Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 08 Jul 2021 12:51:11 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 253060] sendmail submit is unable to verify certificate
Message-ID:  <bug-253060-227-lwtFySJPeW@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-253060-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-253060-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D253060

--- Comment #3 from Michael Osipov <michael.osipov@siemens.com> ---
I have played around a bit what Leo has written.
The patch cannot be applied as such. If /etc/ssl/cert.pem does not exist
sendmail will say:
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=3Dclient: file /etc=
/ssl/cert.pem unsafe: No such file or directory
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=3Dclient, error: lo=
ad verify locs /etc/ssl/certs, /etc/ssl/cert.pem failed: 0
> Jul  8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=3Dclient, relay=3Dm=
ail2.siemens.de., version=3DTLSv1.2, verify=3DFAIL, cipher=3DDHE-RSA-AES256=
-GCM-SHA384, bits=3D256/256
Even if /etc/ssl/certs will contain valid hashed links.

Now if you consider to prepend a dnl because you don't have such a file it =
will
fail also.
The only valid options I see are
* to leave confCACERT as-is and fix confCACERT_PATH only
* tell sendmail not to verify any paths and leave it to OpenSSL which will =
do
the right thing. With that you can drop confCACERT if it does not exist
* apply libfetch's approach and set default's if neither is set:
https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a5=
1307f9f2e/lib/libfetch/common.c#L1105-L1109

So this does work for me now:
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confCACERT_PATH', `/etc/ssl/certs')dnl
output:
> Jul  8 14:51:27 deblndw013x3j sm-mta[90897]: STARTTLS=3Dclient, relay=3Dm=
ail3.siemens.de., version=3DTLSv1.2, verify=3DOK, cipher=3DDHE-RSA-AES256-G=
CM-SHA384, bits=3D256/256

I prefer option 2 AND 3

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-253060-227-lwtFySJPeW>