Exim and TLS AUTH not working for some clients


On our outgoing mail server we recently upgraded to Debian Squeeze (stable), and since then we have had some strange problems with TLS authentication. I suspect it may be an OpenSSL issue, or possibly changes I made to the TLS setup afterwards while trying to get everything working again. However, I have gone over the Exim configuration carefully and checked it against the original configuration checklist for authenticating over TLS, and some clients are still having problems.

The specific problem we have is that Gnome Evolution, Mozilla Thunderbird and Eudora refuse to authenticate using TLS. Outlook and Outlook Express appear to have no problems, and they represent the majority of the clients connecting to the server, but the other clients use SSL correctly.

For example, Thunderbird produces the error message "An error occurred while connecting to :25. The peer's public key is invalid. (Error code: sec_error_bad_key)" when I try to connect using STARTTLS and an encrypted password. As far as I can tell, there is no reference to using public keys in the Exim configuration, and OpenSSL no longer uses them either; it treats the public key as part of the private key and uses an intermediate CA certificate.

Other tests I have done:

I can authenticate successfully using swaks:

$ swaks -s smtp.lightspeed.ca -p 25 --ehlo office.lightspeed.ca -au
<myuser> -ap <mypass> -t <myaddress> -f <myaddress>

=== Trying smtp.lightspeed.ca:25...
=== Connected to smtp.lightspeed.ca.
<-  220 ns2.lightspeed.ca ESMTP Exim 4.72 Thu, 31 Mar 2011 08:52:20 -0700
 -> EHLO office.lightspeed.ca
<-  250-ns2.lightspeed.ca Hello office.lightspeed.ca [65.110.29.154]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-AUTH PLAIN LOGIN
<-  250-STARTTLS
<-  250 HELP
 -> AUTH LOGIN
<-  334 <encrypted>
 -> <encrypted>
<-  334 <encrypted>
 -> <encrypted>
<-  235 Authentication succeeded
 -> MAIL FROM:<myaddress>
<-  250 OK
 -> RCPT TO:<myaddress>
<-  250 Accepted
 -> DATA
<-  354 Enter message, ending with "." on a line by itself
 -> Date: Thu, 31 Mar 2011 08:52:15 -0699
 -> To: <myaddress>
 -> From: <myaddress>
 -> Subject: test Thu, 31 Mar 2011 08:52:15 -0699
 -> X-Mailer: swaks v20100211.0 jetmore.org/john/code/swaks/
 ->
 -> This is a test mailing
 ->
 -> .
<-  250 OK id=1Q5KAW-0005Ep-TX
 -> QUIT
<-  221 ns2.lightspeed.ca closing connection
=== Connection closed with remote host.

As you can see, the Exim server offers STARTTLS along with the PLAIN and LOGIN authentication methods. Authentication succeeds.

If I try the OpenSSL method, the connection fails:

$ openssl s_client -starttls smtp -crlf -connect smtp.lightspeed.ca:25
CONNECTED(00000003)
depth=0
/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See
www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated -
QuickSSL(R)/CN=ns2.lightspeed.ca
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See
www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated -
QuickSSL(R)/CN=ns2.lightspeed.ca
verify error:num=27:certificate not trusted
verify return:1
depth=0
/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See
www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated -
QuickSSL(R)/CN=ns2.lightspeed.ca
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0
s:/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See
www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated -
QuickSSL(R)/CN=ns2.lightspeed.ca
   i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
subject=/serialNumber=EGKZzrdW-EpuM5jI3QaVFSdRqKZSh4QW/C=CA/O=ns2.lightspeed.ca/OU=GT90526192/OU=See
www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated -
QuickSSL(R)/CN=ns2.lightspeed.ca
issuer=/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
---
Acceptable client certificate CA names
/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao -
ITI/L=Brasilia/ST=DF/CN=Autoridade Certificadora Raiz Brasileira
/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/[email protected]
/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/[email protected]
/C=DE/ST=Hessen/L=Fulda/O=Debconf/CN=Debconf CA/[email protected]
/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/[email protected]
/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/[email protected]
/C=US/ST=DC/L=Washington/O=ABA.ECOM, INC./CN=ABA.ECOM Root
CA/[email protected]
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
CA Root
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Public CA Root
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Qualified CA Root
/C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
/C=US/O=America Online Inc./CN=America Online Root Certification Authority 2
/C=US/O=AOL Time Warner Inc./OU=America Online Inc./CN=AOL Time Warner
Root Certification Authority 1
/C=US/O=AOL Time Warner Inc./OU=America Online Inc./CN=AOL Time Warner
Root Certification Authority 2
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=beTRUSTed/OU=beTRUSTed Root CAs/CN=beTRUSTed Root CA-Baltimore
Implementation
/C=WW/O=beTRUSTed/CN=beTRUSTed Root CAs/CN=beTRUSTed Root CA
/O=beTRUSTed/OU=beTRUSTed Root CAs/CN=beTRUSTed Root CA - Entrust
Implementation
/O=beTRUSTed/OU=beTRUSTed Root CAs/CN=beTRUSTed Root CA - RSA Implementation
/C=EU/O=AC Camerfirma SA CIF
A82743287/OU=http://www.chambersign.org/CN=Chambers of Commerce Root
/C=EU/O=AC Camerfirma SA CIF
A82743287/OU=http://www.chambersign.org/CN=Global Chambersign Root
/C=FR/O=Certplus/CN=Class 2 Primary CA
/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA
Certificate Services
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure
Certificate Services
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Trusted
Certificate Services
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV
Root CA
/C=US/O=Digital Signature Trust Co./OU=DSTCA E1
/C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=DSTCA
X1/CN=DST RootCA X1/[email protected]
/C=US/O=Digital Signature Trust Co./OU=DSTCA E2
/C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=DSTCA
X2/CN=DST RootCA X2/[email protected]
/C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6
/O=Digital Signature Trust Co./CN=DST Root CA X3
/O=Entrust.net/OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits
liab.)/OU=(c) 2000 Entrust.net Limited/CN=Entrust.net Client Certification
Authority
/O=Entrust.net/OU=www.entrust.net/SSL_CPS incorp. by ref. (limits
liab.)/OU=(c) 2000 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
Authority (2048)
/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref.
limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client
Certification Authority
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by
reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification
Authority
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
/C=US/O=Equifax Secure/OU=Equifax Secure eBusiness CA-2
/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion
Firmaprofesional CIF A62634068/[email protected]
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./[email protected] C.I.F.  B-60929452/OU=IPS CA Chained CAs
Certification Authority/CN=IPS CA Chained CAs Certification
Authority/[email protected]
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./[email protected] C.I.F.  B-60929452/OU=IPS CA CLASE1 Certification
Authority/CN=IPS CA CLASE1 Certification
Authority/[email protected]
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./[email protected] C.I.F.  B-60929452/OU=IPS CA CLASE3 Certification
Authority/CN=IPS CA CLASE3 Certification
Authority/[email protected]
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./[email protected] C.I.F.  B-60929452/OU=IPS CA CLASEA1 Certification
Authority/CN=IPS CA CLASEA1 Certification
Authority/[email protected]
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./[email protected] C.I.F.  B-60929452/OU=IPS CA CLASEA3 Certification
Authority/CN=IPS CA CLASEA3 Certification
Authority/[email protected]
/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
CA/OU=Certificaciones/CN=IPS SERVIDORES/[email protected]
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./[email protected] C.I.F.  B-60929452/OU=IPS CA Timestamping
Certification Authority/CN=IPS CA Timestamping Certification
Authority/[email protected]
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi
Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi
Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi
Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi
Kft./OU=Tanusitvanykiadok/CN=NetLock Minositett Kozjegyzoi (Class QA)
Tanusitvanykiado/[email protected]
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root
Certification Authority
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
Validation
Authority/CN=http://www.valicert.com//[email protected]
/O=RSA Security Inc/OU=RSA Security 1024 V3
/O=RSA Security Inc/OU=RSA Security 2048 V3
/C=US/O=SecureTrust Corporation/CN=Secure Global CA
/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
/C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
/C=FI/O=Sonera/CN=Sonera Class1 CA
/C=FI/O=Sonera/CN=Sonera Class2 CA
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA
/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL
Certification Authority/[email protected]
/C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 1
/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
/C=CH/O=SwissSign AG/CN=SwissSign Platinum CA - G2
/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
/C=TW/O=Government Root Certification Authority
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 2 CA/[email protected]
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 3 CA/[email protected]
/C=DK/O=TDC Internet/OU=TDC Internet Root CA
/C=DK/O=TDC/CN=TDC OCES CA
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
Services Division/CN=Thawte Personal Basic
CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
Services Division/CN=Thawte Personal Freemail
CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
Services Division/CN=Thawte Personal Premium
CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server
CA/[email protected]
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Server CA/[email protected]
/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte
Certification/CN=Thawte Timestamping CA
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet
Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKARA/O=(c) 2005
T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim
G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet
Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST
Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi
Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication
and Email
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Network Applications
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 1 Policy
Validation
Authority/CN=http://www.valicert.com//[email protected]
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy
Validation
Authority/CN=http://www.valicert.com//[email protected]
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary
Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary
Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary
Certification Authority - G3
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)00/CN=VeriSign Time Stamping Authority CA
/C=US/O=VISA/OU=Visa International Service Association/CN=Visa eCommerce Root
/C=US/O=VISA/OU=Visa International Service Association/CN=GP Root 2
/C=US/O=Wells Fargo/OU=Wells Fargo Certification Authority/CN=Wells Fargo
Root Certificate Authority
/C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp
Global Certification Authority
/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root
Certification Authority
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- CA Klasa 1
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- CA Klasa 2
/C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa
3/serialNumber=Numer wpisu: 4
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- OCSP Klasa 2
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- OCSP Klasa 3
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- PCA Klasa 2
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- PCA Klasa 3
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- RootCA
/C=PL/O=TP Internet Sp. z o.o./OU=Centrum Certyfikacji Signet/CN=CC Signet
- TSA Klasa 1
/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certification
Authority/[email protected]
/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certificate
Authority/[email protected]
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom
Root CA 2
---
SSL handshake has read 22345 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-DSS-AES256-SHA
    Session-ID:
510F41918AD4A65D88A43BC6ED66651F98842EBBF7975295F6808342F9AE7067
    Session-ID-ctx:
    Master-Key:
53D1F9E30DC867D662BC2F859B79319294F67D7EB8753237A181DBE41C84B69EF00721F63BFC8938613EB7B694D8C53F
    Key-Arg   : None
    Start Time: 1301593832
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
quit
221 ns2.lightspeed.ca closing connection
closed

Answer 1

Use the -showcerts option of the openssl s_client command. It prints the entire certificate chain the server presents, not just the server certificate (so it also shows the intermediates). In your case, the errors simply indicate that you have failed to install the necessary intermediate certificate alongside the server certificate. As the previous poster mentioned, you must concatenate the server and intermediate certificates - and, as a best practice, add the root certificate as well, so that the server presents the whole chain rather than the leaf certificate on its own. The server certificate cannot stand alone, because the intermediate certificate is not specially trusted; only the root certificate is. You must chain all the way back to one of those. Once you have chained everything correctly, the openssl s_client test will report "self signed certificate in certificate chain" or "verified", but not "unable to get local issuer certificate" - at least if you bundle the root certificate too, which is what I recommend.

Answer 2

First, your openssl s_client connection did not fail: it reports that TLSv1 encryption was successfully negotiated with the DHE-DSS-AES256-SHA cipher. Then you told it to quit.

OpenSSL did complain about your certificate. Your certificate is signed by an authority, GeoTrust DV SSL CA, that OpenSSL does not appear to know. Either there is an intermediate certificate (that is, a certificate for "GeoTrust DV SSL CA" signed by a CA that is in your list) that you need to append after the certificate in the exim certificate file, or you need to update openssl's list of trusted CAs (on Debian this is done with the ca-certificates package). Note that Firefox maintains its own list of trusted certificate authorities.

Getting the intermediate certificate from GeoTrust and setting up exim to use it is probably a better solution than telling all your customers to update their lists of trusted CA certificates.

Edit

The "Acceptable client certificate CA names" message from openssl s_client indicates that exim is asking your client for a certificate, and that the certificate needs to come from one of those CAs ("those CAs" being the list configured in exim's tls_verify_certificates). If you are not using client certificates to identify your users, disable any tls_try_verify_* settings in exim and try again.

Answer 3

It looks like you are using a self-signed certificate. Client software generally does not trust such keys. If you can arrange to add your CA certificate to the clients' trust chain, you should have no problems. Otherwise, users will need to accept the certificate the first time they use it.

Usually the acceptance dialog defaults to accepting the exception permanently. Thunderbird works this way, but appears to require you to accept once for the IMAP/POP server and once for the SMTP server, even when they use the same certificate. Eudora and Exchange should work the same way.

As far as I know, most email servers do not verify the certificates presented to them. If they did, you would need to configure ACLs to prevent StartTLS from being offered to those servers.

Edit: OpenSSL's trusted certificates are kept in a directory (/etc/ssl/certs on Ubuntu). Certificates are generally named after the signing authority. There is also a symlink based on the key hash, used for lookups. You can add your own trusted certificates.
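The chain problem described in Answers 1 and 2, and the hashed certificate directory from Answer 3's edit, as an added shell example that is not code from the question or from any of the answers. It builds a throwaway root -> intermediate -> leaf PKI with constructed names (Test Root CA, Test Intermediate CA, mail.example.test), reproduces the "unable to get local issuer certificate" failure when the leaf is checked on its own, shows that a bundle ordered leaf first, then intermediate, verifies against a store holding only the root, checks the bundle's ordering, and installs the root into an OpenSSL-style hashed directory. It assumes the openssl command-line tool is in PATH; the function and file names are mine.

```shell
#!/usr/bin/env bash
# Added example for this Q&A, not code from the question or the answers.
# Builds a constructed test PKI (root -> intermediate -> leaf) and shows why a
# server that sends only its leaf certificate fails with OpenSSL error 20
# ("unable to get local issuer certificate"), while leaf + intermediate passes.
# Assumes the openssl CLI is in PATH. All names below are made up for the demo.
set -u

# Create root.pem, inter.pem and leaf.pem (plus keys) under directory $1.
build_test_pki() {
    local d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF
    # Self-signed root: the only certificate a client's trust store will hold.
    openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Test Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Test Intermediate CA' -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=mail.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf LEAF [openssl verify options...]: exit 0 if LEAF chains to a
# trusted root using the given store (-CAfile/-CApath) and -untrusted extras.
verify_leaf() {
    local leaf=$1; shift
    openssl verify "$@" "$leaf" >/dev/null 2>&1
}

# verify_error_text LEAF [options...]: text of the first verify error, e.g.
# "unable to get local issuer certificate" (empty when verification passes).
verify_error_text() {
    local leaf=$1; shift
    openssl verify "$@" "$leaf" 2>&1 | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# chain_is_ordered BUNDLE: exit 0 if each certificate's issuer is the subject
# of the next one, i.e. the file is ordered leaf, intermediate(s), [root],
# which is the order a server-side bundle (Exim's tls_certificate) must use.
chain_is_ordered() {
    local bundle=$1 tmp n i issuer subject
    tmp=$(mktemp -d)
    awk -v out="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (out "/" n ".pem")}' "$bundle"
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/$((i + 1)).pem" | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then rm -rf "$tmp"; return 1; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return 0
}

# install_in_capath CERT DIR: add CERT to an OpenSSL hashed directory (the
# layout of /etc/ssl/certs) and print the <subject_hash>.0 link name.
install_in_capath() {
    local cert=$1 dir=$2 h
    h=$(openssl x509 -noout -subject_hash -in "$cert")
    cp "$cert" "$dir/"
    ln -sf "$(basename "$cert")" "$dir/$h.0"
    echo "$h.0"
}

# Stand-alone demo of the failing and the fixed configurations.
demo() {
    local d; d=$(mktemp -d)
    build_test_pki "$d"
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/chain.pem"   # leaf first, then intermediate
    mkdir "$d/capath" && install_in_capath "$d/root.pem" "$d/capath" >/dev/null
    verify_leaf "$d/leaf.pem" -CAfile "$d/root.pem" \
        || echo "leaf alone: $(verify_error_text "$d/leaf.pem" -CAfile "$d/root.pem")"
    verify_leaf "$d/leaf.pem" -CAfile "$d/root.pem" -untrusted "$d/chain.pem" && echo "leaf + intermediate: OK"
    verify_leaf "$d/leaf.pem" -CApath "$d/capath" -untrusted "$d/chain.pem" && echo "via hashed CApath: OK"
    chain_is_ordered "$d/chain.pem" && echo "chain.pem is ordered leaf -> intermediate"
    rm -rf "$d"
}
demo
```

The -untrusted run stands in for a mail client that trusts only the root: it can complete the chain only if the server hands it the intermediate, which is what a bundle ordered server certificate first, then intermediate (and optionally root), achieves when Exim's tls_certificate points at it. The client-certificate prompt discussed in Answer 2's edit is a separate setting (tls_verify_certificates together with tls_try_verify_hosts) and is not touched here.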

Answer 4

I found that the ca-certificates package/bundle on most of my systems did not bundle Thawte/GeoTrust's newer, more secure root certificates. They have two sites containing all the certificates:

https://www.thawte.com/roots/
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1384
