Bug#514578: libgnutls26: similar gnutls26 problem with mutt+msmtp after recent update
Chess Griffin
chess at chessgriffin.com
Tue Feb 10 22:25:06 UTC 2009
* Simon Josefsson <simon at josefsson.org> [2009-02-10 22:09:18]:
> Can you reproduce the problem using gnutls-cli? It sounds as if you
> have an RSA-MD5 signature somewhere in your chain, and the chain is
> rejected. Please post output of running gnutls-cli against your server
> as suggested earlier in this bug.
Here is the output of gnutls-cli to mail.mxes.net on port 993, which is
Tuffmail's SSL/TLS IMAP server:
Resolving 'mail.mxes.net'...
Connecting to '216.86.168.198:993'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'mail.mxes.net'.
# valid since: Sun Nov 9 11:01:32 EST 2008
# expires at: Sun Jan 9 11:01:32 EST 2011
# fingerprint: F0:F0:94:FD:2C:04:86:BF:BF:49:D1:5E:B9:B3:B0:01
# Subject's DN: C=US,O=*.mxes.net,OU=GT40302460,OU=See www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated - RapidSSL(R),CN=*.mxes.net
# Issuer's DN: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
I am no certificate guru, but isn't Tuffmail's cert signed by a top
level CA directly, much like Gabor's situation above?
>
> If you could quote some error messages from mutt and msmtp, that will
> also help -- however, to debug it is best to first try to isolate the
> problem using gnutls-cli. If it's not possible to reproduce using
> gnutls-cli, I would suggest a mutt/msmtp problem.
>
The mutt issue is strange -- after libgnutls was updated, when I first
ran mutt, it acted like the Tuffmail cert was new (even though it is
saved in my ~/.mutt/mutt_certs file). I pressed 'a' to 'accept always'
and it said 'Could not save certificate.' So, I moved my mutt_certs and
'touched' an empty mutt_certs file and reran mutt. This time it saved
the cert -- once. When I ran mutt a third time, I got the message about
not being able to save the cert again! So it works once and then won't
work again. It is exactly the same problem mentioned here:
http://does-not-exist.org/mail-archives/mutt-users/msg04515.html

As to msmtp, when I try to send with the updated libgnutls26, it says
'TLS certificate verification failed: the certificate is not trusted'.
Similar to this report (which links to another Debian bug report) about
msmtp suddenly not working after a libgnutls update:
http://ubuntuforums.org/showthread.php?t=996779

I hate to belabor this point, but my mutt and msmtp setup with Tuffmail
has worked for many years on Debian, Slackware, FreeBSD, and OpenBSD. I
use the same configs on all. I only experienced problems when
libgnutls26 was recently updated in Lenny. I have downgraded to 2.4.2-4
and now everything is OK again. In fact, that's how I can send you this
email using mutt, msmtp, through my account at Tuffmail. :-)

If there is anything else I can provide to help debug, please do not
hesitate to ask.
--
Chess Griffin