Hi,

It is clear from the output that the SMTP server is not returning the intermediate certificate chain, it's a problem on the vodafonemail site.

Ciao, Marcus

On Mon, Nov 08, 2021 at 11:23:54AM +0100, Carlos E. R. wrote:
On 2021-11-07 at 21:03 -0300, Cristian Rodríguez wrote:
On Sun, Nov 7, 2021 at 3:20 PM Achim Gratz <> wrote:
Cristian Rodríguez writes:
> Works for me.. is your trust store hosed ?
> # update-ca-certificates -fv
> to rebuild it.
No, I have confirmed the same problem from three different systems by now.
I tried your example verbatim and the handshake was successful.. did you configure anything differently than default?
On Leap 15.2:
cer@minas-tirith:~> openssl s_client -showcerts -starttls smtp -connect smtp.vodafonemail.de:25 -name smtp.vodafonemail.de
CONNECTED(00000003)
depth=0 CN = www.vodafonemail.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.vodafonemail.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.vodafonemail.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.vodafonemail.de

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2867 bytes and written 439 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D64ACAD6A260EFFE3AECD7D24660BE303055E11E823748EAC00F8020A9A9E323
    Session-ID-ctx:
    Resumption PSK: 5AEDD6DD4DA0284D390FF406653B0C8F5CFC4F12E938FFFC6CBD1AA4ABC58872185F66740CB6041A36CF2FE9FBE10A1E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1636366480
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
read:errno=0
cer@minas-tirith:~>
--
Cheers
Carlos E. R.
(from openSUSE Leap 15.2 x86_64 (Minas Tirith))
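The diagnosis in the reply above comes from reading the `Certificate chain` section and the verify code of the `openssl s_client -showcerts` output. The following is an added example, not part of the original thread, that automates that reading; `parse_chain`, `diagnose` and `SAMPLE` are hypothetical names, and the sample text is constructed from the output quoted in the thread.

```python
import re

# Constructed sample: s_client -showcerts output trimmed to the lines that
# matter, shaped like the Leap 15.2 run quoted in the thread (PEM body omitted).
SAMPLE = """\
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = www.vodafonemail.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
Server certificate
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(text):
    """Return the (subject, issuer) pairs the server sent, in wire order."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif line.startswith("Server certificate"):
            in_chain = False
        elif in_chain and (m := re.match(r"\s*\d+ s:(.*)", line)):
            chain.append([m.group(1).strip(), ""])
        elif in_chain and chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]

def diagnose(text):
    """Classify a verification failure from the chain shape and verify code."""
    chain = parse_chain(text)
    codes = re.findall(r"Verify return code: (\d+)", text)
    code = int(codes[-1]) if codes else None
    result = {"sent": len(chain), "verify_code": code, "missing_issuer": None}
    if not chain or code is None:
        return {**result, "verdict": "incomplete output"}
    if code == 0:
        return {**result, "verdict": "ok"}
    # Each certificate must be issued by the next one sent; find the first gap.
    gap = next((i for i in range(len(chain) - 1)
                if chain[i][1] != chain[i + 1][0]), len(chain) - 1)
    subject, issuer = chain[gap]
    # 20/21: OpenSSL could not find the issuer of a non-self-signed certificate.
    if code in (20, 21) and subject != issuer:
        return {**result, "missing_issuer": issuer,
                "verdict": "issuer neither sent by server nor trusted locally"}
    return {**result, "verdict": "other verification failure"}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result with `sent` equal to 1 and a `missing_issuer` that names an intermediate CA matches the situation in the thread: the client's trust store holds roots, so the server has to send the intermediate itself.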