[Pkg-openssl-devel] Bug#648285: fails to verify client certificates
martin f krafft
madduck at debian.org
Thu Nov 10 09:47:35 UTC 2011
Package: openssl
Version: 0.9.8g-15+lenny14
Severity: important
Tags: lenny
Following yesterday's OpenSSL upgrade to …+lenny14, my TLS SMTP
clients running Sid can no longer submit e-mail to a Postfix
instance running on lenny, while being authenticated with their
client certificate.
For instance, with gnutls-cli, I get:
% sudo gnutls-cli -s --x509cafile /etc/ssl/certs/cacert.org.pem
--x509keyfile /etc/ssl/private/albatross.gern.madduck.net.pem
--x509certfile /etc/ssl/certs/albatross.gern.madduck.net.pem
-p 587 a.mx.madduck.net
Processed 2 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'a.mx.madduck.net'...
Connecting to '2001:470:9aad::1:587'...
- Simple Client Mode:
220 seamus.madduck.net ESMTP "welcome to the machine..."
ehlo myhost
250-seamus.madduck.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
A debug run with OpenSSL s_client is also attached.
On the server side, I see this (full debug with loglevel 5 attached):
postfix/smtpd[14130]: setting up TLS connection from albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]
postfix/smtpd[14130]: albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
postfix/smtpd[14130]: SSL_accept:before/accept initialization
postfix/smtpd[14130]: SSL_accept:SSLv3 read client hello B
postfix/smtpd[14130]: SSL_accept:SSLv3 write server hello A
postfix/smtpd[14130]: SSL_accept:SSLv3 write certificate A
postfix/smtpd[14130]: SSL_accept:SSLv3 write key exchange A
postfix/smtpd[14130]: SSL_accept:SSLv3 write certificate request A
postfix/smtpd[14130]: SSL_accept:SSLv3 flush data
postfix/smtpd[14130]: SSL3 alert read:fatal:bad certificate
postfix/smtpd[14130]: SSL_accept:failed in SSLv3 read client certificate A
postfix/smtpd[14130]: SSL_accept error from albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]: 0
postfix/smtpd[14130]: warning: TLS library problem: 14130:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1086:SSL alert number 42:
postfix/smtpd[14130]: lost connection after STARTTLS from albatross.gern.madduck.net[2001:a60:f0fb:0:22cf:30ff:fe2a:7c07]
SASL submission, anonymous STARTTLS, and cert-auth from Squeeze
clients continue to work.
I am a bit unsure where the source of the problem lies. Okay,
that's wrong — I have no idea and this baffles me. Since it /feels/
to me like this started right after the SSL upgrade on the Postfix
server, I am reporting it here.
Thanks,
--
.''`. martin f. krafft <madduck at d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: postfix-smtpd-debug-log.gz
Type: application/octet-stream
Size: 14478 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20111110/babbd074/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-s_client-debug-log.gz
Type: application/octet-stream
Size: 26852 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20111110/babbd074/attachment-0003.obj>
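The smtpd lines above show where the handshake died (the server never got past "read client certificate") and carry an OpenSSL error code that encodes the TLS alert. As an added example, not part of the report or of Postfix, here is a small parser that walks Postfix smtpd TLS debug output per process, records the last SSL_accept state and the alert received, and decodes the packed error code; the log text is a constructed sample modelled on the quoted lines, and the hostnames and addresses in it are placeholders.

```python
import re
# Constructed sample modelled on the smtpd lines quoted in the report (not the real log).
SAMPLE_LOG = """\
postfix/smtpd[14130]: setting up TLS connection from client.example[2001:db8::1]
postfix/smtpd[14130]: SSL_accept:SSLv3 read client hello B
postfix/smtpd[14130]: SSL_accept:SSLv3 write certificate request A
postfix/smtpd[14130]: SSL3 alert read:fatal:bad certificate
postfix/smtpd[14130]: SSL_accept:failed in SSLv3 read client certificate A
postfix/smtpd[14130]: warning: TLS library problem: 14130:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1086:SSL alert number 42:
postfix/smtpd[14131]: setting up TLS connection from other.example[192.0.2.7]
postfix/smtpd[14131]: SSL_accept:SSLv3 read client certificate A
postfix/smtpd[14131]: SSL_accept:SSLv3 read finished A
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
SETUP_RE = re.compile(r"setting up TLS connection from (?P<peer>\S+)")
STATE_RE = re.compile(r"SSL_accept:(?P<state>.*)")
ALERT_RE = re.compile(r"SSL3 alert read:(?P<level>\w+):(?P<desc>.+)")
ERR_RE = re.compile(r"error:(?P<code>[0-9a-fA-F]{8}):")

def decode_openssl_error(code: int) -> dict:
    # OpenSSL 0.9.8/1.0 ERR_PACK layout: lib (8 bits) | func (12 bits) | reason (12 bits);
    # received TLS alerts are reported as reason 1000 + alert number (0x412 = 1042 -> alert 42).
    reason = code & 0xFFF
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
            "alert": reason - 1000 if reason >= 1000 else None}

def summarize_handshakes(log_text: str) -> dict:
    # Follow each smtpd process's SSL_accept state machine and note the alert/error it hit.
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        s = sessions.setdefault(pid, {"peer": None, "last_state": None, "alert": None, "error": None})
        if (x := SETUP_RE.match(msg)):
            s["peer"] = x["peer"]
        elif (x := STATE_RE.match(msg)):
            s["last_state"] = x["state"]
        elif (x := ALERT_RE.match(msg)):
            s["alert"] = (x["level"], x["desc"])
        elif (x := ERR_RE.search(msg)):
            s["error"] = decode_openssl_error(int(x["code"], 16))
    return sessions

def client_cert_rejections(log_text: str) -> list:
    # Peers whose handshake was aborted while the server was reading their client certificate.
    return [s["peer"] for s in summarize_handshakes(log_text).values()
            if s["alert"] == ("fatal", "bad certificate") and "read client certificate" in (s["last_state"] or "")]
```

Because the alert is read by the server, it was sent by the client, so the "bad certificate" verdict here is the client's opinion of the server certificate, which matches the gnutls-cli output above.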