Re: tlsa for smtp to @bugs.debian.org

To: Tollef Fog Heen <tfheen@err.no>
Cc: debian-devel@lists.debian.org, debian-admin@lists.debian.org
Subject: Re: tlsa for smtp to @bugs.debian.org
From: James Cloos <cloos@jhcloos.com>
Date: Thu, 12 Sep 2013 15:57:33 -0400
Message-id: <[🔎] m3txhp4xtl.fsf@carbon.jhcloos.org>
In-reply-to: <[🔎] 87txhq8s9s.fsf@qurzaw.varnish-software.com> (Tollef Fog Heen's message of "Thu, 12 Sep 2013 08:31:59 +0200")
References: <[🔎] m3hadq7v5s.fsf@carbon.jhcloos.org> <[🔎] m3bo3y5zno.fsf@carbon.jhcloos.org> <[🔎] 87txhq8s9s.fsf@qurzaw.varnish-software.com>

>>>>> "TFH" == Tollef Fog Heen <tfheen@err.no> writes:

TFH> It's usually a good idea to mail the people who actually run the
TFH> debian.org systems if you want help debugging problems like this.

The first note, as I wrote, was an attempt to confirm whether the
problem was limited to @bugs's MX.

Given the first, it seemed only polite to explain that the issue wasn't
what I thought it were.

>> It turned out that buxtehude's exim doesn't like the (cacert-signed,
>> wildcard) cert my box offers when sending mail.

TFH> 2013-09-12 02:35:44 TLS error on connection from ore.jhcloos.com [198.147.23.85] (gnutls_handshake): The signature algorithm is not supported.

TFH> I'm not entirely sure why that happens, though, given we run very
TFH> similar configurations on buxthehude and the other mail-receiving hosts.

Testing with:

  :; gnutls-cli --verbose --verbose --debug=1 --dane --local-dns \
     --no-ca-verification --starttls --port 25 \
     --x509certfile=/etc/ssl/certs/my_wild_cacert.pem \
     --x509keyfile=my_wild.key \
     buxtehude.debian.org.

works fine:

- Server's trusted authorities:
   [0]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmaster@puppet.debian.org
   [1]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmaster@puppet.debian.org
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: D3:62:75:6A:ED:FC:C5:1C:61:12:F8:1B:06:4F:DD:81:B7:0F:9C:25:36:0C:AA:56:72:CE:9F:02:9C:E1:2C:BF
- Version: TLS1.2
- Key Exchange: RSA
- Client Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Channel binding 'tls-unique': 1eb70f592718d20b6721e52f

Also, openssl can connect with:

  :; openssl s_client  -CAfile /etc/ssl/certs/ca-certificates.crt \
     -starttls smtp -showcerts -debug -state -crlf -tlsextdebug \
     -status -msg -connect buxtehude.debian.org:25

but if I add:

  -key my_wild.key
  -cert /etc/ssl/certs/my_wild_cacert.pem 

it fails.  The result is the same if I use a non-wild cert.

But it works if I use the commercial cert I use for my https site.

A cert with the same RSA size and sha1 sig hash as the cacert.

So this does seem to be an openssl vs gnutls issue.

I'll try to trigger it on a cloud server with debugging turned up and
get a more detailed debug log.

Which release does buxtehude run?  Wheezy? 

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Reply to:

Follow-Ups:
- Re: tlsa for smtp to @bugs.debian.org
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: tlsa for smtp to @bugs.debian.org
  - From: Stephen Gran <sgran@debian.org>

References:
- tlsa for smtp to @bugs.debian.org
  - From: James Cloos <cloos@jhcloos.com>
- Re: tlsa for smtp to @bugs.debian.org
  - From: James Cloos <cloos@jhcloos.com>
- Re: tlsa for smtp to @bugs.debian.org
  - From: Tollef Fog Heen <tfheen@err.no>

Prev by Date: Re: tlsa for smtp to @bugs.debian.org
Next by Date: Re: tlsa for smtp to @bugs.debian.org
Previous by thread: Re: tlsa for smtp to @bugs.debian.org
Next by thread: Re: tlsa for smtp to @bugs.debian.org
Index(es):
- Date
- Thread