From nobody Thu Jul 08 12:51:11 2021 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ED138D49E2 for ; Thu, 8 Jul 2021 12:51:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GLGPW1bX4z4vsT for ; Thu, 8 Jul 2021 12:51:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1FEAA2138D for ; Thu, 8 Jul 2021 12:51:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 168CpBjW046155 for ; Thu, 8 Jul 2021 12:51:11 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 168CpBvN046154 for bugs@FreeBSD.org; Thu, 8 Jul 2021 12:51:11 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 253060] sendmail submit is unable to verify certificate Date: Thu, 08 Jul 2021 12:51:11 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: conf X-Bugzilla-Version: 12.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: michael.osipov@siemens.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D253060 --- Comment #3 from Michael Osipov --- I have played around a bit what Leo has written. The patch cannot be applied as such. If /etc/ssl/cert.pem does not exist sendmail will say: > Jul 8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=3Dclient: file /etc= /ssl/cert.pem unsafe: No such file or directory > Jul 8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=3Dclient, error: lo= ad verify locs /etc/ssl/certs, /etc/ssl/cert.pem failed: 0 > Jul 8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=3Dclient, relay=3Dm= ail2.siemens.de., version=3DTLSv1.2, verify=3DFAIL, cipher=3DDHE-RSA-AES256= -GCM-SHA384, bits=3D256/256 Even if /etc/ssl/certs will contain valid hashed links. Now if you consider to prepend a dnl because you don't have such a file it = will fail also. The only valid options I see are * to leave confCACERT as-is and fix confCACERT_PATH only * tell sendmail not to verify any paths and leave it to OpenSSL which will = do the right thing. With that you can drop confCACERT if it does not exist * apply libfetch's approach and set default's if neither is set: https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a5= 1307f9f2e/lib/libfetch/common.c#L1105-L1109 So this does work for me now: > define(`confCACERT', `CERT_DIR/cacert.pem')dnl > define(`confCACERT_PATH', `/etc/ssl/certs')dnl output: > Jul 8 14:51:27 deblndw013x3j sm-mta[90897]: STARTTLS=3Dclient, relay=3Dm= ail3.siemens.de., version=3DTLSv1.2, verify=3DOK, cipher=3DDHE-RSA-AES256-G= CM-SHA384, bits=3D256/256 I prefer option 2 AND 3 --=20 You are receiving this mail because: You are the assignee for the bug.=