smtp.comcast.net self-signed certs

Jeff Mitchell jeff at emailgoeshere.com
Thu Jan 15 23:09:11 CST 2009


I've been seeing some odd behavior today with some of the servers that 
respond to smtp.comcast.net on port 587. Some, but not all, of the 
servers are presenting self-signed certs, causing my own server to balk 
at making a connection. (The Organization is RTFM, Inc. -- it'd be funny 
if mail wasn't queueing up on my end). Sometimes I get a server with a 
legit cert, so I can slowly drain my queue by flushing it over and over 
and over...

openssl s_client output below. I can send a libpcap trace on request.

--Jeff

┌─(root at bookcase)(04:48:06)
└─(~)-> openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect 
smtp.comcast.net:587
CONNECTED(00000003)
depth=1 /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
1 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICGDCCAYECAgEBMA0GCSqGSIb3DQEBBAUAMFcxCzAJBgNVBAYTAlVTMRMwEQYD
VQQKEwpSVEZNLCBJbmMuMRkwFwYDVQQLExBXaWRnZXRzIERpdmlzaW9uMRgwFgYD
VQQDEw9UZXN0IENBMjAwMTA1MTcwHhcNMDEwNTE3MTYxMDU5WhcNMDQwMzA2MTYx
MDU5WjBRMQswCQYDVQQGEwJVUzETMBEGA1UEChMKUlRGTSwgSW5jLjEZMBcGA1UE
CxMQV2lkZ2V0cyBEaXZpc2lvbjESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCiWhMjNOPlPLNW4DJFBiL2fFEIkHuRor0pKw25
J0ZYHW93lHQ4yxA6afQr99ayRjMY0D26pH41f0qjDgO4OXskBsaYOFzapSZtQMbT
97OCZ7aHtK8z0ZGNW/cslu+1oOLomgRxJomIFgW1RyUUkQP1n0hemtUdCLOLlO7Q
CPqZLQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAIumUwl1OoWuyN2xfoBHYAs+lRLY
KmFLoI5+iMcGxWIsksmA+b0FLRAN43wmhPnums8eXgYbDCrKLv2xWcvKDP3mps7m
AMivwtu/eFpYz6J8Mo1fsV4Ys08A/uPXkT23jyKo2hMu8mywkqXCXYF2e+7pEeBr
dsbmkWK5NgoMl8eM
-----END CERTIFICATE-----
subject=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
issuer=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
No client certificate CA names sent
---
SSL handshake has read 1965 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8B976D67A76BBFEF5E46CA9D079C1C1208D037B8F5825049C45B57C05786A891
Session-ID-ctx:
Master-Key: 
4DC43D803056BF32082F3E35B2818539E33B7321455AD625D3AD124BAD719C12C5903C9F1889EAB7A5F313B9A54D74A6
Key-Arg : None
Start Time: 1232081287
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 OK




More information about the NANOG mailing list