:01PM -0500, Deeztek Support wrote:

> I get the following error:
>
> Nov 21 12:52:19 smtp postfix/smtp[17859]: 9277043E30:
> to=<[hidden email]>,
> relay=alt4.gmail-smtp-in.l.google.com[74.125.136.26]:25, delay=5.7,
> delays=0.05/0.02/5.7/0, dsn=4.7.5, status=deferred (Server certificate not
> verified)

You're not showing the log entry for the established connection
from the Postfix TLS library.  This is rather important in this
context.

    # perl collate /var/log/mail.log |
        qid=9277043E30 perl -ne '
            BEGIN{$/="\n\n";$re=$ENV{qid}}
            print if m{$re}oi
            '
 
--
        Viktor.

(attachment: collate, 2K)
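The reason Viktor asks for the "TLS connection established" line is that Postfix logs it without a queue ID; only the delivery-status line carries the ID, and the two are tied together by the smtp(8) process that logged both. His collate script (an attachment, not reproduced on this page) does that grouping. The following is an added Python stand-in, not the collate script and not from the thread, which applies the same idea to a constructed sample log: the queue ID, relay and status text are taken from the entries quoted above, the remaining addresses, timestamps and second queue IDs are made up for the example, and the regexes assume default syslog formatting and Postfix's short upper-case hex queue IDs.

```python
"""Pull every log line for one Postfix queue ID, including the untagged TLS
lines the same smtp(8) process logged just before the delivery attempt.

Added example (a stand-in for the 'collate' attachment).  Assumes syslog
formatting and short-form queue IDs; long queue IDs need another QID_RE."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^([0-9A-F]{6,}): ")   # short-form queue ID at start of msg

# Constructed sample log, modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
Nov 21 12:52:13 smtp postfix/qmgr[1031]: 9277043E30: from=<sender@example.com>, size=1532, nrcpt=1 (queue active)
Nov 21 12:52:18 smtp postfix/smtp[17859]: Untrusted TLS connection established to alt4.gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 21 12:52:19 smtp postfix/smtp[17859]: 9277043E30: to=<user@example.com>, relay=alt4.gmail-smtp-in.l.google.com[74.125.136.26]:25, delay=5.7, delays=0.05/0.02/5.7/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Nov 21 12:52:20 smtp postfix/smtp[17860]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 21 12:52:20 smtp postfix/smtp[17860]: A1B2C3D4E5: to=<other@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.4, delays=0.01/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 21 12:53:01 smtp postfix/smtp[17859]: Untrusted TLS connection established to alt1.gmail-smtp-in.l.google.com[74.125.136.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 21 12:53:02 smtp postfix/smtp[17859]: 0A1B2C3D4E: to=<user@example.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.136.27]:25, delay=1.1, delays=0.02/0.01/1.0/0, dsn=4.7.5, status=deferred (Server certificate not verified)
"""


def collate(log_text: str, qid: str) -> list:
    """Lines that belong to `qid`, in log order.

    Delivery-status lines carry the queue ID; the TLS line does not, so it
    is recovered by process: whatever that daemon[pid] logged after its
    previous queue-ID line and before the line for `qid` is attributed to
    `qid`.  Lines for other queue IDs reset the window."""
    per_process = defaultdict(list)
    for idx, line in enumerate(log_text.splitlines()):
        m = LOG_RE.match(line)
        if m:
            per_process[(m["daemon"], m["pid"])].append((idx, m["msg"], line))

    selected = []
    for lines in per_process.values():
        window = []                     # untagged lines since the last queue-ID line
        for idx, msg, line in lines:
            q = QID_RE.match(msg)
            if q is None:
                window.append((idx, line))
                continue
            if q.group(1) == qid:
                selected.extend(window + [(idx, line)])
            window = []
    return [line for _, line in sorted(selected)]


if __name__ == "__main__":
    for line in collate(SAMPLE_LOG, "9277043E30"):
        print(line)
```

On the sample, the query for 9277043E30 returns the qmgr line, the "Untrusted TLS connection established" line from pid 17859 and the deferred delivery, and leaves out the later TLS line from the same process because it belongs to the next queue ID. The TLS line is the one that says whether the chain was trusted at all ("Untrusted" versus "Trusted" or "Verified"), which is what separates a missing root from a name mismatch.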

Re: TLS Encryption and Verification issue

A. Schulze

Viktor Dukhovni:

>     # perl collate /var/log/mail.log |
>    qid=9277043E30 perl -ne '
>    BEGIN{$/="\n\n";$re=$ENV{qid}}
>    print if m{$re}oi
>    '

Wow, what a magic script!
Thanks for publishing!

Andreas



Re: TLS Encryption and Verification issue

Deeztek.com Support
In reply to this post by Viktor Dukhovni

>
> Prove it:
>
> $ cat > issuer.pem <<EOF
>   2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>      issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>     cert digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
>     pkey digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
> -----BEGIN CERTIFICATE-----
> MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
> WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
> AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
> CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
> OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
> T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
> JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
> Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
> PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
> aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
> TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
> LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
> BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
> dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
> AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
> NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
> b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
> -----END CERTIFICATE-----
> EOF

I guess I'm confused about something. Below are the relevant entries in
my /etc/ssl/certs/ca-certificates.crt file for Google. This was obtained
by running the "openssl s_client -CAfile ca.pem -starttls smtp
-showcerts -connect alt4.gmail-smtp-in.l.google.com:25":

-----BEGIN CERTIFICATE-----
MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXdZYGb
7GeyejZTesdEdsOt++RnNBWbXrpJR4pXU6F0iHzSBoP6FJLx755vKFlc7H/LicAL
dATo8MT6mPlJLUByivEQBzt+ueZOX1iNcYw3NEZXRjtEllxyYmQfHNFatjNAhCwV
o9euyYkut8CVwS/QJccCHs6fNoD7FcXJu8XfiRS2asKwFtxosXxH54VaOwNaeGbC
UOcT8jxYD5Nnp2luQZofVCIeeHOG9kRP7sUDdBvX7uTneetZLkn2CQQoisd9I4QE
6Gq3GRPeE9MkcY7e71+CYkTdUVLfzIYmkmg/MaN7rce4gTCzvQJ8D7ZF14GKk3Ih
YHSTda5NRUARp/0CAwEAAaOCA1AwggNMMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjCCAiYGA1UdEQSCAh0wggIZghJhc3BteC5sLmdvb2dsZS5jb22CF2Fs
dDEuYXNwbXgubC5nb29nbGUuY29tghdhbHQyLmFzcG14LmwuZ29vZ2xlLmNvbYIX
YWx0My5hc3BteC5sLmdvb2dsZS5jb22CF2FsdDQuYXNwbXgubC5nb29nbGUuY29t
ghpnbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWlu
LmwuZ29vZ2xlLmNvbYIfYWx0Mi5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIf
YWx0My5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0NC5nbWFpbC1zbXRw
LWluLmwuZ29vZ2xlLmNvbYIYZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQx
Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0Mi5nbXItc210cC1pbi5sLmdv
b2dsZS5jb22CHWFsdDMuZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQ0Lmdt
ci1zbXRwLWluLmwuZ29vZ2xlLmNvbYINbXguZ29vZ2xlLmNvbYIVYXNwbXgyLmdv
b2dsZW1haWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29n
bGVtYWlsLmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tMGgGCCsGAQUFBwEBBFww
WjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDAr
BggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNV
HQ4EFgQUBZHrxONQ35UlBbfg/kH906dTK4YwDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisGAQQB1nkC
BQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAcdpfy9yMh4NR4jtm7MPkk11iL81mDbTy
3L/sO2p1NrEUTiUtVKhV0hwOO7+tsOTfd1iR07QUFCiRW2GTlGpy4gvgXdAleT7e
1kKRIrD4p7O99xhmoKbaNVIGHMHoP393dmoFOV+OzdMjN4NTZwyvKieo5RuE/zOW
yjFt89bvnApJcpnY6sHoWeKvioBA4YiCU/U1Cb/8DMZ9yX9RkSqUJ0gosInMkTKg
H0wvLQNhSkbUYaRPme9FjFrvgDx/IFmzS1Fx2qSwRJUuAwbPd9cOefi+eXAfg9Mx
3aZYDlObs8lWrwjARkl9HpGdI4WUTRMwSCSuf51npgwVaa+PIiX9fg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----




Re: TLS Encryption and Verification issue

Deeztek.com Support
On 11/21/2014 3:37 PM, Deeztek Support wrote:

>
>>
>> Prove it:
>>
>> $ cat > issuer.pem <<EOF
>>   2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>>      issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>     cert
>> digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
>>     pkey
>> digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
>> [...]
>
> I guess I'm confused about something. Below are the relevant entries in
> my /etc/ssl/certs/ca-certificates.crt file for google. This was obtained
> by running the "openssl s_client -CAfile ca.pem -starttls smtp
> -showcerts -connect alt4.gmail-smtp-in.l.google.com:25":
>
> [...]

Any thoughts on this?



Re: TLS Encryption and Verification issue

Viktor Dukhovni
On Sun, Nov 23, 2014 at 07:23:55AM -0500, Deeztek Support wrote:

> Any thoughts on this?

I have no comment on the irrelevant info I did not ask for.  You
could start by answering the questions I asked in my previous
message.

--
        Viktor.

Re: TLS Encryption and Verification issue

Deeztek.com Support
On 11/23/2014 2:02 PM, Viktor Dukhovni wrote:
> On Sun, Nov 23, 2014 at 07:23:55AM -0500, Deeztek Support wrote:
>
>> Any thoughts on this?
>
> I have no comment on the irrelevant info I did not ask for.  You
> could start by answering the questions I asked in my previous
> message.
>
Is there a requirement to be difficult when someone is asking a very
relevant question, just not the way you want the question to be asked?
Did I stumble into Jeopardy and didn't say the magic words "what is?" or
something?

You said:

cat > issuer.pem <<EOF

I don't know what that means. It means absolutely nothing to me seeing
that I have no clue what the "issuer.pem" is and where to get it.

then I said:

I guess I'm confused about something. Below are the relevant entries in
my /etc/ssl/certs/ca-certificates.crt file for google. This was obtained
by running the "openssl s_client -CAfile ca.pem -starttls smtp
-showcerts -connect alt4.gmail-smtp-in.l.google.com:25":

Which clearly indicates that I got the public keys from Google's
SMTP server. Is that not legitimate? If not, maybe you can say that
instead of ignoring me and then making snarky remarks when pressing for
an answer.





Re: TLS Encryption and Verification issue

Mike Cardwell
* on the Mon, Nov 24, 2014 at 07:13:48AM -0500, Deeztek Support wrote:

>>> Any thoughts on this?
>>
>> I have no comment on the irrelevant info I did not ask for.  You
>> could start by answering the questions I asked in my previous
>> message.
>
> is there a requirement to be difficult when someone is asking a very
> relevant question just not the way you want the question to be asked.
> Did I stumble into Jeopardy and didn't say the magic words "what is?" or
> something?
You must be new here. Don't expect to be treated in a respectful manner
on this list, you will be disappointed.

--
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4


Re: TLS Encryption and Verification issue

Wietse Venema
In reply to this post by Deeztek.com Support
Deeztek Support:

> On 11/23/2014 2:02 PM, Viktor Dukhovni wrote:
> > On Sun, Nov 23, 2014 at 07:23:55AM -0500, Deeztek Support wrote:
> >
> >> Any thoughts on this?
> >
> > I have no comment on the irrelevant info I did not ask for.  You
> > could start by answering the questions I asked in my previous
> > message.
> >
> is there a requirement to be difficult when someone is asking a very
> relevant question just not the way you want the question to be asked.

Your question was relevant, but you did not answer the questions.

> You said:
>
> cat > issuer.pem <<EOF
>
> I don't know what that means. It means absolutely nothing to me seeing
> that I have no clue what the "issuer.pem" is and where to get it.

This command CREATES the issuer.pem file. The rest of Viktor's email
walks you through some steps (see "man verify" for some description).
It would be worthwhile if you could report the results of those steps.

        Wietse

Re: TLS Encryption and Verification issue

Gerard E. Seibert
In reply to this post by Mike Cardwell
On Mon, 24 Nov 2014 13:40:40 +0000, Mike Cardwell stated:

> You must be new here. Don't expect to be treated in a respectful manner
> on this list, you will be disappointed.

I do not believe that to be a correct statement. I have always been treated
with respect, even when I ask a really stupid question. I will agree that on
rare occasions, though, Mr. Wietse Venema does appear to have woken up on
the wrong side of the bed.

--
Jerry

Re: TLS Encryption and Verification issue

Deeztek.com Support
In reply to this post by Mike Cardwell
On 11/24/2014 8:40 AM, Mike Cardwell wrote:

> You must be new here. Don't expect to be treated in a respectful manner
> on this list, you will be disappointed.
>

I'm glad I'm not the only one who feels that way. I'm not that new. I've
called him out on his rude remarks in the past.

Re: TLS Encryption and Verification issue

Wietse Venema
Deeztek Support:
> On 11/24/2014 8:40 AM, Mike Cardwell wrote:
>
> > You must be new here. Don't expect to be treated in a respectful manner
> > on this list, you will be disappointed.
> >
>
> I'm glad I'm not the only one who feels that way. I'm not that new. I've
> called him out on his rude remarks in the past.

What prevents you from answering the question?

        Wietse

Re: TLS Encryption and Verification issue

Viktor Dukhovni
In reply to this post by Viktor Dukhovni
On Fri, Nov 21, 2014 at 07:20:29PM +0000, Viktor Dukhovni wrote:

> Yes the certificate for Equifax Secure Certificate authority is added in the
> /etc/ssl/certs/ca-certificates.crt file

Prove it.  Verify the attached issuer.pem file.

$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
        -purpose crlsign issuer.pem

The relevant "Authority Key Identifier" is:

    48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

> >Did you tell Postfix what name to expect in the server certificate?
> >It does not contain the name alt4.gmail-smtp-in.l.google.com.
>
> what do you mean by that? Are you referring to the alternate names on the
> cert?

The full chain is below my signature.  None of the names in that
certificate match "gmail.com", they're all "google.com" names, with
"mx.google.com" as the most appropriate name for this service.

However, before name checks come in play, you need to configure a
working trust anchor (root CA), in your CA file or hashed CA path.

Therefore, once you've configured the correct trust anchor (and
postfix logs with "smtp_tls_loglevel=1" show "Trusted", rather than
"Untrusted"), you'll also need to set the "match" attribute in the
policy entry for gmail:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy
    tls-policy:
        gmail.com secure match=mx.google.com

Do post the logging for the transaction in question, using the
previously attached "collate script".

--
        Viktor.

posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: Matched subjectAltName: gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: mx.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx2.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx3.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx4.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx5.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25 CommonName mx.google.com
posttls-finger: certificate verification failed for gmail-smtp-in.l.google.com[74.125.29.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subject_CN=gmail-smtp-in.l.google.com, issuer_CN=Google Internet Authority G2, fingerprint=22:82:B3:79:69:6A:72:15:05:F2:73:FA:1E:6B:BE:36:F0:BA:01:E2, pkey_fingerprint=86:BB:05:08:F2:AF:5F:23:84:9F:BB:78:75:19:28:BF:B4:50:4F:92
posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.29.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

---
Certificate chain
 0 subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
    issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
   cert digest=22:82:B3:79:69:6A:72:15:05:F2:73:FA:1E:6B:BE:36:F0:BA:01:E2
   pkey digest=86:BB:05:08:F2:AF:5F:23:84:9F:BB:78:75:19:28:BF:B4:50:4F:92
 1 subject: /C=US/O=Google Inc/CN=Google Internet Authority G2
    issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   cert digest=D8:3C:1A:7F:4D:04:46:BB:20:81:B8:1A:16:70:F8:18:34:51:CA:24
   pkey digest=43:DA:D6:30:EE:53:F8:A9:80:CA:6E:FD:85:F4:6A:A3:79:90:E0:EA
 2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   cert digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
   pkey digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

issuer.pem (1K) Download Attachment
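An added example, not code from the thread or from Postfix: Viktor's two-step diagnosis above (a working trust anchor first, only then the "match=" name) applied to the certificate chain and a subset of the subjectAltName values printed in this message. The trust stores and match patterns passed in are constructed, and the leading-dot sub-domain rule is a simplification of Postfix's match semantics, assumed here rather than taken from the thread.

```python
# Added example, not code from the thread: Viktor's two checks (trust anchor
# first, then "match=") applied to the chain printed above. Chain names come
# from the posttls-finger output; SAN subset, stores and patterns are constructed.
CHAIN = [  # (subject, issuer), leaf first
    ("/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com",
     "/C=US/O=Google Inc/CN=Google Internet Authority G2"),
    ("/C=US/O=Google Inc/CN=Google Internet Authority G2",
     "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"),
    ("/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA",
     "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"),
]
# Constructed subset of the subjectAltName values printed above.
SANS = ["aspmx.l.google.com", "gmail-smtp-in.l.google.com",
        "alt4.gmail-smtp-in.l.google.com", "mx.google.com"]

def missing_trust_anchor(chain, trusted_subjects):
    """Walk leaf -> root; return the issuer that is neither supplied by the
    next chain element nor a configured trust anchor (the CA that has to be
    in smtp_tls_CAfile), or None when the chain reaches a trusted subject."""
    for i, (subject, issuer) in enumerate(chain):
        if subject in trusted_subjects:
            return None                      # reached a trust anchor
        if i + 1 < len(chain) and chain[i + 1][0] == issuer:
            continue                         # issuer is present in the chain
        return None if issuer in trusted_subjects else issuer
    return None

def name_matches(pattern, names):
    """First name matching a Postfix-style "match=" pattern: exact host name,
    or a leading "." for any sub-domain (simplified; an assumption here)."""
    for name in names:
        if pattern.startswith("."):
            if name.lower().endswith(pattern.lower()):
                return name
        elif name.lower() == pattern.lower():
            return name
    return None

def diagnose(chain, sans, trusted_subjects, match_patterns):
    """Trust anchor is checked before names, as the message explains."""
    root = missing_trust_anchor(chain, trusted_subjects)
    if root is not None:
        return "Untrusted: add CA %s to smtp_tls_CAfile" % root
    for pattern in match_patterns:
        hit = name_matches(pattern, sans)
        if hit:
            return "Trusted, match=%s matched %s" % (pattern, hit)
    return "Trusted, but no subjectAltName matches %s" % ",".join(match_patterns)
```

With an empty trust store the result names the Equifax root as the missing anchor; with that root trusted and only "gmail.com" as the pattern, the chain is trusted but no name matches, which is exactly why the policy entry needs match=mx.google.com.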