
Re: gnutls error



At Mon, 08 Oct 2012 13:39:48 +0900,
Kazuhiro Ito wrote:
> Because the --starttls option makes gnutls-cli establish a plain
> session, errors related to certificates never occur at this step.  If you
> want to dig into what happens, you need to start TLS explicitly.
> 
> 1. After the plain session is established, send the `STARTTLS' command to
> your SMTP server.
> 
> STARTTLS
> 
> 2. Send SIGALRM to gnutls-cli
> 
> $ kill -ALRM (process id of gnutls-cli)

Thanks for your answer.

It does seem to succeed:

------------------------8<------------------------

$ gnutls-cli --verbose --port 465 --insecure  --starttls --x509cafile /etc/ssl/certs/ca-certificates.crt smtp.rabbitmq.com
Processed 152 CA certificate(s).
Resolving 'smtp.rabbitmq.com'...
Connecting to '208.91.1.34:465'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data

- Simple Client Mode:

- Received[67]: 220 smtp.rabbitmq.com ESMTP Postfix (Breeding Rabbits since 2006)

STARTTLS
- Sent: 9 bytes
- Received[30]: 220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'smtp.rabbitmq.com'.
*** Verifying server certificate failed...
- Server's trusted authorities:
   [0]: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
- Successfully sent 0 certificate(s) to server.
- Session ID: 03:E7:BA:35:8A:7F:4B:B6:10:09:94:25:33:5A:8C:AA:6E:34:D8:AE:DA:3F:E0:1E:C3:35:31:F7:3E:B4:F8:92
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03
	Issuer: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
	Validity:
		Not Before: Sat May 15 23:55:19 UTC 2010
		Not After: Tue May 12 23:55:19 UTC 2020
	Subject: CN=smtp.rabbitmq.com,ST=London,C=GB,EMAIL=info@rabbitmq.com,O=RabbitMQ
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Legacy (2048 bits)
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (not critical):
			Certificate Authority (CA): FALSE
		Key Usage (not critical):
			Digital signature.
			Key encipherment.
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
	Signature Algorithm: RSA-SHA1
	Signature:
Other Information:
	SHA-1 fingerprint:
		b2fe96adc14e412fc2889be90fbe1e8e281745b3
	Public Key Id:
		5aa983b7e5f2253ad142a08ed1fd0e50fa9ef1d7
	Public key's random art:
		+--[ RSA 2048]----+
		|                 |
		|    o            |
		| . = .           |
		|. = . .  .       |
		| + o o .S        |
		|. . +.++.        |
		|   ..*=oo..      |
		|    o.=*.oE      |
		|      o=o        |
		+-----------------+



- Certificate[1] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 009a6800aef707e678
	Issuer: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
	Validity:
		Not Before: Sat May 15 23:43:48 UTC 2010
		Not After: Wed Feb 12 23:43:48 UTC 2020
	Subject: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Legacy (2048 bits)
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (not critical):
			Certificate Authority (CA): TRUE
		Key Usage (not critical):
			Certificate signing.
			CRL signing.
	Signature Algorithm: RSA-SHA1
	Signature:
Other Information:
	SHA-1 fingerprint:
		a014aac2a8eb4ea50434bbba7cd2668dacfba43a
	Public Key Id:
		fd7ad559768afc57a95f259ac42bd160078731df
	Public key's random art:
		+--[ RSA 2048]----+
		|          +o.    |
		|          .= .   |
		|          o o E  |
		|         o =    +|
		|        S o.+..+*|
		|           +o+o++|
		|          . =o. o|
		|           o... o|
		|          ..  .o |
		+-----------------+



- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Channel binding 'tls-unique': ce2ce1f0f8aef33032eb8484

------------------------>8------------------------

--
Francesco * Often in error, never in doubt
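
An added example, not part of the original message: a Python triage of `gnutls-cli --verbose` output that reports "handshake completed" separately from "certificate verified", because with `--insecure` on the command line the session is negotiated even when verification fails. The `triage` helper, its verdict and finding labels, and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: abridged from the transcript quoted above (hex/PEM dropped).
SAMPLE = """\
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
- Received[30]: 220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'smtp.rabbitmq.com'.
*** Verifying server certificate failed...
- Certificate[0] info:
\tSignature Algorithm: RSA-SHA1
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Cipher: AES-128-GCM
"""

MARKER = "*** Starting TLS handshake"

def triage(transcript):
    """Summarise a gnutls-cli --verbose transcript (hypothetical helper)."""
    _, started, after = transcript.partition(MARKER)
    report = {"verdict": "no-handshake", "findings": [], "session": {}}
    if "Diffie-Hellman key exchange has been lowered" in transcript:
        report["findings"].append("dh-level-lowered")
    if not started:
        return report  # plain session only: no certificate was examined
    for line in after.splitlines():
        line = line.strip()
        if line == "- Peer's certificate issuer is unknown":
            report["findings"].append("issuer-unknown")
        elif line == "- Peer's certificate is NOT trusted":
            report["findings"].append("not-trusted")
        elif m := re.fullmatch(r"Signature Algorithm: (\S+)", line):
            if m.group(1).upper().endswith(("SHA1", "MD5")):
                report["findings"].append("weak-signature:" + m.group(1))
        elif m := re.fullmatch(r"- (Version|Key Exchange|Cipher): (\S+)", line):
            report["session"][m.group(1)] = m.group(2)
    failed = "*** Verifying server certificate failed" in after
    # A "- Version:" line means the handshake finished; that alone says
    # nothing about trust, so the verdict keeps the two facts apart.
    if "Version" in report["session"]:
        untrusted = failed or "not-trusted" in report["findings"]
        report["verdict"] = "encrypted-unverified" if untrusted else "encrypted-verified"
    else:
        report["verdict"] = "handshake-failed"
    return report
```
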