Bug#514578: libgnutls26: similar gnutls26 problem with mutt+msmtp after recent update
chess at chessgriffin.com
Tue Feb 10 22:25:06 UTC 2009
* Simon Josefsson <simon at josefsson.org> [2009-02-10 22:09:18]:
> Can you reproduce the problem using gnutls-cli? It sounds as if you
> have a RSA-MD5 signature somewhere in your chain, and the chain is
> rejected. Please post output of running gnutls-cli against your server
> as suggested earlier in this bug.

Here is the output of gnutls-cli to mail.mxes.net on port 993, which is
Tuffmail's SSL/TLS IMAP server:

Connecting to '188.8.131.52:993'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate info:
# The hostname in the certificate matches 'mail.mxes.net'.
# valid since: Sun Nov 9 11:01:32 EST 2008
# expires at: Sun Jan 9 11:01:32 EST 2011
# fingerprint: F0:F0:94:FD:2C:04:86:BF:BF:49:D1:5E:B9:B3:B0:01
# Subject's DN: C=US,O=*.mxes.net,OU=GT40302460,OU=See www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated - RapidSSL(R),CN=*.mxes.net
# Issuer's DN: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:

I am no certificate guru, but isn't Tuffmail's cert signed by a top
level CA directly, much like Gabor's situation above?

> If you could quote some error messages from mutt and msmtp, that will
> also help -- however, to debug it is best to first try to isolate the
> problem using gnutls-cli. If it's not possible to reproduce using
> gnutls-cli, I would suggest a mutt/msmtp problem.

The mutt issue is strange -- after libgnutls was updated, when I first
ran mutt, it acted like the Tuffmail cert was new (even though it is
saved in my ~/.mutt/mutt_certs file). I pressed 'a' to 'accept always'
and it said 'Could not save certificate.' So, I moved my mutt_certs and
'touched' an empty mutt_certs file and reran mutt. This time it saved
the cert -- once. When I ran mutt a third time, I got the message about
not being able to save the cert again! So it works once and then won't
work again. It is exactly the same problem mentioned here:

As to msmtp, when I try to send with the updated libgnutls26, it says
'TLS certificate verification failed: the certificate is not trusted'.
Similar to this report (which links to another Debian bug report) about
msmtp suddenly not working after a libgnutls update:

I hate to belabor this point, but my mutt and msmtp setup with Tuffmail
has worked for many years on Debian, Slackware, FreeBSD, and OpenBSD. I
use the same configs on all. I only experienced problems when
libgnutls26 was recently updated in Lenny. I have downgraded to 2.4.2-4
and now everything is OK again. In fact, that's how I can send you this
email using mutt, msmtp, through my account at Tuffmail. :-)

If there is anything else I can provide to help debug, please do not
hesitate to ask.
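
Added example, not part of the original message or of GnuTLS: a small Python helper that parses gnutls-cli output in the format quoted above and reports which issuer DN the server did not send, which is the CA the client has to find in its own trust store. The name `triage` and the result keys are hypothetical; the sample is the output from the message with the validity and fingerprint lines left out.

```python
import re

# gnutls-cli output from the message above (validity and fingerprint lines left out).
SAMPLE = """\
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate info:
 # The hostname in the certificate matches 'mail.mxes.net'.
 # Subject's DN: C=US,O=*.mxes.net,OU=GT40302460,OU=See www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated - RapidSSL(R),CN=*.mxes.net
 # Issuer's DN: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
"""


def triage(output):
    """Summarise the certificate list and verdict lines (hypothetical helper)."""
    subjects = [s.strip() for s in re.findall(r"^\s*# Subject's DN: (.+)$", output, re.M)]
    issuers = [i.strip() for i in re.findall(r"^\s*# Issuer's DN: (.+)$", output, re.M)]
    count = re.search(r"Got a certificate list of (\d+) certificates", output)
    verdicts = [v.strip() for v in re.findall(r"^- Peer's certificate (.+)$", output, re.M)]
    return {
        "announced": int(count.group(1)) if count else None,
        "parsed": len(subjects),
        # Issuers whose own certificate is not in the list the server sent;
        # a self-signed root that was sent lists itself and is excluded.
        "missing_issuers": [i for i in issuers if i not in subjects],
        "issuer_unknown": "issuer is unknown" in verdicts,
        "not_trusted": "is NOT trusted" in verdicts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    for dn in result["missing_issuers"]:
        print("CA needed in the client's trust store:", dn)
    print("issuer unknown:", result["issuer_unknown"], "| not trusted:", result["not_trusted"])
```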