SSL_accept error from 213-225-38-118.nat.highway.a1.net[213.225.38.118]: -1 - Addendum

Andreas Wass - Glas Gasperlmair a.wass at glas-gasperlmair.at
Mon Oct 25 11:13:10 CEST 2021


On 25.10.2021 at 10:09, Walter H. wrote:
> can you take a look at the intermediate certificate that you send along?
openssl s_client -starttls smtp -connect mail1.glasgasperlmair.at:25

Produces the following output:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail1.glasgasperlmair.at
verify return:1
---
Certificate chain
  0 s:CN = mail1.glasgasperlmair.at
    i:C = US, O = Let's Encrypt, CN = R3
  1 s:C = US, O = Let's Encrypt, CN = R3
    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
    i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
..................................... (I cut this out so the message isn't so long)
-----END CERTIFICATE-----
subject=CN = mail1.glasgasperlmair.at

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5593 bytes and written 808 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: ACEDFFDE7C8E9CE76B54BF923D425B14650C5CA534FB20962DAF2BECB6F5FA3F
     Session-ID-ctx:
     Resumption PSK: 64DDB3FA7E7CA53B1B9AC72F6F977843385E291FA6C3692CD9045212F99AE91BFA52A759665BDAF97536A993D6CF8C93
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:

     Start Time: 1635152892
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
>
> On 25.10.2021 09:10, Andreas Wass - Glas Gasperlmair wrote:
>> Oct 25 08:59:14 mail postfix/submission/smtpd[33873]: warning: TLS 
>> library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 
>> alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert 
>> number 46: 
>
>


