LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-29-2003, 12:21 PM   #16
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30

What error are you getting now????

Did you try re-compiling Sendmail with SSL support????
 
Old 07-29-2003, 12:26 PM   #17
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Quote:
Originally posted by markstevens
working on doing it all one more time from scratch....

but when I do:

openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

while in /etc/mail/certs/CA and etc/mail/certs/CA/private/cakey.pem does exist

I get:
Error opening CA private key ./CA/private/cakey.pem

In the openssl.cnf file it lists the directory for everything as ./CA

What does the ./ do?

Anyway... I think if I can get past this glitch I can get this to work...
 
Old 07-29-2003, 12:30 PM   #18
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Fine but have you tried getting a source code version of Sendmail (not SSL) and tried compiling it yourself with SSL support?????
 
Old 07-29-2003, 01:00 PM   #19
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
nope...

Still trying to get the certificate 100% right and am stuck there now...

additionally... I have never compiled anything myself... I have always used the Red Hat RPM utilities...
 
Old 07-29-2003, 02:51 PM   #20
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
I don't think there's anything wrong with the certificate. The problem lies with the fact that Sendmail hasn't been compiled with SSL support. So to fix it you need to: -

a) get a copy of Sendmail in RPM format that has compiled in support for SSL

b) Get a source code copy of Sendmail and configure and make it to support SSL. It's very simple: -

1. Tar zxvf Sendmail.TGZ
2. cd ./Sendmailsourcedirectory
3. ./configure --help (the help switch will assist you in identifying the switch needed to compile SSL support)
4. ./configure --WithSSL (or however it's shown in help in step 3)
5. make
6. make install

Now all you got to do is start the Sendmail server (may have to explicitly do this with SSL support via a switch)
 
Old 07-29-2003, 04:21 PM   #21
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
I have seen several articles on making changes to your site.config.m4 files and then using the make program to recompile. I am having trouble finding that... the big problem is that I have a downtime window of about 1 minute so I have to be able to get the old set up back instantly... which leaves me leery about walking down an unknown path. I am going to keep at it in my sort of slow sadistic way and will keep you updated on new changes.

As of now I do not get SSL not supported. I now get Error Reading From Network. Connection closed at host.
 
Old 07-29-2003, 04:28 PM   #22
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Have you got a spare machine or something that you could test on???

If so try it out on that then if you know it works you've found your problem and can add ssl support to the system when down time won't be so problematic.

good luck any way, let me know how it goes

Dai
 
Old 07-30-2003, 10:38 AM   #23
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
ok... all the directions say to telnet to port 25 and say ehlo... well we do not allow telnet... actually I don't think it was installed. we use ssh... and I have not been able to ssh to port 25.

I ran a netstat -l and got

tcp 0 0 *op3s :*: LISTEN

I didn't find anything about smtps if that matters?

so I should be good on the TLS right? Anything else I can try to see what options sendmail has available other than telnet to port 25?

No back up server right now and the word from the boss is... no joy on the rebuild..
 
Old 07-30-2003, 12:52 PM   #24
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
well this is great... I have it almost working.

Now it is telling me that the hostname does not match. But when I look at the details about it, it tells me some host and some domain

It doesn't have any of the details of that actual certificate.

This is all so very confusing.

Ok some more details

This is what I get when trying to send...

Negotiation Rejected

You have configured this personality/protocol to reject any exchange key lengths below 0.
, But the negotiated exchange key length is -1
Hence this established secure channel is unacceptable. Connection will be dropped.

In the Security parameters in Cipher Suite Information it has null for the key exchange algorithm, encryption algorithm and Integrity check algorithm.


When I try to check mail I get...
Negotiation Failed
The security Parameters all look ok

The message is...
Certificate bad: Destination Host name does not match host name in certificate

Server Certificate : Verified OK

I currently have the host in the certificate set to
host.domain.com and my certificate information manager in Eudora says the server name is mail.domain.com so I am going to generate a new set of certificates with the host as mail.domain.com

Anything else????


Last edited by markstevens; 07-30-2003 at 01:41 PM.
 
Old 07-30-2003, 01:35 PM   #25
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
when you setup the certificate you needed to specify the domain-name as the CN.
 
Old 07-30-2003, 02:33 PM   #26
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
OK... so you are saying that for the CN I should have mydomain.com?

I guess I can give that a try but that still doesn't explain why when I look at the certificate details it says:

E = root@localhost.localdomain
CN = localhost.localdomain
OU = SomeOrganizationalUnit
O = SomeOrganization
L = SomeCity
S = SomeState
C = --

Instead of the information I can view in the certificate...

I am finding this extremely frustrating. I have been at this for nearly a week. No wonder why so many people give up and go to Microsux products... nevertheless I will keep going until I figure out how to make this work...
 
Old 07-30-2003, 02:37 PM   #27
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Everything in the certificate appears as set-up.

Or defaults to a pre-defined value unless you put a . in the field which forces it to be blank.

the CN must read www.yourdomain.com
 
Old 07-30-2003, 03:36 PM   #28
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
well let's see.

I have tried the following for the CN

www.mydomain.com
mydomain.com
computername.mydomain.com
computername
mail.mydomain.com

where mydomain = the real domain name and computername = the actual host name of the computer.

I am still getting SSL Negotiation Failed: Certificate bad: Destination Host name does not match host name in Certificat Cause: (-6984)

My big question here is .... which Certificate is it talking about? The server certificate or the CA?

How can I find out what it wants the host name to be? as in what does it think the destination host name is? I have my Eudora set to check mail from mail.mydomain.com

Well I think I am just about to scrap this whole idea and just set up outlook with exchange.

Everyone is always talking about making the internet more secure... yet you have to have a PhD in computer wizardry in order to get something as simple as STARTTLS to work... Unreal... no wonder why the world is so insecure...

(Sorry had to vent my frustrations somewhere.)

Last edited by markstevens; 07-30-2003 at 03:37 PM.
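A way to answer the two questions raised above (post #23: how to see what the server offers without telnet; post #28: which host name the certificate needs to carry). This is an added example, not code from the thread or from Sendmail; it uses only Python's smtplib and ssl modules, assumes the server accepts STARTTLS on port 25 and that the path to your own CA certificate (the cacert.pem made earlier in the thread) is passed as cafile, and the two certificate dicts are constructed samples. The client compares the destination host against the names in the server certificate (not the CA certificate), which is what the functions below make visible.

```python
import smtplib
import ssl

# Constructed samples, not real certificates: the first mirrors the default
# subject shown in post #26, the second a certificate issued for the mail host.
DEFAULT_SUBJECT_CERT = {
    "subject": ((("emailAddress", "root@localhost.localdomain"),),
                (("commonName", "localhost.localdomain"),)),
}
MAIL_HOST_CERT = {
    "subject": ((("commonName", "host.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"), ("DNS", "*.mydomain.com")),
}

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries first, then the
    subject CN (the only field a 2003-era client compared with the host)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names

def name_matches(pattern, host):
    """Case-insensitive comparison; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host

def explain_mismatch(cert, expected_host):
    """Return (ok, names): ok is True when expected_host matches a name the
    server certificate carries; names shows what it actually carries."""
    names = cert_names(cert)
    return any(name_matches(n, expected_host) for n in names), names

def probe_starttls(host, cafile, port=25, timeout=10):
    """Live check without telnet: EHLO, confirm STARTTLS is advertised,
    upgrade the session and return the server certificate as a dict. The
    chain is verified against cafile (your own cacert.pem); the host name
    check is left to explain_mismatch so a mismatch can be explained."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()
```

Running `explain_mismatch(probe_starttls("mail.mydomain.com", "cacert.pem"), "mail.mydomain.com")` against the real server prints both whether the name the mail client dials matches and the list of names the certificate actually contains.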
 
Old 07-30-2003, 03:59 PM   #29
cyberskye
Member
 
Registered: Feb 2003
Location: The City by the Bay
Posts: 116

Rep: Reputation: 15
Quote:
define(`confCACERT_PATH',`/usr/share/ssl/mycert')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/mycert/mycert.cert')
define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')
define(`confCLIENT_CERT',`/usr/share/ssl/mycert/mycert.cert')
define(`confCLIENT_KEY',`/usr/share/ssl/mycert/mycert.key')
Silly question, but you actually have a space between the variable and location, correct? Example - above, shouldn't

define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')

Also: shouldn't

define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')


be

define(`confSERVER_KEY', `/usr/share/ssl/mycert/mycert.key')

(that's an extra space after the comma)


Also found this -
"On systems which do not have the compile flag HASURANDOM set (see sendmail/README) you also must set confRAND_FILE"
 
Old 07-30-2003, 04:13 PM   #30
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Yes I have the extra spaces. Actually those lines were already in my sendmail.mc file. All I had to do was mod them and uncomment them.

I do not see the confRAND_FILE in my sendmail.mc file nor do I see HASURANDOM so how can I tell if sendmail was compiled with HASURANDOM support?

By the way... yeah I have been scanning through the sendmail/readme file all day... actually printed it...
 