nanog mailing list archives

smtp.comcast.net self-signed certs
From: Jeff Mitchell <jeff () emailgoeshere com>
Date: Fri, 16 Jan 2009 00:09:11 -0500

I've been seeing some odd behavior today with some of the servers that respond to smtp.comcast.net on port 587. Some, but not all, of the servers are presenting self-signed certs, causing my own server to balk at making a connection. (The Organization is RTFM, Inc. -- it'd be funny if mail wasn't queueing up on my end). Sometimes I get a server with a legit cert, so I can slowly drain my queue by flushing it over and over and over...

openssl s_client output below. I can send a libpcap trace on request.

--Jeff

┌─(root () bookcase)(04:48:06)
└─(~)-> openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect smtp.comcast.net:587
CONNECTED(00000003)
depth=1 /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
   i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
 1 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
   i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body not preserved in the archive]
-----END CERTIFICATE-----
subject=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
issuer=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
No client certificate CA names sent
---
SSL handshake has read 1965 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8B976D67A76BBFEF5E46CA9D079C1C1208D037B8F5825049C45B57C05786A891
Session-ID-ctx:
Master-Key: 4DC43D803056BF32082F3E35B2818539E33B7321455AD625D3AD124BAD719C12C5903C9F1889EAB7A5F313B9A54D74A6
Key-Arg : None
Start Time: 1232081287
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 OK
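Added example, not part of Jeff's post or of anything Comcast ships: a small Python triage script for exactly this situation. `parse_s_client()` reads `openssl s_client -starttls smtp` output like the capture above (the embedded `SAMPLE_BAD` is a constructed copy of it, trimmed) and reports the verify return code, the top of the chain, and whether the leaf CN even matches the name you connected to; note that s_client of that era did no hostname check at all, so `CN=localhost` would have failed a modern client even if `Test CA20010517` had been trusted. `check_starttls()` probes one backend by IP address, speaking EHLO/STARTTLS by hand and then letting Python's `ssl` module verify chain and hostname against the expected name. The `__main__` block resolves every address behind the name and probes each one, because a round-robin name is what hid the bad backend here. The client name `probe.invalid` is a placeholder assumption.

```python
"""Triage STARTTLS certificate problems behind a round-robin SMTP name.

parse_s_client(): turn `openssl s_client -starttls smtp` output into a verdict.
check_starttls(): probe one backend IP and verify chain + hostname with ssl.
"""
import re
import socket
import ssl

CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_LINE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)\s*$")
DN_FIELD = re.compile(r"/([A-Za-z]+)=([^/]*)")

# Constructed sample, modelled on the s_client output quoted in the post (trimmed).
SAMPLE_BAD = """\
Certificate chain
 0 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost
   i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
 1 s:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
   i:/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
---
Verify return code: 19 (self signed certificate in certificate chain)
---
250 OK
"""


def parse_dn(dn):
    """'/C=US/O=RTFM, Inc./CN=localhost' -> {'C': 'US', 'O': 'RTFM, Inc.', 'CN': 'localhost'}."""
    return dict(DN_FIELD.findall(dn))


def cn_matches(cn, host):
    """Exact match, or a single-label wildcard (*.example.net matches smtp.example.net only)."""
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    return cn.startswith("*.") and host.count(".") == cn.count(".") and host.endswith(cn[1:])


def parse_s_client(output, expected_host):
    """Extract the presented chain and verify result; list what a real client would reject."""
    chain, code, text = [], None, "no 'Verify return code' line found"
    lines, i = output.splitlines(), 0
    while i < len(lines):
        m = CHAIN_LINE.match(lines[i])
        mi = ISSUER_LINE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if m and mi:  # an "N s:<subject>" line followed by its "i:<issuer>" line
            chain.append({"subject": m.group(2).strip(), "issuer": mi.group(1).strip()})
            i += 2
            continue
        mv = VERIFY_LINE.match(lines[i])
        if mv:
            code, text = int(mv.group(1)), mv.group(2)
        i += 1
    problems = []
    if code != 0:  # 19 = untrusted self-signed cert at the top of the chain, 18 = self-signed leaf
        top = chain[-1]["subject"] if chain else "?"
        problems.append(f"chain verification failed: {code} ({text}); chain top is {top}")
    if chain:  # s_client did no hostname check; a CN of 'localhost' fails it regardless of the chain
        cn = parse_dn(chain[0]["subject"]).get("CN", "")
        if not cn_matches(cn, expected_host):
            problems.append(f"leaf CN {cn!r} does not match {expected_host!r}")
    return {"chain": chain, "verify_code": code, "problems": problems}


def _read_reply(rfile):
    """Read one SMTP reply; '250-' lines are continuations, '250 ' ends it."""
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed mid-reply")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def check_starttls(ip, server_name, port=587, timeout=10):
    """Probe one backend by IP; returns (True, peer cert) or (False, reason)."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        if _read_reply(rfile)[0] != "220":
            return False, "unexpected banner"
        sock.sendall(b"EHLO probe.invalid\r\n")  # probe.invalid: placeholder client name (assumption)
        code, caps = _read_reply(rfile)
        if code != "250" or not any("STARTTLS" in c.upper() for c in caps):
            return False, "STARTTLS not offered"
        sock.sendall(b"STARTTLS\r\n")
        if _read_reply(rfile)[0] != "220":
            return False, "STARTTLS refused"
        try:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                cert = tls.getpeercert()  # only reachable once chain and hostname verified
                tls.sendall(b"QUIT\r\n")
                return True, cert
        except ssl.SSLCertVerificationError as exc:
            return False, exc.verify_message


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "smtp.comcast.net"
    # A round-robin name hides which backend is bad: probe every address, not the name.
    for ip in sorted({ai[4][0] for ai in socket.getaddrinfo(name, 587, type=socket.SOCK_STREAM)}):
        ok, detail = check_starttls(ip, name)
        print(ip, "OK" if ok else f"FAIL: {detail}")
```

Run it with the submission hostname as the argument; a backend that presents the RTFM test chain shows up as `FAIL: self signed certificate in certificate chain` (or a hostname mismatch if the chain happens to be trusted locally), while the correctly configured backends report `OK`. Because each address is probed directly, you see which members of the pool are broken instead of flushing the queue repeatedly and hoping for a good one.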

