Bug#737921: breaks debian.org SMTP TLS
Kees Cook
kees at master.debian.org
Fri May 23 20:33:53 UTC 2014
Severity: serious
This breaks SMTP TLS connections to debian.org when the client presents
a sha512 cert:
$ grep confSERVER_CERT /etc/mail/sendmail.mc
define(`confSERVER_CERT',`/etc/ssl/certs/smtp-cert.pem')dnl
$ openssl x509 -text -noout -in /etc/ssl/certs/smtp-cert.pem | grep 'Signature Algorithm'
Signature Algorithm: sha512WithRSAEncryption
client logs:
May 23 06:52:09 vinyl sm-mta[6695]: STARTTLS=client, error: connect failed=-1, SSL_error=5, errno=104, retry=-1
May 23 06:52:09 vinyl sm-mta[6695]: ruleset=tls_server, arg1=SOFTWARE, relay=mailly.debian.org, reject=403 4.7.0 TLS handshake failed.
server logs:
2014-05-23 19:21:58 TLS error on connection from smtp.outflux.net [2001:19d0:2:6:c0de:0:736d:7470] (gnutls_handshake): The signature algorithm is not supported.
-Kees