
Re: STARTTLS weirdness in sendmail 8.12.10-1



On Fri, 19 Sep 2003, Richard A Nelson wrote:

> 	* Client (MSP, user) failing to verify Server (MTA)
> 	  still looking at this one :(
> Sep 19 19:45:03 renegade sendmail[11890]: STARTTLS=client,
> relay=localhost.badlands.org., version=TLSv1/SSLv3, verify=FAIL,
> cipher=DHE-RSA-AES256-SHA, bits=256/256
> Sep 19 19:45:03 renegade sm-mta[11894]: STARTTLS=server, relay=localhost
> [127.0.0.1], version=TLSv1/SSLv3, verify=FAIL,
> cipher=DHE-RSA-AES256-SHA, bits=256/256
>
> 	Now both fail at verification :(

aha... in my case (all my boxen, in fact) the certificate just
expired!!!

I ran /usr/share/sendmail/update_tls new to create a new set of
certificates and things are now kosher!

Sep 19 21:22:20 renegade sendmail[22155]: STARTTLS=client,
relay=localhost.badlands.org., version=TLSv1/SSLv3, verify=OK,
cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 19 21:22:20 renegade sm-mta[22156]: STARTTLS=server, relay=localhost
[127.0.0.1], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA,
bits=256/256

so, if you get a FAIL message, please check your expiration dates!
# for f in /etc/mail/tls/sendmail-{server,client}.crt; do
      openssl x509 -in "$f" -noout -enddate; done

-- 
Rick Nelson
Once upon a time there was a DOS user who saw Unix, and saw that it was
good. After typing cp on his DOS machine at home, he downloaded GNU's
unix tools ported to DOS and installed them. He rm'd, cp'd, and mv'd
happily for many days, and upon finding elvis, he vi'd and was happy. After
a long day at work (on a Unix box) he came home, started editing a file,
and couldn't figure out why he couldn't suspend vi (w/ ctrl-z) to do
a compile.
(By ewt@tipper.oit.unc.edu (Erik Troan))
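An added example, not part of the message or of sendmail itself: a small Python script that parses the STARTTLS log lines quoted above to list the sessions whose verify result is not OK, and turns the notAfter line from the openssl command into days-to-expiry so an expired or soon-expiring certificate is caught before verification starts failing. The sample log lines and the notAfter value are constructed; the date format assumed is openssl's default -enddate output.

```python
import re
from datetime import datetime, timezone
# Matches the STARTTLS summary sendmail logs for the client (MSP) and the
# server (sm-mta) side of a session, as in the lines quoted in the message.
STARTTLS_RE = re.compile(
    r"(?P<prog>sendmail|sm-mta)\[(?P<pid>\d+)\]: STARTTLS=(?P<role>client|server), "
    r"relay=(?P<relay>.+?), version=(?P<version>\S+), verify=(?P<verify>\w+), "
    r"cipher=(?P<cipher>\S+), bits=(?P<bits>\d+/\d+)"
)

def parse_starttls(lines):
    """One dict per STARTTLS entry; lines wrapped when pasted into mail are
    joined back onto the entry they belong to first."""
    entries, buf = [], ""
    for line in lines:
        if "STARTTLS=" in line:
            if buf:
                entries.append(buf)
            buf = line.strip()
        elif buf:
            buf += " " + line.strip()
    if buf:
        entries.append(buf)
    matches = (STARTTLS_RE.search(e) for e in entries)
    return [m.groupdict() for m in matches if m]

def failed_verifications(lines):
    """(role, relay) pairs whose certificate verification was not OK."""
    return [(e["role"], e["relay"]) for e in parse_starttls(lines)
            if e["verify"] != "OK"]

def days_until_expiry(enddate_line, now):
    """Days left on a cert from the 'notAfter=Mon DD HH:MM:SS YYYY GMT' line
    that `openssl x509 -noout -enddate` prints; negative means expired."""
    text = enddate_line.split("=", 1)[1].strip()
    not_after = datetime.strptime(text, "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days

# Constructed sample: the failing session quoted in the report, wrapped as it
# appears in the mail, plus a constructed -enddate line for an expired cert.
SAMPLE_LOG = [
    "Sep 19 19:45:03 renegade sendmail[11890]: STARTTLS=client,",
    "relay=localhost.badlands.org., version=TLSv1/SSLv3, verify=FAIL,",
    "cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "Sep 19 19:45:03 renegade sm-mta[11894]: STARTTLS=server, relay=localhost",
    "[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL,",
    "cipher=DHE-RSA-AES256-SHA, bits=256/256",
]
SAMPLE_ENDDATE = "notAfter=Sep 19 12:00:00 2003 GMT"
SAMPLE_NOW = datetime(2003, 9, 19, 19, 45, 3, tzinfo=timezone.utc)
```

Running failed_verifications over the sample returns both the client and the server session, and days_until_expiry on the sample returns -1, the expired certificate the thread ended up finding.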
