Some time between three weeks ago and about a week ago (I was away for a few days in between) something changed (on both my Tumbleweed machines) in the way certificates get checked for one of the mail servers I'm using:

--8<---------------cut here---------------start------------->8---
~> openssl s_client -showcerts -starttls smtp -connect smtp.vodafonemail.de:25 -name smtp.vodafonemail.de
CONNECTED(00000003)
depth=0 CN = www.vodafonemail.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.vodafonemail.de
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = www.vodafonemail.de
verify return:1
---
Certificate chain
 0 s:CN = www.vodafonemail.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.vodafonemail.de
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
--8<---------------cut here---------------end--------------->8---

The interesting thing is that both kmail and Firefox don't seem to have that problem and follow the chain to the trust anchor, but Emacs (via gnutls) and openssl (as shown above) fail to verify the start of the cert chain and error out. What's going on here?

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
Hi,

I'd say it is a configuration issue on the server: the Sectigo RSA Domain Validation Secure Server CA is an intermediate CA that is typically not in your local set of trusted certificates (probably /var/lib/ca-certificates/ca-bundle.pem). Normally the server should send the intermediate along. kmail and firefox probably have it either cached from a previous use or perhaps have it by default in their truststore. I know that thunderbird seemed to add intermediates it receives and try to reuse those in later sessions. But in any case, the server should send the intermediate Sectigo CA cert.

Best wishes,
Mischa

On Sun, Nov 7, 2021 at 11:52 AM Achim Gratz <Stromeko@nexgo.de> wrote:
Mischa Salle writes:
But in any case, the server should send the intermediate Sectigo CA cert.
It does, just not for SMTP, so it indeed looks like a configuration problem. I can avoid the verification fault by importing the intermediate certificate, but I don't really want to do that. The cert in question needs to be renewed soon, so hopefully they'll fix that configuration problem whatever it is when they do that.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
On Sun, Nov 7, 2021 at 7:52 AM Achim Gratz <Stromeko@nexgo.de> wrote:
Some time between three weeks ago and about a week ago (I was away for a few days in between) something changed (on both my Tumbleweed machines) in the way certificates get checked for one of the mail servers I'm using:
Works for me.. is your trust store hosed?

# update-ca-certificates -fv

to rebuild it.
Cristian Rodríguez writes:
Works for me.. is your trust store hosed?

# update-ca-certificates -fv

to rebuild it.
No, I have confirmed the same problem from three different systems by now. It seems to affect just the SMTP server, the other services on that server actually deliver the correct chain of certificates (this is why I don't see the issue in Firefox since I did an HTTPS request there).

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
On Sun, Nov 7, 2021 at 3:20 PM Achim Gratz <Stromeko@nexgo.de> wrote:
Cristian Rodríguez writes:
Works for me.. is your trust store hosed?

# update-ca-certificates -fv

to rebuild it.
No, I have confirmed the same problem from three different systems by now.
I tried your example verbatim and the handshake was successful.. did you configure anything differently than default?
On 2021-11-07 at 21:03 -0300, Cristian Rodríguez wrote:

> On Sun, Nov 7, 2021 at 3:20 PM Achim Gratz <> wrote:
>> Cristian Rodríguez writes:
>>> Works for me.. is your trust store hosed?
>>> # update-ca-certificates -fv
>>> to rebuild it.
>>
>> No, I have confirmed the same problem from three different systems by now.
>
> I tried your example verbatim and the handshake was successful.. did you configure anything differently than default?

On Leap 15.2:

cer@minas-tirith:~> openssl s_client -showcerts -starttls smtp -connect smtp.vodafonemail.de:25 -name smtp.vodafonemail.de
CONNECTED(00000003)
depth=0 CN = www.vodafonemail.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.vodafonemail.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.vodafonemail.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIIKjCCBxKgAwIBAgIRAMSaOQvw1EiEUuAukU6jRdkwDQYJKoZIhvcNAQELBQAw
gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
...
1EfqHZTZ/Phyun2xmPhaSebZcz1ReYaED8xOGQwxztkEXIm/JMnMfYEkJ1OmoHje
xYTNn4nMeweTxwi/2eSf0b5zmXkp4gMnkcgAH5iZEgDb3FGOVo/PjShh2lEKLxqe
wsT526yJ8ap+u2KmPmJe3Z6PiazpkgxNrAhdmMLU
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.vodafonemail.de
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2867 bytes and written 439 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D64ACAD6A260EFFE3AECD7D24660BE303055E11E823748EAC00F8020A9A9E323
    Session-ID-ctx:
    Resumption PSK: 5AEDD6DD4DA0284D390FF406653B0C8F5CFC4F12E938FFFC6CBD1AA4ABC58872185F66740CB6041A36CF2FE9FBE10A1E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1636366480
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
read:errno=0
cer@minas-tirith:~>

--
Cheers
Carlos E. R.
(from openSUSE Leap 15.2 x86_64 (Minas Tirith))
Hi,

It is clear from the output that the SMTP server is not returning the intermediate certificate chain, it's a problem on the vodafonemail site.

Ciao, Marcus

On Mon, Nov 08, 2021 at 11:23:54AM +0100, Carlos E. R. wrote:
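The diagnosis the thread converges on (the SMTP server presents only the leaf, whose issuer is an intermediate rather than a root) can be turned into a repeatable check. The following is an added shell example, not code posted by anyone in the thread: it parses the Certificate chain section of the `openssl s_client -showcerts` output quoted above and verifies that every presented issuer is either a later presented certificate or a subject in the local CA bundle (the openSUSE bundle path Mischa mentioned is assumed as the default). The function names, the constructed anchor names and the embedded single-cert session are assumptions.

```shell
#!/bin/sh
# Added example (not from any poster): does a STARTTLS SMTP server present the
# intermediate its leaf needs? Parses `openssl s_client -showcerts` output and checks
# each presented issuer against later presented subjects and the local CA bundle.

# Subjects of every CA in a PEM bundle, in the "C = GB, ..., CN = ..." form s_client
# prints on s:/i: lines. Default path is the openSUSE one Mischa named (assumption).
trusted_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "${1:-/var/lib/ca-certificates/ca-bundle.pem}" |
        openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}

# Live capture, same s_client invocation as in the thread. $1 = host, $2 = port.
fetch_chain() {
    openssl s_client -showcerts -starttls smtp -connect "$1:${2:-25}" -name "$1" \
        </dev/null 2>/dev/null
}

# chain_report ANCHOR_SUBJECTS_FILE < s_client_output
# Exit 0: every presented cert's issuer is a later presented cert or a subject in
#         the anchors file. Exit 1: some issuer is neither, which at depth 0 is the
#         "missing intermediate" behind OpenSSL verify errors 20 and 21.
# Exit 2: no "Certificate chain" section in the input.
chain_report() {
    awk -v anchors="$1" '
        BEGIN { while ((getline line < anchors) > 0) anchor[line] = 1 }
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 2 }
            bad = 0
            for (k = 1; k <= n; k++) {
                ok = (iss[k] in anchor)                   # issuer is a local trust anchor
                for (j = k + 1; j <= n; j++) if (subj[j] == iss[k]) ok = 1   # or was sent
                if (!ok) { bad = 1; printf "depth %d: issuer neither presented nor a trust anchor: %s\n", k - 1, iss[k] }
            }
            if (bad) { printf "server sent %d cert(s): chain incomplete, does not reach a trust anchor\n", n; exit 1 }
            printf "server sent %d cert(s): chain reaches a trust anchor\n", n
        }'
}

# Constructed stand-in for the failing session quoted in the thread: only the leaf
# is presented and its issuer is the Sectigo intermediate, which no bundle holds as a root.
CONSTRUCTED_LEAF_ONLY=' 0 s:CN = www.vodafonemail.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA'

demo_missing_intermediate() {   # offline: constructed session vs a constructed anchor list; returns 1
    a=$(mktemp); echo 'CN = Constructed Example Root CA' > "$a"
    printf '%s\n' "$CONSTRUCTED_LEAF_ONLY" | chain_report "$a"; rc=$?; rm -f "$a"; return $rc
}

check_smtp_host() {   # live: check_smtp_host HOST [PORT] [BUNDLE]
    a=$(mktemp); trusted_subjects "$3" > "$a"
    fetch_chain "$1" "$2" | chain_report "$a"; rc=$?; rm -f "$a"; return $rc
}

case "${1:-}" in
    "") ;; --demo) demo_missing_intermediate ;; *) check_smtp_host "$@" ;;   # no args: define only
esac
```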
participants (5)
- Achim Gratz
- Carlos E. R.
- Cristian Rodríguez
- Marcus Meissner
- Mischa Salle