List:       postfix-users
Subject:    openssl s_client vs smtpd_tls_CApath = /etc/ssl/certs
From:       Bob Tanner <tanner () real-time ! com>
Date:       2005-10-05 4:51:48
Message-ID: dhvm55$god$1 () sea ! gmane ! org

Having problems getting postfix working with a self-signed cert, I searched
the mailing list and none of the other posts seem to answer my question.

I'll start by asking why I get different results between openssl s_client
connect and postfix when I have smtpd_tls_CApath = /etc/ssl/certs set up?

$ openssl s_client -connect mailhandler.az.fh.org:25 -starttls smtp -CApath /etc/ssl/certs/
CONNECTED(00000003)
<snip>
verify return:1
<snip>
     Verify return code: 0 (ok) <-- We are ok!
---
220 mailhandler.az.fh.org ESMTP server ready at

Logs from postfix show a problem with the self-signed cert

postfix/smtp[26070]: setting up TLS connection to mailhandler.az.fh.org
postfix/smtp[26070]: verify error:num=18:self signed certificate
postfix/smtp[26070]: SSL_connect error to mailhandler.az.fh.org: -1
postfix/smtp[26070]: 26070:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:
postfix/smtp[26070]: 1B130EBA26: Could not start TLS: client failure

The relevant main.cf

smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/certs/server.key
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_CAfile =  /etc/ssl/certs/server.ca
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site

Now, if I remove the -CApath from the openssl s_client, I get the same
issue/error

$ openssl s_client -connect mailhandler.az.fh.org:25 -starttls smtp
CONNECTED(00000003)
<snip>
verify error:num=18:self signed certificate
verify return:1
<snip>
    Verify return code: 18 (self signed certificate)

Reading the documentation, I understand that smtpd_tls_CApath is the "Directory
with PEM format certificate authority certificates that the Postfix SMTP
server offers to remote SMTP clients for the purpose of client certificate
verification," and using Debian's update-ca-certificates it does do the hashing
of the certs.

Any help on where to look to next?
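Added example, not part of the original post and not Postfix's own tooling. The
failing log lines above come from postfix/smtp, which is the Postfix SMTP
*client* (outbound delivery); every parameter in the quoted main.cf that names a
CA store is an smtpd_tls_* parameter, which applies only to the SMTP *server*
role. The openssl s_client run with -CApath exercises the client-side trust
store, which in Postfix is configured with smtp_tls_CApath / smtp_tls_CAfile
(real Postfix parameter names). The script below splits a main.cf into the two
roles and reports when the client role has no trust store, and it also checks
that a CApath directory really contains the <hash>.N links that OpenSSL's
hashed-directory lookup needs (a certificate copied into /etc/ssl/certs by
hand, without update-ca-certificates or c_rehash, gets no such link). The
main.cf content embedded in MAINCF_SAMPLE is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from the Postfix project):
# separate server-role (smtpd_tls_*) from client-role (smtp_tls_*) TLS trust
# settings in a Postfix main.cf, and verify a CApath directory is hashed.
# Usage: . ./tls_roles.sh; check_client_trust /etc/postfix/main.cf
#        check_capath_hashes /etc/ssl/certs

# Constructed sample main.cf, mirroring the shape of the configuration quoted
# in the post: only smtpd_tls_* trust settings, nothing for the smtp client.
MAINCF_SAMPLE='smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/ssl/certs/server.ca
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site'

# Print the value of one main.cf parameter, last assignment wins; empty if unset.
# The name is anchored on both sides so smtp_tls_CApath never matches smtpd_tls_CApath.
cf_get() {  # $1 = main.cf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report which role each CA store belongs to. Returns 0 when the SMTP client
# role (postfix/smtp) has a CApath or CAfile, 1 when it has none, in which case
# outbound TLS cannot verify any remote server certificate, self-signed or not.
check_client_trust() {  # $1 = main.cf path
    server_path=$(cf_get "$1" smtpd_tls_CApath)
    client_path=$(cf_get "$1" smtp_tls_CApath)
    client_file=$(cf_get "$1" smtp_tls_CAfile)
    echo "smtpd_tls_CApath (server verifies *client* certs): ${server_path:-<unset>}"
    echo "smtp_tls_CApath  (client verifies *remote server*): ${client_path:-<unset>}"
    echo "smtp_tls_CAfile  (client verifies *remote server*): ${client_file:-<unset>}"
    if [ -z "$client_path" ] && [ -z "$client_file" ]; then
        echo "postfix/smtp has no CA trust store: smtpd_tls_* does not apply to outbound TLS"
        return 1
    fi
    return 0
}

# Check that every PEM certificate in a CApath directory is reachable through an
# OpenSSL hash link named <subject-hash>.<n>; that is what a CApath lookup uses,
# so a .crt file dropped into the directory without such a link is invisible.
# Returns the number of certificates that lack a hash link (0 = all good).
check_capath_hashes() {  # $1 = CApath directory
    missing=0
    for pem in "$1"/*.pem "$1"/*.crt; do
        [ -f "$pem" ] || continue
        # skip files that are not X.509 certificates (keys, unrelated PEM blobs)
        hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || continue
        if ! ls "$1"/"$hash".[0-9]* >/dev/null 2>&1; then
            echo "no hash link for $pem (expected $hash.0 in $1)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run against the quoted configuration, check_client_trust reports both
smtp_tls_CApath and smtp_tls_CAfile unset and exits 1, which is the mismatch
between the s_client result and the postfix/smtp log. check_capath_hashes
answers the second half of the question: whether the directory that
update-ca-certificates maintains actually has a hash link for the self-signed
server certificate.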
