Bug#514578: libgnutls26: similar gnutls26 problem with mutt+msmtp after recent update

Chess Griffin chess at chessgriffin.com
Tue Feb 10 22:25:06 UTC 2009

* Simon Josefsson <simon at josefsson.org> [2009-02-10 22:09:18]:

> Can you reproduce the problem using gnutls-cli?  It sounds as if you
> have an RSA-MD5 signature somewhere in your chain, and the chain is
> rejected.  Please post output of running gnutls-cli against your server
> as suggested earlier in this bug.

Here is the output of gnutls-cli to mail.mxes.net on port 993, which is
Tuffmail's SSL/TLS IMAP server:

Resolving 'mail.mxes.net'...
Connecting to ''...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:


 # The hostname in the certificate matches 'mail.mxes.net'.
 # valid since: Sun Nov  9 11:01:32 EST 2008
 # expires at: Sun Jan  9 11:01:32 EST 2011
 # fingerprint: F0:F0:94:FD:2C:04:86:BF:BF:49:D1:5E:B9:B3:B0:01
 # Subject's DN: C=US,O=*.mxes.net,OU=GT40302460,OU=See www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated - RapidSSL(R),CN=*.mxes.net
 # Issuer's DN: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1

- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

I am no certificate guru, but isn't Tuffmail's cert signed by a top
level CA directly, much like Gabor's situation above?

> If you could quote some error messages from mutt and msmtp, that will
> also help -- however, to debug it is best to first try to isolate the
> problem using gnutls-cli.  If it's not possible to reproduce using
> gnutls-cli, I would suggest a mutt/msmtp problem.

The mutt issue is strange -- after libgnutls was updated, when I first
ran mutt, it acted like the Tuffmail cert was new (even though it is
saved in my ~/.mutt/mutt_certs file).  I pressed 'a' to 'accept always'
and it said 'Could not save certificate.'  So, I moved my mutt_certs and
'touched' an empty mutt_certs file and reran mutt.  This time it saved
the cert -- once.  When I ran mutt a third time, I got the message about
not being able to save the cert again!  So it works once and then won't
work again.  It is exactly the same problem mentioned here:


As to msmtp, when I try to send with the updated libgnutls26, it says
'TLS certificate verification failed: the certificate is not trusted'.
Similar to this report (which links to another Debian bug report) about
msmtp suddenly not working after a libgnutls update:


I hate to belabor this point, but my mutt and msmtp setup with Tuffmail
has worked for many years on Debian, Slackware, FreeBSD, and OpenBSD.  I
use the same configs on all.  I only experienced problems when
libgnutls26 was recently updated in Lenny.  I have downgraded to 2.4.2-4
and now everything is OK again.  In fact, that's how I can send you this
email using mutt, msmtp, through my account at Tuffmail.  :-)

If there is anything else I can provide to help debug, please do not
hesitate to ask.

Chess Griffin

More information about the Pkg-gnutls-maint mailing list