[openssl-users] alert number 46:

Simon Matthews simon.d.matthews at gmail.com
Sun Nov 12 15:47:25 UTC 2017 

On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
> Hi,
>
> On 12/11/17 05:39, Simon Matthews wrote:
>>
>> I have generated a new certificate for my CentOS 6/postfix server, and
>> it seems to work with most clients, but when I try to send email using
>> tls from my Android device, it always fails.
>>
>> In my postfix log, I see:
>>
>> warning: TLS library problem: 13671:error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>
>> I get the same message when using the same new certificate with
>> dovecot, so I don't think it is a postfix issue.
>>
>> To generate the certificate, I used the following commands:
>>
>> openssl genrsa -out MatthewsCA2017.key 2048
>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>> 3000 -out MatthewsCA2017.pem
>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>> smtp.matthews-family.org.uk.csr
>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>
>> Any ideas on what might be wrong?
>>
>
> you seem to have generated your own (new) CA and server certificate; is this
> CA (public) cert installed in postfix correctly. More importantly, is this
> new CA distributed to all devices?
> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

In my Android device, I am using the option "TLS (Accept all
certificates)" which was working with my prior certificate. I built a
new CA and certificate because Microsoft/Hotmail would not send email
to my server because of the use of MD5 in the certificate chain.

In the postfix main.cf, I have:
smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem

The file exists:
# ls /etc/ssl/MatthewsCA2017.pem
/etc/ssl/MatthewsCA2017.pem

This is CentOS 6 VM.

Is there anything else I should do to install the certificates? I
notice that the dovecot configuration doesn't explicitly define the CA
certificate location, so perhaps I have missed something?

Simon

More information about the openssl-users mailing list