Re: tlsa for smtp to @bugs.debian.org
>>>>> "TFH" == Tollef Fog Heen <tfheen@err.no> writes:
TFH> It's usually a good idea to mail the people who actually run the
TFH> debian.org systems if you want help debugging problems like this.
The first note, as I wrote, was an attempt to confirm whether the
problem was limited to @bugs's MX.
Given the first, it seemed only polite to explain that the issue wasn't
what I thought it was.
>> It turned out that buxtehude's exim doesn't like the (cacert-signed,
>> wildcard) cert my box offers when sending mail.
TFH> 2013-09-12 02:35:44 TLS error on connection from ore.jhcloos.com [198.147.23.85] (gnutls_handshake): The signature algorithm is not supported.
TFH> I'm not entirely sure why that happens, though, given we run very
TFH> similar configurations on buxtehude and the other mail-receiving hosts.
Testing with:
:; gnutls-cli --verbose --verbose --debug=1 --dane --local-dns \
--no-ca-verification --starttls --port 25 \
--x509certfile=/etc/ssl/certs/my_wild_cacert.pem \
--x509keyfile=my_wild.key \
buxtehude.debian.org.
works fine:
- Server's trusted authorities:
[0]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmaster@puppet.debian.org
[1]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmaster@puppet.debian.org
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: D3:62:75:6A:ED:FC:C5:1C:61:12:F8:1B:06:4F:DD:81:B7:0F:9C:25:36:0C:AA:56:72:CE:9F:02:9C:E1:2C:BF
- Version: TLS1.2
- Key Exchange: RSA
- Client Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Channel binding 'tls-unique': 1eb70f592718d20b6721e52f
Also, openssl can connect with:
:; openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt \
-starttls smtp -showcerts -debug -state -crlf -tlsextdebug \
-status -msg -connect buxtehude.debian.org:25
but if I add:
-key my_wild.key
-cert /etc/ssl/certs/my_wild_cacert.pem
it fails. The result is the same if I use a non-wild cert.
But it works if I use the commercial cert I use for my https site.
A cert with the same RSA size and sha1 sig hash as the cacert.
So this does seem to be an openssl vs gnutls issue.
I'll try to trigger it on a cloud server with debugging turned up and
get a more detailed debug log.
Which release does buxtehude run? Wheezy?
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
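The comparison done by hand above (STARTTLS to the MX with and without a client certificate, then reading off the negotiated parameters from gnutls-cli's summary) can be scripted so both stacks' results are captured side by side. The following is an added example and not part of the original post or of any Debian tooling; it uses Python's standard smtplib/ssl modules. The host, port, certificate and key paths passed to starttls_probe and compare_probes are caller-supplied assumptions, and SAMPLE_GNUTLS_SUMMARY is a constructed subset of the gnutls-cli output format shown in the message, used only to exercise the parser offline.

```python
import smtplib
import ssl

# Constructed sample in the '- Key: Value' format gnutls-cli prints after a
# successful handshake (subset of the lines quoted in the message above).
SAMPLE_GNUTLS_SUMMARY = """\
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Version: TLS1.2
- Key Exchange: RSA
- Client Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
"""


def parse_gnutls_summary(text):
    """Turn gnutls-cli's '- Key: Value' summary lines into a dict.

    Lines without a colon (e.g. the 'Successfully sent ...' notice) are
    skipped; the first colon splits key from value so values that contain
    colons themselves (Session ID) survive intact.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- ") or ":" not in line:
            continue
        key, _, value = line[2:].partition(":")
        params[key.strip()] = value.strip()
    return params


def starttls_probe(host, port=25, certfile=None, keyfile=None, timeout=15):
    """Open an SMTP session, issue STARTTLS and report what was negotiated.

    Returns {'ok': True, 'version': ..., 'cipher': ...} on success or
    {'ok': False, 'error': ...} if the handshake (or the TCP/SMTP dialogue)
    fails. When certfile is given the client certificate is presented,
    which is the variable the message is isolating.
    """
    ctx = ssl.create_default_context()
    # Like the --no-ca-verification gnutls-cli run in the message, the
    # server chain is not verified here: the question under test is
    # whether the server accepts the *client* certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            sock = smtp.sock  # now an SSLSocket
            return {"ok": True,
                    "version": sock.version(),
                    "cipher": sock.cipher()[0]}
    except ssl.SSLError as exc:
        return {"ok": False, "error": exc.reason or str(exc)}
    except (OSError, smtplib.SMTPException) as exc:
        return {"ok": False, "error": str(exc)}


def compare_probes(host, certfile, keyfile, port=25):
    """Run the handshake anonymously and with the client cert, side by side."""
    return {
        "anonymous": starttls_probe(host, port),
        "with_client_cert": starttls_probe(host, port, certfile, keyfile),
    }


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <mx-host> <client-cert.pem> <client-key.pem>
    # (hypothetical invocation; arguments are whatever the tester supplies)
    for label, result in compare_probes(*sys.argv[1:4]).items():
        print(label, result)
```

If the anonymous probe succeeds and the client-cert probe returns an ssl.SSLError reason, the server rejected the client certificate or its signature algorithm during the handshake, which is the exim/GnuTLS-side failure quoted above; if both fail, the problem lies earlier (connectivity, STARTTLS not offered, or an unsupported protocol/cipher).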