[openssl-users] alert number 46:

Jan Just Keijser janjust at nikhef.nl
Sun Nov 12 12:55:10 UTC 2017


On 12/11/17 05:39, Simon Matthews wrote:
> I have generated a new certificate for my CentOS 6/postfix server, and
> it seems to work with most clients, but when I try to send email using
> tls from my Android device, it always fails.
> In my postfix log, I see:
> warning: TLS library problem: 13671:error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown:s3_pkt.c:1275:SSL alert number 46:
> I get the same message when using the same new certificate with
> dovecot, so I don't think it is a postfix issue.
> To generate the certificate, I used the following commands:
> openssl genrsa -out MatthewsCA2017.key 2048
> openssl genrsa -des3 -out MatthewsCA2017.key 2048
> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
> 3000 -out MatthewsCA2017.pem
> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
> openssl req -new -key smtp.matthews-family.org.uk.key -out
> smtp.matthews-family.org.uk.csr
> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
> smtp.matthews-family.org.uk.crt -days 3000 -sha256
> Any ideas on what might be wrong?

you seem to have generated your own (new) CA and server certificate; is 
this CA (public) cert installed in postfix correctly. More importantly, 
is this new CA distributed to all devices?
An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN



More information about the openssl-users mailing list