From: Ernesto Silva (silva_at_athenea.ort.edu.uy)
Date: Mon Dec 02 2002 - 10:53:43 CST
Sorry I forgot the log files, ;(
Ernesto Silva
Subject: Re: TLS problem
Date: Mon, 2 Dec 2002 13:48:43 -0300
From: Ernesto Silva <silva_at_athenea.ort.edu.uy>
To: postfix-users_at_postfix.org
Thanks to Nils for pointing out the syntax error, you have a good eye. (I hate
making that kind of stupid mistake ;(
Hi Lutz,
Well...., I had already done what you said, but I also found another
problem, the "relay_clientcerts=ldap:......" directive, so I added in
"correo" (the destination server) the following:
relay_clientcerts=hash:/etc/postfix/fingerprints
and I found the fingerprint with:
openssl x509 -fingerprint -in test-certificate-file.pem
and put the result "XX.XX......XX test.ort.edu.uy" in the fingerprints file
and I also did a "postmap fingerprints". I'm really not sure what fingerprints
are (perhaps something like a crc of each certificate), but now "correo"
seems to accept the "test" (relay server) certificate.
On the other hand, now "test" doesn't verify "correo's" certificate. I
have put "correo's" CA certificate in "test" directories, and I also configured
smtp_tls_CApath=/etc/postfix/certs
and did a "c_rehash /etc/postfix/certs". Links were created.
I'm sending both log files again, I think we're getting closer, but there's
still something missing. Remember, each server has a different CA, and both
are generated locally.
Best regards,
Ernesto Silva
On Saturday 30 November 2002 19:20, Lutz Jaenicke wrote:
> On Fri, Nov 29, 2002 at 07:08:40PM -0300, Ernesto Silva wrote:
> > I'm having some trouble trying to set up tls authentication between 2
> > postfix servers. One of them, "test" is the relay server for the other,
> > "correo". "correo" is running a SuSE eMail Server 3.1(ldap,cyrus,etc)
> > with certificates for all the clients (both way authentication), it uses
> > self signed certificates.
> > "correo" only attends clients (netscape 4.8) and sends/receives email
> > to/from the world via "test".
> >
> > As "correo" always requires client authentication I must set up "test"
> > so it can connect to "correo" via tls. I followed the instructions on
> > howto.state-of-mind.de and the TLS negotiation begins correctly
> > (transport and tls_per_site seem to work fine) but ends with errors.
> > Apparently "test" detects a difference between "correo's" CommonName and
> > its connection name.
> >
> > Peer verification: CommonName in certificate does not match:
> > correo.ort.edu.uy != 192.168.20.3 (<-- this is the "correo's" ip)
>
> You connect to the IP but the certificate contains the FQDN. Make sure to
> use the same value for the CommonName and the expected server name.
> However: unless you use "enforce_tls" this is only a "warning".
>
> > Here is the configuration for "test":
> >
> > tls_random_exchange_name = /etc/postfix/prng_exch
> > tls_random_source = def:/dev/urandom
> > tls_random_seed_period = 3600s
> > tls_random_upd_period = 60s
> > tls_daemon_random_source = dev:/dev/urandom
> > smtp_use_tls = yes
> > smtp_enforce_tls = no
> > smtp_starttls_timeout = 20s
> > smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
> > smtp_tls_cert_file = /etc/postfix/certs/cert.pem
> > smtp_tls_key_file = /etc/postfix/certs/skey.pem
> > smtp_tls_enforce_peername = no
> > smtp_tls_loglevel = 2
> > smtp_tls_per_site = hash:/etc/postfix/tls_per_site
> > smtp_tls_session_cache_timeout = 360s
> >
> > I also include 2 attached files with level 3 debugging, sorry if they
> > seem too big (about 14 kb in total), but I think they may help.
> >
> > I've tried to add CA's cert from one to each other, but nothing happens,
> > I always get the same error.
>
> You are already on the correct way. The log from correo says:
> Nov 29 18:35:02 correo postfix/smtpd[17777]: Peer cert verify depth=0 /C=UY/ST=Montevideo/L=Montevideo/O=Universidad ORT Uruguay/OU=Mailserver/CN=test.ort.edu.uy/Email=postmaster@test.ort.edu.uy
> Nov 29 18:35:02 correo postfix/smtpd[17777]: verify error:num=20:unable to get local issuer certificate
> Nov 29 18:35:02 correo postfix/smtpd[17777]: verify return:0
> Nov 29 18:35:02 correo postfix/smtpd[17777]: SSL3 alert write:fatal:unknown
> Nov 29 18:35:02 correo postfix/smtpd[17777]: SSL_accept:error in SSLv3 read client certificate B
> Nov 29 18:35:02 correo postfix/smtpd[17777]: SSL_accept error from test.ort.edu.uy[164.73.96.26]: -1
>
> The verification of the client certificate fails, because the server does
> not have a local copy of the client's issuer (CA) certificate.
> As you instructed the server to _require_ (not just ask for) a client
> certificate, the failure is considered fatal and the connection is
> closed.
> Due to a bug in earlier OpenSSL implementations, the alert is not specified
> in the logfile: "fatal:unknown" (the texts for the TLSv1 alerts were simply
> forgotten).
> Solution: add the root CA issuing the client certificate to the list of
> trusted CAs of the server. If your certificate chain is longer than just
> "cert + rootCA" make sure to add the intermediate CA certificates at the
> client side.
>
> Best regards,
> Lutz
-- Sr. Ernesto Silva. Webmaster. Universidad ORT Uruguay. Cuareim 1451. Montevideo. Montevideo - 11100. Uruguay. silva_at_ort.ort.edu.uy (text only) silva_at_athenea.ort.edu.uy
- application/x-zip attachment: test.zip
- application/x-zip attachment: correo.zip
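Ernesto's guess about what a fingerprint is comes close: it is a message digest of the DER-encoded certificate, which is why it can serve as the lookup key of the relay_clientcerts table. The Python below is an added example, not code from this thread or from Postfix; it computes the fingerprint the way `openssl x509 -fingerprint` does, writes a relay_clientcerts-style table and checks a presented certificate against it, using a constructed PEM body (decoding to the bytes b"abc") in place of a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: the base64 body decodes to the bytes b"abc", not to a
# real X.509 certificate; the fingerprint logic only needs the DER bytes.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem_text):
    """Return the DER bytes of every certificate block in a PEM file."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def fingerprint(der, digest="md5"):
    """Digest of the DER encoding, formatted like `openssl x509 -fingerprint`.
    The 2002 Postfix TLS patch matched MD5 fingerprints; current Postfix picks
    the digest via smtpd_tls_fingerprint_digest."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def relay_clientcerts_table(named_pems, digest="md5"):
    """Text of a relay_clientcerts source file: one `FINGERPRINT name` line
    per certificate; postmap keys on the fingerprint, the name is free text."""
    lines = []
    for name, pem_text in named_pems:
        for der in der_from_pem(pem_text):
            lines.append("%s %s" % (fingerprint(der, digest), name))
    return "\n".join(lines) + "\n"


def lookup_client(table_text, der, digest="md5"):
    """Mimic of the permit_tls_clientcerts check: is the presented
    certificate's fingerprint a key in the table? Returns the name or None."""
    table = {}
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table.get(fingerprint(der, digest))
```

Any change to the certificate bytes (re-issuing it, even with the same key and subject) changes the fingerprint, so the table has to be rebuilt and `postmap` re-run whenever the relay's certificate is renewed.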