[openssl-users] sendmail, openssl 1.1.1, tls1.3
carl at five-ten-sg.com
Mon Oct 15 23:49:39 UTC 2018
> Perhaps Sendmail is setting the CA names the client side, and then
> OpenSSL is trying to serialize the names of all your CAs to the
> server. This is a bad idea. Don't do that. Try using CApath, and
> no or an explicitly empty CAfile, and see if that helps.
Do you mean CACertFile and CACertPath? The Redhat/Centos stock config
points CACertFile to a 750KB file with 149 certificates. That just
seems wrong, but perhaps there is some reason for it. If CACertFile is
not specified, sendmail won't advertise STARTTLS. So we need to give it
something there, and the docs imply that it should at least contain the
certificate of the CA that signed the sendmail certificate. I have a
private CA that signed my sendmail certificate, so using:
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
on both the client and server sendmail machines, we get TLSv1.3!
Perhaps some certificate in the stock ca-bundle.crt is malformed?
> No something else. A pointer to source code of the Sendmail in
> question may be helpful.
> Do you see any calls to SSL_CTX_set0_CA_list()?
No, but there is a call to SSL_CTX_set_client_CA_list(*ctx,
SSL_load_client_CA_file(cacertfile)) which would read that ca-bundle.crt
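The call quoted above, SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)), makes OpenSSL send the subject name of every certificate in that file in the CertificateRequest's certificate_authorities list, so a 149-certificate ca-bundle.crt inflates every handshake in which the server asks for a client certificate. The script below is an added example, not Sendmail or OpenSSL code; it walks the DER of each certificate in a PEM bundle the way SSL_load_client_CA_file would, pulls out the subject Name, and adds up the bytes that would go on the wire. The bundle it runs on is constructed in the script (structurally valid but unsigned, throwaway certificates) so that it runs offline; point `ca_list_cost()` at the bytes of your real CACertFile to measure your own configuration.

```python
"""Added example: estimate the CA-name list OpenSSL serializes into the
CertificateRequest when a PEM bundle is passed to
SSL_CTX_set_client_CA_list(SSL_load_client_CA_file(path)).
Pure-Python DER walking; no OpenSSL binding needed."""
import base64
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv_bounds(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def subject_name_der(cert_der):
    """Extract the DER-encoded subject Name, the bytes OpenSSL puts in the CA list."""
    _, pos, _ = der_tlv_bounds(cert_der, 0)       # Certificate ::= SEQUENCE
    _, pos, _ = der_tlv_bounds(cert_der, pos)     # tbsCertificate ::= SEQUENCE
    tag, _, end = der_tlv_bounds(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                            # serialNumber, signature, issuer, validity
        _, _, pos = der_tlv_bounds(cert_der, pos)
    tag, _, end = der_tlv_bounds(cert_der, pos)   # subject Name
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; malformed certificate")
    return cert_der[pos:end]


def pem_bundle_certs(bundle):
    """Split a PEM bundle (bytes) into DER certificates, as SSL_load_client_CA_file does."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_CERT.finditer(bundle)]


def ca_list_cost(bundle):
    """(number of names, bytes on the wire) for the certificate_authorities list.
    Each DistinguishedName travels behind a 2-byte length (RFC 5246 7.4.4,
    RFC 8446 4.2.4) and the list itself behind one more 2-byte length."""
    names = [subject_name_der(c) for c in pem_bundle_certs(bundle)]
    return len(names), 2 + sum(2 + len(n) for n in names)


# --- constructed test data: minimal, unsigned certificates (assumption, not real CAs) ---
def der_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding commonName (2.5.4.3) as UTF8String."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def fake_cert_pem(cn):
    """Structurally valid X.509 skeleton with empty key and signature; for measurement only."""
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02")) +                                   # version v3
        der_tlv(0x02, b"\x01") +                                                  # serialNumber
        der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))) +       # sha256WithRSA
        der_name(cn) +                                                            # issuer
        der_tlv(0x30, der_tlv(0x17, b"181015000000Z") + der_tlv(0x17, b"281015000000Z")) +
        der_name(cn) +                                                            # subject
        der_tlv(0x30, b""))                                                       # empty SPKI
    cert = der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed stand-in for a 149-certificate ca-bundle.crt
    bundle = "".join(fake_cert_pem(f"Test CA {i}") for i in range(149)).encode()
    count, nbytes = ca_list_cost(bundle)
    print(f"{count} CA names -> {nbytes} bytes of certificate_authorities per CertificateRequest")
    # An empty CACertFile leaves SSL_load_client_CA_file nothing to send
    print("empty CAfile ->", ca_list_cost(b""))
```

Real CA subject names are far longer than the one-attribute names constructed here, so the figure for an actual distribution bundle is correspondingly larger; what the script shows is that the cost scales with every certificate in the file, not with the single private CA that actually signed the server certificate.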