[Bug 253060] sendmail submit is unable to verify certificate

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 08 Jul 2021 12:51:11 UTC

--- Comment #3 from Michael Osipov <michael.osipov@siemens.com> ---
I have played around a bit what Leo has written.
The patch cannot be applied as such. If /etc/ssl/cert.pem does not exist
sendmail will say:
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client: file /etc/ssl/cert.pem unsafe: No such file or directory
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client, error: load verify locs /etc/ssl/certs, /etc/ssl/cert.pem failed: 0
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client, relay=mail2.siemens.de., version=TLSv1.2, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Even if /etc/ssl/certs will contain valid hashed links.

Now if you consider to prepend a dnl because you don't have such a file it will
fail also.
The only valid options I see are
* to leave confCACERT as-is and fix confCACERT_PATH only
* tell sendmail not to verify any paths and leave it to OpenSSL which will do
the right thing. With that you can drop confCACERT if it does not exist
* apply libfetch's approach and set default's if neither is set:

So this does work for me now:
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confCACERT_PATH', `/etc/ssl/certs')dnl
> Jul  8 14:51:27 deblndw013x3j sm-mta[90897]: STARTTLS=client, relay=mail3.siemens.de., version=TLSv1.2, verify=OK, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256

I prefer option 2 AND 3

You are receiving this mail because:
You are the assignee for the bug.