Hi Linda, I was mostly wondering what mailserver program and openssl version you use. I am now assuming sendmail and whatever we released as openssl online updates for 13.1/13.2. The problem described is real, and related to the SSL PADDING extensions that was introduced in 1.0.1g. :( Ciao, Marcus On Wed, Mar 25, 2015 at 03:17:13PM -0700, Linda Walsh wrote:
Marcus Meissner wrote:
Which distribution? -- I can answer that with 13.1+13.2, and you might say such a mix is unsupported, however, I would equally ask, which, of the many updates, of the various packages is one using?
I encountered this after upgrading my openssl package from 13.1->13.2, but I have yet to update my sendmail package, since that is more of a pain.
I *didn't* have my "ca" list updated, but in looking for causes for this, I updated my "ca" packages to 13.2. Then I ran into weird permission problems trying to regenerate the .db files -- but got weird problems there -- some of the files in that dir had the execute bit set, and the "makemap" program wouldn't run or change such files, Example: /etc/mail/auth/auto-info had permissions 700 (owned by root). The makemap prog said an executable was not allowed.
But file said:
/etc/mail/auth/auth-info: ASCII text
It really was complaining about the 'x' bit being set for 'root' -- even though makemap's handling of the file is only as a 'text file'. The 'x' bit should make no difference, but it refused to run.
That sendmail version: sendmail-8.14.7-92.2.1.x86_64 (included in 13.1).
When I updated my ca-certs packages: 1:ca-certificates-1_201403302107-8.################################# [ 50%] p11-kit: imapd-192.168.3.1.pem: BEGIN ...: unsupported pem block in store p11-kit: imapd-mail.sc.tlinx.org.pem: invalid field line: no colon p11-kit: imapd.pem: BEGIN ...: unsupported pem block in store p11-kit: imapds-192.168.3.1.pem: BEGIN ...: unsupported pem block in store p11-kit: imapds-ishtar.sc.tlinx.org.pem: BEGIN ...: unsupported pem block in store p11-kit: imapds-mail.sc.tlinx.org.pem: BEGIN ...: unsupported pem block in store p11-kit: imapds.pem: BEGIN ...: unsupported pem block in store --repeated 2-3 times--- then... /etc/ssl/certs/A-Trust-nQual-03.pem in the way *) /etc/ssl/certs/AC_Ra_xC3_xADz_Certic_xC3_xA1mara_S.A..pem in the way *) /etc/ssl/certs/ACCVRAIZ1.pem in the way *) ... /etc/ssl/certs/XRamp_Global_CA_Root.pem in the way *) /etc/ssl/certs/YaST-CA.pem in the way *) /etc/ssl/certs/A-Trust-nQual-03.pem is in the wrong location *) /etc/ssl/certs/AC_Ra_xC3_xADz_Certic_xC3_xA1mara_S.A..pem is in the wrong locati on *) /etc/ssl/certs/ACCVRAIZ1.pem is in the wrong location *) ... /etc/ssl/certs/YaST-CA.pem is in the wrong location *) 0 added, 0 removed. * = CA Certificates in /etc/ssl/certs are only seen by some legacy applications. To install CA-Certificates globally move them to /etc/pki/trust/anchors instead! p11-kit: imapd-192.168.3.1.pem: BEGIN ...: unsupported pem block in store p11-kit: imapd-mail.sc.tlinx.org.pem: invalid field line: no colon p11-kit: imapd.pem: BEGIN ...: unsupported pem block in store p11-kit: imapds-192.168.3.1.pem: BEGIN ...: unsupported pem block in store ..several more.. -- Thought the installation had failed, but thenL: Ishtar:/var/lib/ca-certificates# rpm --replacefiles -Uhv /suse132/ca-certificates-1_201403302107-8.1.2.noarch.rpm Preparing... ################################# [100%] package ca-certificates-1_201403302107-8.1.2.noarch is already installed
---- So I guess they are installed... but it sure didn't encouraging.
Will have to try another email... but I've never 'knowingly' tried to use TLS or SSL on my outgoing mail -- imap access, yes, but outgoing sendmail?... weird.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org