Bug 1004998 - SSL not working
Summary: SSL not working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ssmtp
Version: 19
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: manuel wolfshant
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-06 01:49 UTC by Eric Christensen
Modified: 2015-08-26 19:08 UTC (History)
14 users (show)

Fixed In Version: ssmtp-2.64-10.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 04:37:47 UTC


Attachments (Terms of Use)
ssmtp configuration file (1.38 KB, text/plain)
2013-09-06 15:42 UTC, Eric Christensen
no flags Details
strace log of ssmtp (22.13 KB, text/x-log)
2013-09-06 15:42 UTC, Eric Christensen
no flags Details

Description Eric Christensen 2013-09-06 01:49:58 UTC
Description of problem: When I try to connect to my SMTP server to transmit messages I get a cannot connect error.

Version-Release number of selected component (if applicable): 2.64-9.fc19


How reproducible: Always


Steps to Reproduce:
1. Send message
2. Watch for error
3. Fail

Actual results: System fails to connect to SMTP server.


Expected results: System connects and transmits messages.


Additional info:
It appears that SSMTP isn't able to verify the certificate.  Here is information from /var/log/maillog:

sSMTP[26902]: Set AuthUser="USERNAME"
sSMTP[26902]: Set AuthPass="PASSWORD"
sSMTP[26902]: Creating SSL connection to host
sSMTP[26902]: SSL not working: certificate verify failed (20)
sSMTP[26902]: Cannot open box389.bluehost.com:465

and

sSMTP[27323]: Set AuthUser="USERNAME"
sSMTP[27323]: Set AuthPass="PASSWORD"
sSMTP[27323]: Creating SSL connection to host
sSMTP[27323]: SSL not working: unknown protocol (0)
sSMTP[27323]: Cannot open box389.bluehost.com:25

I did not have this problem under Fedora 18.  In Fedora 19 I'm seeing this problem (after upgrade and with a fresh install).

Comment 1 Stef Walter 2013-09-06 14:31:11 UTC
Are there SeLinux failures? Does switching off selinux solve the problem?

Are you able to provide complete instructions for reproducing the issue? Or are you able provide access (perhaps by emailing me with credentials) to a system where this issue is present.

Comment 2 Eric Christensen 2013-09-06 14:41:16 UTC
I'm not getting any SELinux failures and disabling SELinux does *not* fix the problem.

I can set you up an account and let you experiment.

Comment 3 Eric Christensen 2013-09-06 15:42:16 UTC
Created attachment 794826 [details]
ssmtp configuration file

Comment 4 Eric Christensen 2013-09-06 15:42:50 UTC
Created attachment 794827 [details]
strace log of ssmtp

Comment 5 Kai Engert (:kaie) (inactive account) 2013-09-06 16:55:32 UTC
ssmtp doesn't load the system's default set of trusted CAs automatically.

It was necessary to add 
  TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
to the ssmtp.conf file.

tmraz, do you know if openssl had loaded the CA bundle automatically on F18?
If yes, this is a regression, and ssmtp should be changed to load that bundle automatically, if no TLS_CA_* option is given.

Comment 6 Tomas Mraz 2013-09-06 17:04:05 UTC
It does not load CAs automatically unless you call the appropriate function from the OpenSSL API to load the default CA bundle.

Comment 7 Till Maas 2013-09-06 20:34:04 UTC
(In reply to Kai Engert (:kaie) from comment #5)

> tmraz, do you know if openssl had loaded the CA bundle automatically on F18?
> If yes, this is a regression, and ssmtp should be changed to load that
> bundle automatically, if no TLS_CA_* option is given.

ssmtp did not verify the certificate at all until recently (except if a client certifcate is used). But it still does not verify the hostname of certificates, see bug 864894.

Comment 8 manuel wolfshant 2013-09-07 12:12:58 UTC
Eric, can you confirm that adding
   TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt 
to the config file solves your problem ?

I could add that to the default config, if it gets confirmed as being a proper workaround

Comment 9 Eric Christensen 2013-09-09 13:22:35 UTC
(In reply to manuel wolfshant from comment #8)
> Eric, can you confirm that adding
>    TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt 
> to the config file solves your problem ?
> 
> I could add that to the default config, if it gets confirmed as being a
> proper workaround

Yes, this fixes the problem.  I'll need to do some additional tests on postfix as I was also seeing the problem there.

Comment 10 Chris Bennett 2013-09-22 16:21:08 UTC
I can confirm that adding:
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
to my ssmtp.conf resolves the error:
SSL not working: certificate verify failed (20)

Comment 11 Fedora Update System 2013-09-27 08:43:06 UTC
ssmtp-2.64-10.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ssmtp-2.64-10.fc19

Comment 12 Fedora Update System 2013-09-27 08:43:19 UTC
ssmtp-2.64-10.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ssmtp-2.64-10.fc18

Comment 13 Fedora Update System 2013-09-27 08:43:29 UTC
ssmtp-2.64-10.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ssmtp-2.64-10.fc20

Comment 14 Fedora Update System 2013-09-28 00:17:08 UTC
Package ssmtp-2.64-10.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ssmtp-2.64-10.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17802/ssmtp-2.64-10.fc18
then log in and leave karma (feedback).

Comment 15 Kostya Vasilyev 2013-11-19 09:41:55 UTC
Same issue in Fedora 20 beta, ssmtp-2.64-10.fc20.x86_64:

Sending mail works fine if not using SSL/TLS, fails when enabled:

Console:

[<-] 220 smtp50.i.mail.ru ESMTP ready
[->] EHLO roxy
[<-] 250 STARTTLS
[->] STARTTLS
[<-] 220 2.0.0 Start TLS
ssmtp: Cannot open smtp.mail.ru:587

/var/log/maillog

Nov 19 13:38:52 fiona sSMTP[4725]: Creating SSL connection to host
Nov 19 13:38:52 fiona sSMTP[4725]: SSL not working: certificate verify failed (20)
Nov 19 13:38:52 fiona sSMTP[4725]: Cannot open smtp.mail.ru:587

Adding TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt to /etc/ssmtp/ssmtp.conf fixes the issue, making SSL /TLS work again, but shouldn't this work "out of the box"?

Comment 16 manuel wolfshant 2013-11-19 10:15:58 UTC
(In reply to Kostya Vasilyev from comment #15)
> Same issue in Fedora 20 beta, ssmtp-2.64-10.fc20.x86_64:
> 
> Sending mail works fine if not using SSL/TLS, fails when enabled:
> 
> Console:
[...]
> Adding TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt to /etc/ssmtp/ssmtp.conf
> fixes the issue, making SSL /TLS work again, but shouldn't this work "out of
> the box"?



The current config file includes the following fragment:

#UseTLS=YES
#IMPORTANT: Uncomment the following line if you use TLS authentication
#TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt


Do you suggest to uncomment those by default ?

Comment 17 Kostya Vasilyev 2013-11-19 19:22:17 UTC
Thank you Manuel for pointing out the obvious, I must copied my ssmtp config files from Ubuntu (where it worked with TLS/SSL without that line)...

Any reason not to load the root certificates by default, even without this setting? Does the upstream not load, unless the explicit option is given?

If that's the case, maybe the best thing to do is treat my comment as "user error".

Comment 18 manuel wolfshant 2013-11-19 20:01:30 UTC
I have just done a quick check and the debian version of the config file is much simpler than the one installed by our package:
---------- start debian version ---------
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=mail

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
hostname=$ACTUALHOSTNAME

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES
----------- end debian version -----------

I guess we could load the certificates by default but I am a bit reluctant because I do not know the code so well. Not to mention that activating SSL MUST be made by modifying the config file ( i.e. removing the "#" in front of UseTLS) so I'd say it's not a real effort to do the same edit again two lines below.

Comment 19 Fedora Update System 2013-11-21 04:37:47 UTC
ssmtp-2.64-10.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2014-01-10 07:41:41 UTC
ssmtp-2.64-10.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2014-01-10 07:46:53 UTC
ssmtp-2.64-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Thomas Schweikle 2014-06-02 11:50:06 UTC
With the latest version of ssmtp it is not possible any more to use ssl/tls, but without verifying the certificate -- this breaks various systems using self signed certs for encryption.

Comment 23 Till Maas 2014-06-02 13:52:22 UTC
(In reply to Thomas Schweikle from comment #22)
> With the latest version of ssmtp it is not possible any more to use ssl/tls,
> but without verifying the certificate -- this breaks various systems using
> self signed certs for encryption.

You can download the self signed certs and specify them with the TLS_CA_File directive. Self-signed does not mean you cannot verify.

Comment 24 Marcin Juszkiewicz 2014-08-16 23:33:19 UTC
I gave up.

config:

root=postmaster
mailhub=mail.juszkiewicz.com.pl
AuthUser=proper-existing-user
AuthPass=proper-password
UseSTARTTLS=yes
UseTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
TLSCert=/etc/ssl/private/ssl-mail.key
Debug=YES

where /etc/ssl/private/ssl-mail.key is the same key as postfix is using on mail.juszkiewicz.com.pl

'echo "test" | ssmtp existing-user@juszkiewicz.com.pl -v -d9' ends with:

sie 17 01:24:59 puchatek sSMTP[9726]: Set Root="postmaster"
sie 17 01:24:59 puchatek sSMTP[9726]: Set MailHub="mail.juszkiewicz.com.pl"
sie 17 01:24:59 puchatek sSMTP[9726]: Set RemotePort="25"
sie 17 01:24:59 puchatek sSMTP[9726]: Set AuthUser="test"
sie 17 01:24:59 puchatek sSMTP[9726]: Set AuthPass="jakieshaslo"
sie 17 01:24:59 puchatek sSMTP[9726]: Set UseSTARTTLS="True"
sie 17 01:24:59 puchatek sSMTP[9726]: Set UseTLS="True"
sie 17 01:24:59 puchatek sSMTP[9726]: Set TLS_CA_File="/etc/pki/tls/certs/ca-bundle.crt"
sie 17 01:24:59 puchatek sSMTP[9726]: Set TLSCert="/etc/ssl/private/ssl-mail.key"
sie 17 01:25:00 puchatek sSMTP[9726]: Creating SSL connection to host
sie 17 01:25:00 puchatek sSMTP[9726]: 220 malenstwo.juszkiewicz.com.pl ESMTP Postfix (Ubuntu)
sie 17 01:25:00 puchatek sSMTP[9726]: EHLO puchatek
sie 17 01:25:00 puchatek sSMTP[9726]: 250 DSN
sie 17 01:25:00 puchatek sSMTP[9726]: STARTTLS
sie 17 01:25:00 puchatek sSMTP[9726]: 220 2.0.0 Ready to start TLS
sie 17 01:25:00 puchatek sSMTP[9726]: SSL not working: certificate verify failed (18)
sie 17 01:25:00 puchatek sSMTP[9726]: Cannot open mail.juszkiewicz.com.pl:25

01:32 root@puchatek:private# ll -Z
razem 12
-rw-rw-r--. 1 root root system_u:object_r:cert_t:s0 1704 08-17 01:07 malenstwo-mail.pem
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0  887 08-17 01:10 ssl-mail.key
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0  652 08-17 01:17 ssl-mail.pem

what is wrong then?

Comment 25 Vladimir Atanackovic 2015-08-26 10:11:24 UTC
@Marcin: try adding the certificate in /usr/share/pki/ca-trust-source/anchors/ followed by "update-ca-trust", that should solve it.


Note You need to log in before you can comment on or make changes to this bug.