[Pkg-openssl-devel] Bug#648285: fails to verify client certificates
Raphael Geissert
geissert at debian.org
Fri Nov 11 03:16:14 UTC 2011
Hi Martin,
On Thursday 10 November 2011 03:47:35 martin f krafft wrote:
> I am a bit unsure, where the source of the problem lies. Okay,
> that's wrong — I have no idea and this baffles me. Since it /feels/
> to me like this started right after the SSL upgrade on the Postfix
> server, I am reporting it here.
Thanks for the report. I very much doubt the patch in lenny14 has anything to
do with it; it is very well restricted to x509's verify_cert routine and
should simply make it return a CERT_REVOKED error.
As the easiest way to rule out that the issue comes from the upgrade, could you
please downgrade libssl0.9.8 to lenny13? (only in squeeze, not in
squeeze-sec.)
Additionally, and this bit is what might be the most relevant, had you already
upgraded to lenny13 and restarted postfix before upgrading to lenny14?
CVE-2011-3210, related to DH and ECDH, was fixed in lenny13. Since you are
using EDH-RSA I think that could be the origin of the problem. Just to make
sure, you could downgrade to lenny12, test, upgrade to lenny13, test, and then
upgrade to lenny14.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net