smtp.comcast.net self-signed certs
Jeff Mitchell
jeff at emailgoeshere.com
Fri Jan 16 05:09:11 UTC 2009
I've been seeing some odd behavior today with some of the servers that
respond to smtp.comcast.net on port 587. Some, but not all, of the
servers are presenting self-signed certs, causing my own server to balk
at making a connection. (The Organization is RTFM, Inc. -- it'd be funny
if mail wasn't queueing up on my end). Sometimes I get a server with a
legit cert, so I can slowly drain my queue by flushing it over and over
and over...
openssl s_client output below. I can send a libpcap trace on request.
--Jeff
┌─(root at bookcase)(04:48:06)
└─(~)-> openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect
smtp.comcast.net:587
CONNECTED(00000003)
depth=1 /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
1 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICGDCCAYECAgEBMA0GCSqGSIb3DQEBBAUAMFcxCzAJBgNVBAYTAlVTMRMwEQYD
VQQKEwpSVEZNLCBJbmMuMRkwFwYDVQQLExBXaWRnZXRzIERpdmlzaW9uMRgwFgYD
VQQDEw9UZXN0IENBMjAwMTA1MTcwHhcNMDEwNTE3MTYxMDU5WhcNMDQwMzA2MTYx
MDU5WjBRMQswCQYDVQQGEwJVUzETMBEGA1UEChMKUlRGTSwgSW5jLjEZMBcGA1UE
CxMQV2lkZ2V0cyBEaXZpc2lvbjESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCiWhMjNOPlPLNW4DJFBiL2fFEIkHuRor0pKw25
J0ZYHW93lHQ4yxA6afQr99ayRjMY0D26pH41f0qjDgO4OXskBsaYOFzapSZtQMbT
97OCZ7aHtK8z0ZGNW/cslu+1oOLomgRxJomIFgW1RyUUkQP1n0hemtUdCLOLlO7Q
CPqZLQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAIumUwl1OoWuyN2xfoBHYAs+lRLY
KmFLoI5+iMcGxWIsksmA+b0FLRAN43wmhPnums8eXgYbDCrKLv2xWcvKDP3mps7m
AMivwtu/eFpYz6J8Mo1fsV4Ys08A/uPXkT23jyKo2hMu8mywkqXCXYF2e+7pEeBr
dsbmkWK5NgoMl8eM
-----END CERTIFICATE-----
subject=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
issuer=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
No client certificate CA names sent
---
SSL handshake has read 1965 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8B976D67A76BBFEF5E46CA9D079C1C1208D037B8F5825049C45B57C05786A891
Session-ID-ctx:
Master-Key:
4DC43D803056BF32082F3E35B2818539E33B7321455AD625D3AD124BAD719C12C5903C9F1889EAB7A5F313B9A54D74A6
Key-Arg : None
Start Time: 1232081287
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 OK
More information about the NANOG
mailing list