[Pkg-openssl-devel] Bug#573748: Bug#573748: libssl0.9.8: unknown message digest algorithm error in postfix

Kurt Roeckx kurt at roeckx.be
Sun Mar 14 11:31:33 UTC 2010


On Sun, Mar 14, 2010 at 09:23:48AM +0100, Richard van den Berg wrote:
> On 13-3-10 20:19 , Kurt Roeckx wrote:
> >This works for me:
> >openssl s_client -CAfile ./vdberg.org.ca.pem -connect vdberg.org:26 -starttls smtp
> 
> Interesting. Does this mean the issue is with postfix only? I
> checked the postfix code and there is no use of
> X509_V_FLAG_CHECK_SS_SIGNATURE that grep can find. I am running
> 2.6.5-3 (2.5.5-1.1 had the same issue). Setting smtpd_tls_loglevel =
> 3 gives:
> 
> Mar 14 08:47:04 majoron postfix/smtpd[31776]: SSL_accept:error in
> SSLv3 read client certificate A
> Mar 14 08:47:04 majoron postfix/smtpd[31776]: SSL_accept error from
> 82-171-xxx-yyy.ip.telfort.nl[82.171.xxx.yyy]: -1
> Mar 14 08:47:04 majoron postfix/smtpd[31776]: warning: TLS library
> problem: 31776:error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:
> 
> Does this mean the issue is with the client certificate instead of
> the server certificate? I am testing with Thunderbird 3.0.3 without
> any client certificates, and s_client. Even without the -CAfile the
> issue is triggered server side:
> 
> openssl s_client -connect vdberg.org:25 -starttls smtp

Since you're testing without client certificate, it shouldn't
be a client certificate issue, so I'm not getting it.  The
error seems to be about client certificates.

> I'm attaching postfix.pem in case it helps. I can also sign a test
> certificate with my CA if needed.

I think postfix sends me the postfix.pem anyway.

> PS: my server is back to libssl0.9.8_0.9.8k-8 now, so the s_client
> test will succeed now

I guess that's why it works for me.

Can you reproduce it using an s_server and s_client?


Kurt
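
The s_server/s_client reproduction asked for above could look like the following (an added example, not part of the original message). The throwaway CA, the certificate subjects, port 14433, and the use of -verify 1 so that the server requests a client certificate are assumptions; run it once against each libssl version under test and compare the result line.

```shell
#!/bin/sh
# Added example: local TLS reproduction harness built on openssl s_server and
# s_client. File names, subjects and the port are constructed for this test.
repro_tls() {
    port="${1:-14433}"                    # assumed to be a free local port
    dir="$(mktemp -d)" || return 1
    (
        cd "$dir" || exit 1
        # Throwaway CA plus a server certificate signed by it; these stand in
        # for vdberg.org.ca.pem and postfix.pem from the thread.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
            -keyout ca.key -out ca.pem >/dev/null 2>&1 || exit 1
        openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
            -keyout srv.key -out srv.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1 -out srv.pem >/dev/null 2>&1 || exit 1
        # -verify 1 requests (does not require) a client certificate;
        # -www keeps s_server from reading stdin and exiting on EOF.
        openssl s_server -accept "$port" -cert srv.pem -key srv.key \
            -CAfile ca.pem -verify 1 -www >server.log 2>&1 &
        srv=$!
        sleep 1
        openssl s_client -connect "127.0.0.1:$port" -CAfile ca.pem \
            </dev/null >client.log 2>&1 || true
        kill "$srv" 2>/dev/null || true
        wait "$srv" 2>/dev/null || true
        code="$(sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' client.log | head -n 1)"
        if grep -q "unknown message digest algorithm" server.log client.log; then
            digest=yes
        else
            digest=no
        fi
        echo "verify=${code:-none} digest_error=$digest"
    ) && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Swapping the generated srv.pem and ca.pem for the real certificates shows whether the error follows the certificate or the library build.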





