Exim and TLS AUTH not working with some clients

On our outgoing mail server we recently upgraded to Debian Squeeze (stable), and we are seeing some strange problems with TLS authentication. I suspect this may be an OpenSSL problem, or perhaps something I patched in the TLS setup while trying to get things running again. But I have gone through the Exim configuration with a fine-toothed comb and worked through the original configuration checklist for authentication over TLS, and some clients still have problems.

The specific problem we are seeing is that Gnome Evolution, Mozilla Thunderbird and Eudora refuse to authenticate using TLS. Outlook and Outlook Express seem to have no problems, and they represent the majority of the clients connecting to the server, but the other clients do use SSL correctly.

Taking Thunderbird as an example, when I try to connect using STARTTLS and an encrypted password, it produces the error message "An error occurred during the connection: 25. Peer's public key is invalid. (Error code: sec_error_bad_key)". As far as I can tell there is no use of a public key anywhere in the Exim configuration; OpenSSL no longer uses a public key, but has the public key as part of the private key, and uses an intermediate CA certificate.

Other tests I have done:

I can authenticate successfully using swaks:

    $ swaks -s smtp.lightspeed.ca -p 25 --ehlo office.lightspeed.ca -au <myuser> -ap <mypass> -t <myaddress> -f <myaddress>
    === Trying smtp.lightspeed.ca:25...
    === Connected to smtp.lightspeed.ca.
    <-  220 ns2.lightspeed.ca ESMTP Exim 4.72 Thu, 31 Mar 2011 08:52:20 -0700
     -> EHLO office.lightspeed.ca
    <-  250-ns2.lightspeed.ca Hello office.lightspeed.ca [65.110.29.154]
    <-  250-SIZE 52428800
    <-  250-PIPELINING
    <-  250-AUTH PLAIN LOGIN
    <-  250-STARTTLS
    <-  250 HELP
     -> AUTH LOGIN
    <-  334 <encrypted>
     -> <encrypted>
    <-  334 <encrypted>
     -> <encrypted>
    <-  235 Authentication succeeded
     -> MAIL FROM:<myaddress>
    <-  250 OK
     -> RCPT TO:<myaddress>
    <-  250 Accepted
     -> DATA
    <-  354 Enter message, ending with "." on a line by itself
     -> Date: Thu, 31 Mar 2011 08:52:15 -0699
     -> To: <myaddress>
     -> From: <myaddress>
     -> Subject: test Thu, 31 Mar 2011 08:52:15 -0699
     -> X-Mailer: swaks v20100211.0 jetmore.org/john/code/swaks/
     ->
     -> This is a test mailing
     ->
     -> .
    <-  250 OK id=1Q5KAW-0005Ep-TX
     -> QUIT
    <-  221 ns2.lightspeed.ca closing connection
    === Connection closed with remote host.

As you can see here, the Exim server offers STARTTLS together with the PLAIN and LOGIN authentication methods, and authentication works.

If I try the OpenSSL approach, the connection fails:

    $ openssl s_client -starttls smtp -crlf -connect smtp.lightspeed.ca:25
    CONNECTED(00000003)
    depth=0 /serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R)/CN=ns2.lightspeed.ca
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R)/CN=ns2.lightspeed.ca
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R)/CN=ns2.lightspeed.ca
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R)/CN=ns2.lightspeed.ca
       i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----
    subject=/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R)/CN=ns2.lightspeed.ca
    issuer=/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
    ---
    Acceptable client certificate CA names
    /C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/L=Brasilia/ST=DF/CN=Autoridade Certificadora Raiz Brasileira
    /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
    /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
    /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
    /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
    /C=DE/ST=Hessen/L=Fulda/O=Debconf/CN=Debconf CA/[email protected]
    /C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/[email protected]
    /C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/[email protected]
    /C=US/ST=DC/L=Washington/O=ABA.ECOM, INC./CN=ABA.ECOM Root CA/[email protected]
    /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
    /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Public CA Root
    /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Qualified CA Root
    /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
    /C=US/O=America Online Inc./CN=America Online Root Certification Authority 2
    /C=US/O=AOL Time Warner Inc./OU=America Online Inc./CN=AOL Time Warner Root Certification Authority 1
    /C=US/O=AOL Time Warner Inc./OU=America Online Inc./CN=AOL Time Warner Root Certification Authority 2
    /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    /O=beTRUSTed/OU=beTRUSTed Root CAs/CN=beTRUSTed Root CA-Baltimore Implementation
    /C=WW/O=beTRUSTed/CN=beTRUSTed Root CAs/CN=beTRUSTed Root CA
    /O=beTRUSTed/OU=beTRUSTed Root CAs/CN=beTRUSTed Root CA - Entrust Implementation
    /O=beTRUSTed/OU=beTRUSTed Root CAs/CN=beTRUSTed Root CA - RSA Implementation
    /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Chambers of Commerce Root
    /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Global Chambersign Root
    /C=FR/O=Certplus/CN=Class 2 Primary CA
    /C=PL/O=Unizeto Sp. z oo/CN=Certum CA
    /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
    /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
    /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Trusted Certificate Services
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    /C=US/O=Digital Signature Trust Co./OU=DSTCA E1
    /C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=DSTCA X1/CN=DST RootCA X1/[email protected]
    /C=US/O=Digital Signature Trust Co./OU=DSTCA E2
    /C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=DSTCA X2/CN=DST RootCA X2/[email protected]
    /C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6
    /O=Digital Signature Trust Co./CN=DST Root CA X3
    /O=Entrust.net/OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.)/OU=(c) 2000 Entrust.net Limited/CN=Entrust.net Client Certification Authority
    /O=Entrust.net/OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.)/OU=(c) 2000 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
    /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
    /C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority
    /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
    /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
    /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
    /C=US/O=Equifax Secure/OU=Equifax Secure eBusiness CA-2
    /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
    /C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/[email protected]
    /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2
    /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    /C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
    /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
    /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
    /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    /C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services sl/[email protected] CIF B-60929452/OU=IPS CA Chained CAs Certification Authority/CN=IPS CA Chained CAs Certification Authority/[email protected]
    /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services sl/[email protected] CIF B-60929452/OU=IPS CA CLASE1 Certification Authority/CN=IPS CA CLASE1 Certification Authority/[email protected]
    /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services sl/[email protected] CIF B-60929452/OU=IPS CA CLASE3 Certification Authority/CN=IPS CA CLASE3 Certification Authority/[email protected]
    /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services sl/[email protected] CIF B-60929452/OU=IPS CA CLASEA1 Certification Authority/CN=IPS CA CLASEA1 Certification Authority/[email protected]
    /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services sl/[email protected] CIF B-60929452/OU=IPS CA CLASEA3 Certification Authority/CN=IPS CA CLASEA3 Certification Authority/[email protected]
    /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/[email protected]
    /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services sl/[email protected] CIF B-60929452/OU=IPS CA Timestamping Certification Authority/CN=IPS CA Timestamping Certification Authority/[email protected]
    /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
    /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
    /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado/[email protected]
    /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
    /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
    /C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
    /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
    /O=RSA Security Inc/OU=RSA Security 1024 V3
    /O=RSA Security Inc/OU=RSA Security 2048 V3
    /C=US/O=SecureTrust Corporation/CN=Secure Global CA
    /C=US/O=SecureTrust Corporation/CN=SecureTrust CA
    /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
    /C=FI/O=Sonera/CN=Sonera Class1 CA
    /C=FI/O=Sonera/CN=Sonera Class2 CA
    /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA
    /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    /C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/[email protected]
    /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 1
    /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
    /C=CH/O=SwissSign AG/CN=SwissSign Platinum CA - G2
    /C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
    /C=TW/O=Government Root Certification Authority
    /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 2 CA/[email protected]
    /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 3 CA/[email protected]
    /C=DK/O=TDC Internet/OU=TDC Internet Root CA
    /C=DK/O=TDC/CN=TDC OCES CA
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[email protected]
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[email protected]
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[email protected]
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
    /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/[email protected]
    /C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA
    /CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı/C=TR/L=ANKARA/O=(c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
    /CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı/C=TR/L=Ankara/O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
    /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
    /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
    /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Network Applications
    /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
    /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 1 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
    /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
    /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
    /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
    /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
    /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary Certification Authority - G3
    /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)00/CN=VeriSign Time Stamping Authority CA
    /C=US/O=VISA/OU=Visa International Service Association/CN=Visa eCommerce Root
    /C=US/O=VISA/OU=Visa International Service Association/CN=GP Root 2
    /C=US/O=Wells Fargo/OU=Wells Fargo Certification Authority/CN=Wells Fargo Root Certificate Authority
    /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
    /C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - CA Klasa 1
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - CA Klasa 2
    /C=PL/O=TP Internet Sp. z oo/CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - OCSP Klasa 2
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - OCSP Klasa 3
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - PCA Klasa 2
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - PCA Klasa 3
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - RootCA
    /C=PL/O=TP Internet Sp. z oo/OU=Centrum Certyfikacji Signet/CN=CC Signet - TSA Klasa 1
    /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certification Authority/[email protected]
    /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certificate Authority/[email protected]
    /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
    ---
    SSL handshake has read 22345 bytes and written 468 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-DSS-AES256-SHA
        Session-ID: 510F41918AD4A65D88A43BC6ED66651F98842EBBF7975295F6808342F9AE7067
        Session-ID-ctx:
        Master-Key: 53D1F9E30DC867D662BC2F859B79319294F67D7EB8753237A181DBE41C84B69EF00721F63BFC8938613EB7B694D8C53F
        Key-Arg   : None
        Start Time: 1301593832
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    250 HELP
    quit
    221 ns2.lightspeed.ca closing connection
    closed

Use the -showcerts option with the openssl s_client command. It prints the entire certificate chain the server presents, not just the server certificate (it shows the intermediates too). In your case the error simply means you do not have the necessary intermediate certificate installed alongside the server certificate. As the earlier poster mentioned, you have to concatenate the server and intermediate certificates; in fact, as a best practice, append the root certificate as well, so that the server presents the entire chain rather than just the lone leaf certificate. The server certificate cannot stand on its own, because intermediates are not themselves trusted; only root certificates are trusted, and you have to trace the chain all the way back to one of them. Once the chain is correct, the openssl s_client test will show "self signed certificate in certificate chain" or "Verify OK", but never "unable to get local issuer certificate"; at least that is what you get if you bundled the root certificate, which is what I recommend.

First, your openssl s_client connection did not fail: it says it successfully negotiated TLSv1 encryption with the DHE-DSS-AES256-SHA cipher. Then you told it to quit.

OpenSSL does complain about your certificate, though. Your certificate is signed by GeoTrust DV SSL CA, which OpenSSL does not appear to know. Either there is an intermediate certificate (the "GeoTrust DV SSL CA" certificate, signed by one of the CAs in your list) that you need to append to the end of your certificate file, or you need to update openssl's list of trusted CAs (in Debian this is done with the ca-certificates package). Note that Firefox maintains its own list of trusted certificate authorities.

Getting the intermediate certificate from GeoTrust and setting things up to use it is probably a better solution than telling all your clients to update their list of trusted CA certificates.

Edit

The "Acceptable client certificate CA names" message from openssl s_client indicates that exim is asking your client whether it has a certificate, and that the certificate must come from one of those CAs ("those CAs" being the CA list configured in tls_verify_certificates). If you are not using client certificates to identify your users, disable any tls_try_verify_* setting in exim and try again.
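The check described in this edit, as an added example that is not part of the answer: a small POSIX shell audit over two constructed fragments of an Exim main configuration. The option names are Exim's own; the file paths are made up. The first fragment reproduces the situation seen in the question (a CA bundle in tls_verify_certificates plus tls_try_verify_hosts matching every host, so Exim sends a CertificateRequest and with it the long "Acceptable client certificate CA names" list); the second is the same server with client-certificate verification left off.

```shell
#!/bin/sh
# Added example, not part of the original answer. Two constructed Exim
# main-section fragments (paths are made up) and a tiny audit that reports
# the TLS verification options and whether Exim would ask clients for a
# certificate during the handshake.
set -u

WEAK_CONF='
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_try_verify_hosts = *
'

FIXED_CONF='
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
# No tls_verify_hosts / tls_try_verify_hosts here: clients are never asked for a certificate.
'

# exim_opt NAME: print the value of main-section option NAME from the config on
# stdin (empty if unset). Comments are stripped first, so a commented-out option
# does not count as set.
exim_opt() {
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# requests_client_cert: exit 0 when the config on stdin makes Exim request a
# client certificate, i.e. when either verify-hosts option is set.
requests_client_cert() {
    rc_conf=$(cat)
    verify=$(printf '%s\n' "$rc_conf" | exim_opt tls_verify_hosts)
    try=$(printf '%s\n' "$rc_conf" | exim_opt tls_try_verify_hosts)
    [ -n "$verify" ] || [ -n "$try" ]
}

# audit LABEL: human-readable summary of one config read from stdin.
audit() {
    conf=$(cat)
    printf '%s:\n' "$1"
    printf '  tls_verify_certificates = %s\n' "$(printf '%s\n' "$conf" | exim_opt tls_verify_certificates)"
    printf '  tls_verify_hosts        = %s\n' "$(printf '%s\n' "$conf" | exim_opt tls_verify_hosts)"
    printf '  tls_try_verify_hosts    = %s\n' "$(printf '%s\n' "$conf" | exim_opt tls_try_verify_hosts)"
    if printf '%s\n' "$conf" | requests_client_cert; then
        echo '  -> clients will be asked for a certificate (CA name list is sent in the handshake)'
    else
        echo '  -> no client certificate requested'
    fi
}

printf '%s\n' "$WEAK_CONF"  | audit "as observed in the question"
printf '%s\n' "$FIXED_CONF" | audit "client verification disabled"
```

Run it with sh; the first fragment is flagged and the second is not. On a live server the same three values can be read directly with `exim -bP tls_verify_hosts tls_try_verify_hosts tls_verify_certificates` rather than parsing the configuration file.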

It looks like you are using a self-signed certificate. Client software generally will not trust such keys. If you can arrange to have your CA certificate added to your clients' trust chain, you should have no problems. Otherwise, users will need to accept the certificate the first time they use it.

Normally the acceptance dialog will default to accepting the exception permanently. Thunderbird works this way, but seems to require you to accept once for the IMAP/POP server and once for the SMTP server, even when the same certificate is used. Eudora and Exchange should work the same way.

From what I have seen, most email servers do not validate the certificate presented. If they did, you would need to configure an ACL to prevent offering StartTLS to those servers.

Edit: The certificates OpenSSL trusts are kept in a directory (/etc/ssl/certs on Ubuntu). The certificates are usually named after the signing authority. There is also a symlink, named after a hash of the key, which is used for lookup. You can add your own trusted certificates there.
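The two mechanisms discussed on this page, as one added example that is not code from any of the answers: it builds a throwaway root, intermediate and leaf with openssl, then shows the chain-concatenation point made in the first answer (the leaf alone fails with "unable to get local issuer certificate", leaf plus intermediate verifies) and the lookup described in the edit above (a CA dropped into a CApath directory is only found through its `<subject_hash>.0` symlink, not through its readable file name). The CA names and the host name mail.example.test are made up, nothing here touches the real ns2.lightspeed.ca certificate, and the script assumes an openssl CLI of 1.1.0 or newer for the -no-CAfile option.

```shell
#!/bin/sh
# Added example, not from the original thread. Throwaway root -> intermediate
# -> leaf chain; all names are made up. Requires the openssl CLI (1.1.0+).
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/certs"
mkdir "$CAPATH"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# csr NAME SUBJECT: fresh key plus certificate request.
csr() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# sign NAME SIGNER [ca]: issue NAME's certificate from SIGNER's key; "ca" adds
# the v3_ca extensions so the result can itself sign certificates.
sign() {
    ext=""
    [ "${3:-}" = ca ] && ext="-extfile $WORK/ca.cnf -extensions v3_ca"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 2 $ext -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Root (the only thing a client trusts), intermediate (the GeoTrust DV SSL CA
# analogue) and the leaf Exim would hand out as tls_certificate.
openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
csr int "/CN=Example Issuing CA" && sign int root ca
csr leaf "/CN=mail.example.test" && sign leaf int
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"   # what the certificate file should hold

# Part 1: a client that trusts only the root, checking whatever the server presented ($1).
client_verify()     { openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1; }
leaf_only_result()  { client_verify "$WORK/leaf.pem"; }    # "unable to get local issuer certificate"
full_chain_result() { client_verify "$WORK/chain.pem"; }   # "leaf.pem: OK"

# Part 2: CApath lookup. OpenSSL opens <hash>.0, where hash is the CA's subject name hash.
root_hash()         { openssl x509 -in "$WORK/root.pem" -noout -subject_hash; }
reset_capath()      { rm -f "$CAPATH"/*; }
install_root_file() { cp "$WORK/root.pem" "$CAPATH/Example_Root_CA.pem"; }
add_hash_link()     { ln -sf Example_Root_CA.pem "$CAPATH/$(root_hash).0"; }
capath_verify() {
    openssl verify -no-CAfile -CApath "$CAPATH" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

echo "== leaf only ==";            leaf_only_result
echo "== leaf + intermediate =="; full_chain_result
install_root_file
echo "== CApath holding only Example_Root_CA.pem =="; capath_verify && echo verified || echo "not found"
add_hash_link
echo "== CApath with $(root_hash).0 symlink ==";      capath_verify && echo verified || echo "not found"
```

The concatenated chain.pem is the shape of file the first answer asks for; in Exim it is what tls_certificate points at. On Debian and Ubuntu the hash symlinks are not made by hand: dropping a PEM into /usr/local/share/ca-certificates/ and running update-ca-certificates (or running c_rehash over a directory) creates them.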

I have noticed that most of my systems do not bundle the latest/secure Thawte/GeoTrust root certificates in their ca-certificates package(s). They have two sites containing all of the certificates:

https://www.thawte.com/roots/
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1384