Re: [exim] PWCHK

Page principale
Supprimer ce message
Répondre à ce message
Auteur: W B Hacker
Date:  
À: exim users
Sujet: Re: [exim] PWCHK
Randy Bush wrote:

*snip* (moving to 587)

> same error, no surprise there. now that i can hope that we have
> finished the religious part of the discussion, i could use a bit of help
> debugging this sucker.
>


Just last night did an R&D install of Exim 4.71p0 from pkgsrc to OpenBSD 4.7 -
which should have the latest OpenSSL if anyone does. But I haven't started
testing t.

As the OpenBSD Exim maintainer has already gotten Exim 4.72 into pkgsrc, I'll
bump OpenBSD to snapshot and try that one tonight - WITH my 4.53-vintage
configure file and my not-quite-as-old self-signed certs.

Based on the debug below, my suspicion - and it is only that - is that OpenSSL
*has* changed - at least w/r default configuration if not functionality.

CAVEAT: I don't use sasl or pwcheck or spf but wonder if any of htose players
has supplied changes to OpenSSL default configuration.

Any chance you can diff the openSSl dirtree area on old/working and new/broken
boxen?

===

> phil noticed RENEGOTIATING
>
>     rmac.psg.com:/Users/randy> openssl s_client -connect psg.com:587
>     CONNECTED(00000004)
>     depth=1 /C=US/ST=Washingron/L=Bainbridge Island/O=RGnet/PSGnet/OU=Engineering/CN=RGnet Root CA/emailAddress=randy@???
>     verify error:num=19:self signed certificate in certificate chain
>     verify return:0
>     ---
>     Certificate chain
>      0 s:/C=US/ST=WA/L=Seattle/O=RGnet, LLC/OU=PSGnet Engineering/CN=psg.com/emailAddress=randy@???
>        i:/C=US/ST=Washingron/L=Bainbridge Island/O=RGnet/PSGnet/OU=Engineering/CN=RGnet Root CA/emailAddress=randy@???
>      1 s:/C=US/ST=Washingron/L=Bainbridge Island/O=RGnet/PSGnet/OU=Engineering/CN=RGnet Root CA/emailAddress=randy@???
>        i:/C=US/ST=Washingron/L=Bainbridge Island/O=RGnet/PSGnet/OU=Engineering/CN=RGnet Root CA/emailAddress=randy@???
>     ---
>     Server certificate
>     -----BEGIN CERTIFICATE-----
>     MIIEpzCCBBCgAwIBAgICAKQwDQYJKoZIhvcNAQEFBQAwgaExCzAJBgNVBAYTAlVT
>     MRMwEQYDVQQIEwpXYXNoaW5ncm9uMRowGAYDVQQHExFCYWluYnJpZGdlIElzbGFu
>     ZDEVMBMGA1UEChMMUkduZXQvUFNHbmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEW
>     MBQGA1UEAxMNUkduZXQgUm9vdCBDQTEcMBoGCSqGSIb3DQEJARYNcmFuZHlAcHNn
>     LmNvbTAeFw0xMDA2MTkxNzExNTRaFw0xMTA2MTkxNzExNTRaMIGOMQswCQYDVQQG
>     EwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTClJH
>     bmV0LCBMTEMxGzAZBgNVBAsTElBTR25ldCBFbmdpbmVlcmluZzEQMA4GA1UEAxMH
>     cHNnLmNvbTEcMBoGCSqGSIb3DQEJARYNcmFuZHlAcHNnLmNvbTCCASIwDQYJKoZI
>     hvcNAQEBBQADggEPADCCAQoCggEBAMIJuJR410eubOy2CQ+tvIukjXZq/jJxMsGi
>     tB5o1Kt2WXeSEeIYd3p8Ybm58SoWtSt6B5PSx9zDgj4gO6sfleVwNKLB0CeKKtQ3
>     OVhXDlD/T6oj7xiWy4t5bRwgI9O47NcPt4hpNqJeOw6bBAuOJrFFUAYgxSsbWHMv
>     8zUXBIBC8k5Tk8c312QwQ5ePSfbACcdVid9HLXp64uWeJ+DtSu9XfA5fG7Bxvx/i
>     M/EpBdIuSpMpgrZY4oyJ9RgR3+QLgJoj0TNk797Rr61vlzCv308FPayJd159Xn/A
>     +2xP9VbfmE4oay5Vov5t4z9VgPFmgmKuhCJqUlHhHYGeSzTAOocCAwEAAaOCAXkw
>     ggF1MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgbAMB0GA1UdDgQWBBRnsIqt
>     3wiKG+vmd3CxfBL4c82sgDCBzgYDVR0jBIHGMIHDgBRUmkatFo7oAUl5SJqUCfAC
>     0LpkgKGBp6SBpDCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmdyb24x
>     GjAYBgNVBAcTEUJhaW5icmlkZ2UgSXNsYW5kMRUwEwYDVQQKEwxSR25ldC9QU0du
>     ZXQxFDASBgNVBAsTC0VuZ2luZWVyaW5nMRYwFAYDVQQDEw1SR25ldCBSb290IENB
>     MRwwGgYJKoZIhvcNAQkBFg1yYW5keUBwc2cuY29tggEAMB0GA1UdJQQWMBQGCCsG
>     AQUFBwMBBggrBgEFBQcDAjBGBgNVHREEPzA9ggdwc2cuY29tggt3d3cucHNnLmNv
>     bYIMbWFpbC5wc2cuY29tgglib2d1cy5jb22CDG9wcy5pZXRmLm9yZzANBgkqhkiG
>     9w0BAQUFAAOBgQCxc96FWriyYk8m7iM1aFBHD2yteM8bu+qJNu/2lDu2wVwWaKIM
>     OMJ7d0q38tFtY+ZmXXdygeRsVYmbO4u/k3rj4xxO90hThoxqAdBMiJzn14+iamED
>     rS3at0wt99RF0ktI1Y703YRuyHWPYQLnOSq70JxwY4FQz5qnHyAc4MhbXw==
>     -----END CERTIFICATE-----
>     subject=/C=US/ST=WA/L=Seattle/O=RGnet, LLC/OU=PSGnet Engineering/CN=psg.com/emailAddress=randy@???
>     issuer=/C=US/ST=Washingron/L=Bainbridge Island/O=RGnet/PSGnet/OU=Engineering/CN=RGnet Root CA/emailAddress=randy@???
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 2112 bytes and written 453 bytes
>     ---
>     New, TLSv1/SSLv3, Cipher is AES256-SHA
>     Server public key is 2048 bit
>     Compression: NONE
>     Expansion: NONE
>     SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 30FFC0261E0316D8BEE91E2A7109B291604A666F1F4EC7C84AD7562C48C521BA
>     Session-ID-ctx: 
>     Master-Key: 6927A3B8D0D26CF48BF8971063D2F83AE7D1830773C16E07B89A40957890708BA0B77EDE01F3B148E614305034BB27D4
>     Key-Arg   : None
>     Start Time: 1277070371
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
>     ---
>     220 psg.com ESMTP Exim 4.72 Sun, 20 Jun 2010 21:46:11 +0000
>     EHLO rmac.psg.com
>     250-psg.com Hello rmac.psg.com [71.237.195.26]
>     250-SIZE 52428800
>     250-8BITMIME
>     250-PIPELINING
>     250-AUTH PLAIN LOGIN
>     250 HELP
>     MAIL FROM:<randy@???>
>     250 OK
>     RCPT TO:<randy@???>
>     RENEGOTIATING
>     DATA
>     503 valid RCPT command must precede DATA
>     QUIT
>     DONE

>
> but the same happens on a server which works.
>
> and configuring for STARTTLS is the same story.
>
> openssl server side change in algorithm?
>
> randy
>