[Bug 253060] sendmail submit is unable to verify certificate

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 08 Jul 2021 12:51:11 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060

--- Comment #3 from Michael Osipov <michael.osipov_at_siemens.com> ---
I have played around a bit what Leo has written.
The patch cannot be applied as such. If /etc/ssl/cert.pem does not exist
sendmail will say:
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client: file /etc/ssl/cert.pem unsafe: No such file or directory
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client, error: load verify locs /etc/ssl/certs, /etc/ssl/cert.pem failed: 0
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client, relay=mail2.siemens.de., version=TLSv1.2, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Even if /etc/ssl/certs will contain valid hashed links.

Now if you consider to prepend a dnl because you don't have such a file it will
fail also.
The only valid options I see are
* to leave confCACERT as-is and fix confCACERT_PATH only
* tell sendmail not to verify any paths and leave it to OpenSSL which will do
the right thing. With that you can drop confCACERT if it does not exist
* apply libfetch's approach and set default's if neither is set:
https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a51307f9f2e/lib/libfetch/common.c#L1105-L1109

So this does work for me now:
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confCACERT_PATH', `/etc/ssl/certs')dnl
output:
> Jul  8 14:51:27 deblndw013x3j sm-mta[90897]: STARTTLS=client, relay=mail3.siemens.de., version=TLSv1.2, verify=OK, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256

I prefer option 2 AND 3

-- 
You are receiving this mail because:
You are the assignee for the bug.
Received on Thu Jul 08 2021 - 12:51:11 UTC

Original text of this message