[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tlsa for smtp to @bugs.debian.org

>>>>> "TFH" == Tollef Fog Heen <tfheen@err.no> writes:

TFH> It's usually a good idea to mail the people who actually run the
TFH> debian.org systems if you want help debugging problems like this.

The first note, as I wrote, was an attempt to confirm whether the
problem was limited to @bugs's MX.

Given the first, it seemed only polite to explain that the issue wasn't
what I thought it were.

>> It turned out that buxtehude's exim doesn't like the (cacert-signed,
>> wildcard) cert my box offers when sending mail.

TFH> 2013-09-12 02:35:44 TLS error on connection from ore.jhcloos.com [] (gnutls_handshake): The signature algorithm is not supported.

TFH> I'm not entirely sure why that happens, though, given we run very
TFH> similar configurations on buxthehude and the other mail-receiving hosts.

Testing with:

  :; gnutls-cli --verbose --verbose --debug=1 --dane --local-dns \
     --no-ca-verification --starttls --port 25 \
     --x509certfile=/etc/ssl/certs/my_wild_cacert.pem \
     --x509keyfile=my_wild.key \

works fine:

- Server's trusted authorities:
   [0]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmaster@puppet.debian.org
   [1]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmaster@puppet.debian.org
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: D3:62:75:6A:ED:FC:C5:1C:61:12:F8:1B:06:4F:DD:81:B7:0F:9C:25:36:0C:AA:56:72:CE:9F:02:9C:E1:2C:BF
- Version: TLS1.2
- Key Exchange: RSA
- Client Signature: RSA-SHA256
- Cipher: AES-128-CBC
- Compression: NULL
- Channel binding 'tls-unique': 1eb70f592718d20b6721e52f

Also, openssl can connect with:

  :; openssl s_client  -CAfile /etc/ssl/certs/ca-certificates.crt \
     -starttls smtp -showcerts -debug -state -crlf -tlsextdebug \
     -status -msg -connect buxtehude.debian.org:25

but if I add:

  -key my_wild.key
  -cert /etc/ssl/certs/my_wild_cacert.pem 

it fails.  The result is the same if I use a non-wild cert.

But it works if I use the commercial cert I use for my https site.

A cert with the same RSA size and sha1 sig hash as the cacert.

So this does seem to be an openssl vs gnutls issue.

I'll try to trigger it on a cloud server with debugging turned up and
get a more detailed debug log.

Which release does buxtehude run?  Wheezy? 

James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Reply to: