Re: [exim] TLS client disconnected cleanly (rejected ourcer…

Author: Arkadiusz Miskiewicz
Date:
To: exim-users
Subject: Re: [exim] TLS client disconnected cleanly (rejected our certificate?) - intermediate ssl certificate problem?
On Friday 27 of May 2011, W B Hacker wrote:
> Arkadiusz Miskiewicz wrote:
> > On Monday 23 of May 2011, Heiko Schlittermann wrote:
> >>> Arkadiusz Miskiewicz <arekm@???> (Mon May 23 10:52:11 2011):
> >>> I've replaced rapidssl cert recently with new one. rapidssl started to
> >>> use intermediate certificate. Unfortunately I'm getting in smtp server
> >>> logs (exim 4.76):
> >>>
> >>> (SSL_accept): error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
> >>> bad certificate
> >>> 2011-05-23 10:42:57 TLS client disconnected cleanly (rejected our
> >>> certificate?)
> >>>
> >>> tls_certificate points to a file which contains 3 certificates:
> >>>
> >>> - cert for my domain issued by: Issuer: C=US, O=GeoTrust, Inc.,
> >>> CN=RapidSSL CA
> >>>
> >>> - intermediate cert:
> >>>          Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
> >>>          Subject: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
> >>>
> >>> - third cert:
> >>>          Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> >>>          Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
> >>>
> >>> in exactly that order.
> >>>
> >>> tls_privatekey points to a file with private key.
> >>>
> >>> The question is why "alert bad certificate" comes up if everything
> >>> looks fine, all intermediate certs are provided etc?
> >>
> >> Maybe you can tell us how to connect to the server you're talking about;
> >> some of the problems can be detected from outside.
> >
> > It's smtp-arm.beep.pl
>
> Arkadiusz,
>
> Just sent this post back with an extra line or so.
>
> Worked OK to *port 25* from Hong Kong, Exim 4.73 on OpenBSD 4.9 with log
> entry of:
>
> 2011-05-27 08:38:19 [16457] 1QPsYZ-0007YO-O5 => arekm@???
> F=<wbh@???> P=<wbh@???> R=dnslookup T=remote_smtp
> S=2172 H=mx01.agnat.pl [193.239.44.65]:25 X=TLSv1:DHE-RSA-AES256-SHA:256
> CV=no DN="/C=PL/O=*.agnat.eu/OU=GT03137972/OU=See
> www.rapidssl.com/resources/cps (c)07/OU=Domain Control Validated -
> RapidSSL(R)/CN=*.agnat.eu" C="250 OK id=1QPsYi-00087O-4A" QT=12s DT=10s

This cert expired a long time ago and it wasn't using any intermediate cert.
smtp-arm.beep.pl has a new cert which unfortunately uses an intermediate one.

> HTH,
>
> Bill Hacker
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
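As an added example (not from this thread and not Exim's own code), a POSIX shell check of the ordering of a PEM bundle such as the one tls_certificate points to: each certificate's Issuer must equal the Subject of the certificate that follows it, leaf first, which is the order the thread describes. It needs the openssl CLI; make_test_chain builds a throwaway root/intermediate/leaf chain with placeholder names, which is constructed test data, not any real CA.

```shell
# Check that a PEM bundle is ordered leaf -> intermediate(s) -> root, i.e. the
# Issuer of certificate i equals the Subject of certificate i+1. A bundle that
# is out of order is one reason a client sends "bad certificate" on the chain.

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"
}

# Number of certificates in the bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when every adjacent pair chains (Issuer of i == Subject of i+1).
check_chain_order() {
    bundle=$1; n=$(cert_count "$bundle"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$bundle" $((i + 1)) | openssl x509 -noout -subject)
        # openssl prefixes the DN with "issuer=" / "subject="; drop the label
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "cert $i does not chain to cert $((i + 1)):" >&2
            echo "  $issuer" >&2; echo "  $subject" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Constructed test data: a throwaway root -> intermediate -> leaf chain with
# placeholder names, written into directory $1 (nothing here is a real CA).
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.pem"  # leaf first
    cat "$d/int.pem" "$d/leaf.pem" "$d/root.pem" > "$d/bad.pem"   # swapped
}
```

To compare the bundle with what the server actually sends to clients (the "from outside" check mentioned above), `openssl s_client -starttls smtp -showcerts` against port 25 prints the chain in the order presented.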