[Pkg-openssl-devel] Bug#573748: Bug#573748: libssl0.9.8: unknown message digest algorithm error in postfix

Kurt Roeckx kurt at roeckx.be
Sat Mar 13 17:19:47 UTC 2010


On Sat, Mar 13, 2010 at 05:37:27PM +0100, Richard van den Berg wrote:
> Package: libssl0.9.8
> Version: 0.9.8m-2
> Severity: important
> 
> With this version I am no longer able to use my self signed signatures in
> postfix. The error that is reported in mail.log is:
> 
> Mar 13 15:42:59 majoron postfix/smtpd[14710]: SSL_accept error from xxx.cable.ziggo.nl[94.209.xxx.yyy]: -1
> Mar 13 15:42:59 majoron postfix/smtpd[14710]: warning: TLS library problem: 14710:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:
> 
> I can reproduce the error with
> 
> $ openssl s_client -connect vdberg.org:26 -CAfile /etc/ssl/certs/vdberg.org.ca.pem -starttls smtp
> CONNECTED(00000003)
> 5657:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> 
> This looks a lot like #541735 which was fixed in 0.9.8k-5
> 
> Reverting back to libssl0.9.8_0.9.8k-7_amd64.deb solved this issue for me.

It seems upstream changed it from:
                if (!xs->valid && xs != xi)

to:
                if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))

So that would mean something sets X509_V_FLAG_CHECK_SS_SIGNATURE?

The verify app can set that using -check_ss_sig, the x509 app always
seems to set that, but I really doubt that postfix sets that.

All the examples from #541735 work for me and return 0 for the
verify.

So I don't have a way to reproduce it.  Can you send
vdberg.org.ca.pem?


Kurt
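
Added example (not part of the message above and not OpenSSL source): a simplified C model of the two conditions quoted in the message, showing which certificates in a chain get their signature verified and why a self-signed CA's own signature is only examined when X509_V_FLAG_CHECK_SS_SIGNATURE is set. The struct, `walk_chain`, the `digest_known` field and the sample chain are hypothetical, the flag value is a stand-in, and the model assumes for illustration that the self-signed CA is signed with a digest the library does not recognise.

```c
#include <stdio.h>
#include <stddef.h>
/* Stand-in for OpenSSL's flag of the same name; value assumed for the model. */
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000UL

/* Hypothetical toy certificate: only what the quoted condition looks at. */
struct cert {
    const char *name;
    int valid;        /* mirrors xs->valid */
    int digest_known; /* 0 = signature digest unknown to the library (constructed) */
};

/* The two conditions quoted in the message, before and after the change. */
int old_rule(const struct cert *xs, const struct cert *xi, unsigned long flags)
{ (void)flags; return !xs->valid && xs != xi; }

int new_rule(const struct cert *xs, const struct cert *xi, unsigned long flags)
{ return !xs->valid && (xs != xi || (flags & X509_V_FLAG_CHECK_SS_SIGNATURE)); }

typedef int (*rule_fn)(const struct cert *, const struct cert *, unsigned long);

/* Walk chain[0..n-1] (leaf first, self-signed root last) from root to leaf.
 * Returns the index of the first certificate whose signature check hits an
 * unknown digest, or -1. *checked is a bitmask of signatures actually verified. */
int walk_chain(struct cert *chain, size_t n, unsigned long flags,
               rule_fn must_verify, unsigned *checked)
{
    *checked = 0;
    for (size_t i = n; i-- > 0; ) {
        struct cert *xs = &chain[i];
        struct cert *xi = (i + 1 < n) ? &chain[i + 1] : xs; /* root issues itself */
        if (must_verify(xs, xi, flags)) {
            *checked |= 1u << i;
            if (!xs->digest_known)
                return (int)i; /* models "unknown message digest algorithm" */
        }
        xs->valid = 1;
    }
    return -1;
}

int main(void)
{
    unsigned checked;
    struct cert chain[] = { {"leaf", 0, 1}, {"self-signed CA", 0, 0} }; /* constructed */
    int r = walk_chain(chain, 2, X509_V_FLAG_CHECK_SS_SIGNATURE, new_rule, &checked);
    printf("new rule + flag: failed at %d, checked mask 0x%x\n", r, checked);
    return 0;
}
```

In this model the old condition and the new condition without the flag both verify only the leaf's signature, so the CA's digest is never looked at; only the new condition with the flag set reaches the self-signed certificate's signature.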





