Re: gnutls error
At Mon, 08 Oct 2012 13:39:48 +0900,
Kazuhiro Ito wrote:
> Because the --starttls option makes gnutls-cli establish a plain
> session, errors related to certificates never occur at this step. If you
> want to dig into what happens, you need to start TLS explicitly.
>
> 1. After the plain session is established, send `STARTTLS' commands to
> your SMTP server.
>
> STARTTLS
>
> 2. Send SIGALRM to gnutls-cli
>
> $ kill -ALRM (process id of gnutls-cli)
Thanks for your answer.
It does seem to succeed:
------------------------8<------------------------
$ gnutls-cli --verbose --port 465 --insecure --starttls --x509cafile /etc/ssl/certs/ca-certificates.crt smtp.rabbitmq.com
Processed 152 CA certificate(s).
Resolving 'smtp.rabbitmq.com'...
Connecting to '208.91.1.34:465'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
- Simple Client Mode:
- Received[67]: 220 smtp.rabbitmq.com ESMTP Postfix (Breeding Rabbits since 2006)
STARTTLS
- Sent: 9 bytes
- Received[30]: 220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'smtp.rabbitmq.com'.
*** Verifying server certificate failed...
- Server's trusted authorities:
[0]: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
- Successfully sent 0 certificate(s) to server.
- Session ID: 03:E7:BA:35:8A:7F:4B:B6:10:09:94:25:33:5A:8C:AA:6E:34:D8:AE:DA:3F:E0:1E:C3:35:31:F7:3E:B4:F8:92
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- X.509 Certificate Information:
Version: 3
Serial Number (hex): 03
Issuer: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
Validity:
Not Before: Sat May 15 23:55:19 UTC 2010
Not After: Tue May 12 23:55:19 UTC 2020
Subject: CN=smtp.rabbitmq.com,ST=London,C=GB,EMAIL=info@rabbitmq.com,O=RabbitMQ
Subject Public Key Algorithm: RSA
Certificate Security Level: Legacy (2048 bits)
Modulus (bits 2048):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
Key Usage (not critical):
Digital signature.
Key encipherment.
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Signature Algorithm: RSA-SHA1
Signature:
Other Information:
SHA-1 fingerprint:
b2fe96adc14e412fc2889be90fbe1e8e281745b3
Public Key Id:
5aa983b7e5f2253ad142a08ed1fd0e50fa9ef1d7
Public key's random art:
+--[ RSA 2048]----+
| |
| o |
| . = . |
|. = . . . |
| + o o .S |
|. . +.++. |
| ..*=oo.. |
| o.=*.oE |
| o=o |
+-----------------+
- Certificate[1] info:
- X.509 Certificate Information:
Version: 3
Serial Number (hex): 009a6800aef707e678
Issuer: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
Validity:
Not Before: Sat May 15 23:43:48 UTC 2010
Not After: Wed Feb 12 23:43:48 UTC 2020
Subject: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
Subject Public Key Algorithm: RSA
Certificate Security Level: Legacy (2048 bits)
Modulus (bits 2048):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): TRUE
Key Usage (not critical):
Certificate signing.
CRL signing.
Signature Algorithm: RSA-SHA1
Signature:
Other Information:
SHA-1 fingerprint:
a014aac2a8eb4ea50434bbba7cd2668dacfba43a
Public Key Id:
fd7ad559768afc57a95f259ac42bd160078731df
Public key's random art:
+--[ RSA 2048]----+
| +o. |
| .= . |
| o o E |
| o = +|
| S o.+..+*|
| +o+o++|
| . =o. o|
| o... o|
| .. .o |
+-----------------+
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Channel binding 'tls-unique': ce2ce1f0f8aef33032eb8484
------------------------>8------------------------
--
Francesco * Often in error, never in doubt
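
The session above was run with `--insecure`, so the handshake goes on to negotiate TLS1.2 even though certificate verification is reported as failed. As an added example (not part of the original message), the script below reads a saved `gnutls-cli --verbose` transcript and reports the two outcomes separately, along with which certificates in the chain are self-signed; the function names and `key=value` output format are illustrative, and the sample input is abridged from the session above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): summarise a saved `gnutls-cli --verbose`
# transcript, reporting handshake completion separately from verification.

summarize_transcript() {    # transcript on stdin -> key=value lines on stdout
    awk '
        { sub(/^[ \t]+/, "") }    # gnutls-cli indents the certificate fields
        /^- Peer.s certificate issuer is unknown/     { reason = "issuer-unknown" }
        /^\*\*\* Verifying server certificate failed/ { verify = "failed" }
        /^- Certificate\[[0-9]+\] info:/ { n = $2; gsub(/[^0-9]/, "", n); if (n + 0 > max) max = n + 0 }
        /^Issuer: /              { issuer[n]  = substr($0, 9) }
        /^Subject: /             { subject[n] = substr($0, 10) }
        /^Signature Algorithm: / { sig[n] = $3 }
        /^- Version: /           { version = $3 }
        END {
            # Assumption: the negotiated "- Version:" line is printed only
            # after the handshake has completed.
            print "handshake=" (version != "" ? "completed" : "not-completed")
            print "verify=" (verify != "" ? verify : "no-failure-reported")
            if (reason != "") print "reason=" reason
            for (i = 0; i <= max; i++) if (i in subject)
                print "cert" i "=" (issuer[i] == subject[i] ? "self-signed" : "issued") "," sig[i]
        }'
}

sample_transcript() {       # abridged from the session quoted in this message
    cat <<'EOF'
*** Starting TLS handshake
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
*** Verifying server certificate failed...
- Certificate[0] info:
Issuer: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
Subject: CN=smtp.rabbitmq.com,ST=London,C=GB,EMAIL=info@rabbitmq.com,O=RabbitMQ
Signature Algorithm: RSA-SHA1
- Certificate[1] info:
Issuer: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
Subject: OU=RabbitMQ CA,O=RabbitMQ,ST=London,L=London,C=GB,EMAIL=info@rabbitmq.com,CN=RabbitMQ CA
Signature Algorithm: RSA-SHA1
- Version: TLS1.2
EOF
}

sample_transcript | summarize_transcript
```

For this session the summary shows `cert1` as self-signed: the chain ends in the server's own "RabbitMQ CA" root, which is why the issuer is unknown when checked against `/etc/ssl/certs/ca-certificates.crt`.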