[gnutls-help] Setting up secure SMTP connection
John van Kemenade
John.van.Kemenade at concepts.nl
Wed Oct 30 19:38:10 CET 2013
Hi,
My provider requires a secure SMTP connection before authentication can
be issued.
The script I am using to send SMTP messages to my provider doesn't have
this functionality yet.
For debugging I am using gnutls-cli to setup the connection, but I get
the error: *** Fatal error: Error in the certificate.
Since all this certificate thing is very new to me, I have now clue
where to start looking. Is there something wrong with my self-signed
certificate, I am using the right cli paramters etc.
Any help or pointers in the right direction will be appreciated.
0. I am using a slackware 14 distro with GnuTLS 3.0.23
1. I created a self-signed certificate using the commands provided here:
http://www.virtualmin.com/node/12051
openssl genrsa -des3 -out your.servername.com.key 1024
openssl req -new -key your.servername.com.key -out
your.servername.com.csr
cp your.servername.com.key your.servername.com.key.org
openssl rsa -in your.servername.com.key.org -out your.servername.com.key
openssl x509 -req -days 365 -in your.servername.com.csr -signkey
your.servername.com.key -out your.servername.com.crt
where your.servername.com has been subsituted by the FQDN of my machine
2. command issued to setup the connection to the SMTP server:
gnutls-cli -d 10 --starttls --x509certfile
demeter.kemenade.no-ip.org.crt --port 587 smtp.concepts.nl
3. results
|<2>| ASSERT: pkcs11.c:459
Processed 151 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'smtp.concepts.nl'...
Connecting to '213.197.24.111:587'...
|<4>| REC[0x1f72080]: Allocating epoch #0
- Simple Client Mode:
220-smtp-4.concepts.nl ESMTP Exim 4.72 Wed, 30 Oct 2013 19:29:55 +0100
220- Sending spam or unsolicited commercial e-mail to this server is
strictly
220- prohibited by our NO UBE / NO UCE policy. Abuse will be prosecuted
and/or
220 charged per attempted recipient at international postal rates.
ehlo john
250-smtp-4.concepts.nl Hello 5571f416.ftth.concepts.nl [85.113.244.22]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
*** Starting TLS handshake
|<2>| ASSERT: gnutls_constate.c:717
|<4>| REC[0x1f72080]: Allocating epoch #1
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1
(C0.09)
|<3>| HSK[0x1f72080]: Keeping ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<3>| HSK[0x1f72080]: Keeping ciphersuite:
ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1
(C0.0A)
|<3>| HSK[0x1f72080]: Keeping ciphersuite:
ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<3>| HSK[0x1f72080]: Keeping ciphersuite:
ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1
(C0.08)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1
(C0.13)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256
(C0.27)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256
(C0.2F)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1
(C0.14)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384
(C0.30)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1
(C0.12)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
(00.33)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
(00.67)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
(00.45)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256
(00.9E)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
(00.39)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
(00.6B)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
(00.88)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
(00.16)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
(00.32)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
(00.40)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
(00.44)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256
(00.A2)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
(00.38)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
(00.6A)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
(00.87)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
(00.13)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 (00.66)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
(00.3C)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
(00.41)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256
(00.9C)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
(00.3D)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
(00.84)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 (00.05)
|<3>| HSK[0x1f72080]: Keeping ciphersuite: RSA_ARCFOUR_MD5 (00.04)
|<3>| EXT[0x1f72080]: Sending extension SERVER NAME (21 bytes)
|<3>| EXT[0x1f72080]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| EXT[0x1f72080]: Sending extension SUPPORTED ECC (12 bytes)
|<3>| EXT[0x1f72080]: Sending extension SUPPORTED ECC POINT FORMATS (2
bytes)
|<3>| EXT[0x1f72080]: sent signature algo (4.1) RSA-SHA256
|<3>| EXT[0x1f72080]: sent signature algo (4.2) DSA-SHA256
|<3>| EXT[0x1f72080]: sent signature algo (4.3) ECDSA-SHA256
|<3>| EXT[0x1f72080]: sent signature algo (5.1) RSA-SHA384
|<3>| EXT[0x1f72080]: sent signature algo (5.3) ECDSA-SHA384
|<3>| EXT[0x1f72080]: sent signature algo (6.1) RSA-SHA512
|<3>| EXT[0x1f72080]: sent signature algo (6.3) ECDSA-SHA512
|<3>| EXT[0x1f72080]: sent signature algo (3.1) RSA-SHA224
|<3>| EXT[0x1f72080]: sent signature algo (3.2) DSA-SHA224
|<3>| EXT[0x1f72080]: sent signature algo (3.3) ECDSA-SHA224
|<3>| EXT[0x1f72080]: sent signature algo (2.1) RSA-SHA1
|<3>| EXT[0x1f72080]: sent signature algo (2.2) DSA-SHA1
|<3>| EXT[0x1f72080]: sent signature algo (2.3) ECDSA-SHA1
|<3>| EXT[0x1f72080]: Sending extension SIGNATURE ALGORITHMS (28 bytes)
|<3>| HSK[0x1f72080]: CLIENT HELLO was queued [209 bytes]
|<7>| HWRITE: enqueued [CLIENT HELLO] 209. Total 209 bytes.
|<7>| HWRITE FLUSH: 209 bytes in buffer.
|<4>| REC[0x1f72080]: Preparing Packet Handshake(22) with length: 209
|<9>| ENC[0x1f72080]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 214 bytes for 0x4. Total 214 bytes.
|<4>| REC[0x1f72080]: Sent Packet[1] Handshake(22) in epoch 0 and
length: 214
|<7>| HWRITE: wrote 1 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 214 bytes in buffer.
|<7>| WRITE: wrote 214 bytes, 0 bytes left.
|<2>| ASSERT: gnutls_buffers.c:976
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x1f72080]: SSL 3.1 Handshake packet received. Epoch 0,
length: 81
|<4>| REC[0x1f72080]: Expected Packet Handshake(22)
|<4>| REC[0x1f72080]: Received Packet Handshake(22) with length: 81
|<7>| READ: Got 81 bytes from 0x4
|<7>| READ: read 81 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 81 bytes.
|<7>| RB: Requested 86 bytes
|<4>| REC[0x1f72080]: Decrypted Packet[0] Handshake(22) with length: 81
|<6>| BUF[REC]: Inserted 81 bytes of Data(22)
|<3>| HSK[0x1f72080]: SERVER HELLO was received. Length 77[77], frag
offset 0, frag length: 77, sequence: 0
|<3>| HSK[0x1f72080]: Server's version: 3.1
|<3>| HSK[0x1f72080]: SessionID length: 32
|<3>| HSK[0x1f72080]: SessionID:
bebaeca87a11d38bcf8dbccaf146c07a7d8e9f755f9cda0508d24f353d84ca3d
|<3>| HSK[0x1f72080]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x1f72080]: Selected compression method: NULL (0)
|<3>| EXT[0x1f72080]: Parsing extension 'SAFE RENEGOTIATION/65281' (1
bytes)
|<3>| HSK[0x1f72080]: Safe renegotiation succeeded
|<2>| ASSERT: gnutls_buffers.c:976
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x1f72080]: SSL 3.1 Handshake packet received. Epoch 0,
length: 1474
|<4>| REC[0x1f72080]: Expected Packet Handshake(22)
|<4>| REC[0x1f72080]: Received Packet Handshake(22) with length: 1474
|<7>| READ: Got 1474 bytes from 0x4
|<7>| READ: read 1474 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 1474 bytes.
|<7>| RB: Requested 1479 bytes
|<4>| REC[0x1f72080]: Decrypted Packet[1] Handshake(22) with length:
1474
|<6>| BUF[REC]: Inserted 1474 bytes of Data(22)
|<3>| HSK[0x1f72080]: CERTIFICATE was received. Length 1470[1470], frag
offset 0, frag length: 1470, sequence: 0
|<2>| ASSERT: verify.c:410
|<2>| ASSERT: verify.c:674
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'smtp.concepts.nl'.
*** Verifying server certificate failed...
|<2>| ASSERT: gnutls_kx.c:688
|<2>| ASSERT: gnutls_handshake.c:2517
*** Fatal error: Error in the certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- |<2>| ASSERT: dn.c:286
|<2>| ASSERT: dn.c:286
subject `C=NL,postalCode=4817 KK,ST=Noord-Brabant,L=Breda,STREET=St.
Ignatiusstraat 265,O=Concepts ICT,OU=Techniek,OU=Instant
SSL,CN=smtp.concepts.nl', issuer `C=GB,ST=Greater
Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO High-Assurance Secure
Server CA', RSA key 2048 bits, signed using RSA-SHA1, activated
`2013-09-05 00:00:00 UTC', expires `2014-09-05 23:59:59 UTC', SHA-1
fingerprint `87143482688d48072e90464acbf1141b3c6e4b35'
Public Key Id:
fd82f5d21e736f21b3f20070930e6709ee0238a3
Public key's random art:
+--[ RSA 2048]----+
| . |
| . . . o |
| + . + B |
|. o . . B.. |
|E . .Soo |
| . o.+ o . |
| . o.* = .|
| =.= ..|
| +. ..|
+-----------------+
|<4>| REC: Sending Alert[2|42] - Certificate is bad
|<4>| REC[0x1f72080]: Preparing Packet Alert(21) with length: 2
|<9>| ENC[0x1f72080]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x1f72080]: Sent Packet[2] Alert(21) in epoch 0 and length: 7
*** Handshake has failed
Any help would be appreciated
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20131030/917d5d48/attachment-0001.html>
More information about the Gnutls-help
mailing list