MavEtJu's Distorted View of the World - SSL

Server SSL vs Client SSL

Posted on 2004-05-02 00:03:20, modified on 2006-01-09 16:29:22
Tags: Networking, SSL

We at BarNet purchased a wildcard certificate from FreeSSL to secure our web transactions, to authenticate our IMAP and POP servers and to support TLS for the SMTP sessions.

TLS (Transport Layer Security) for SMTP consists of two parts

The server side for receiving email, where the identity of your server can be verified:
Verified: subject_CN=*.barnet.com.au, issuer=ChainedSSL CA
A client side for sending of email, where your server identifies itself at the other MTA:
Verified: subject_CN=edwin.adsl.barnet.com.au, issuer=BarNet Root Certificate Authority

The above example works because the certificate my MTA presents is an internal client certificate. But the official certificate which we purchased is only valid for server usage, not for client usage.

   Issuer: C=US, O=FreeSSL, CN=ChainedSSL CA
    Subject: C=AU, O=*.barnet.com.au,
        OU=https://services.choicepoint.net/get.jsp?430367485,
        OU=See www.freessl.com/cps (c)04,
        OU=Domain Control Validated,
        CN=*.barnet.com.au
    X509v3 extensions:
       Netscape Cert Type: 
            SSL Server

Note there that it only says "SSL Server" and not "SSL Client".

With the result that we see this in our logfiles:

May  1 00:01:03 mag postfix-dbmail/smtpd[54595]: verify error:num=26:unsupported certificate purpose
May  1 00:01:03 mag postfix-dbmail/smtpd[54595]: Unverified: subject_CN=*.barnet.com.au, issuer=ChainedSSL CA

Oh well, this just means that we for outgoing sessions are using our self-signed certficates again. Moral of the story: make sure you know what you get.

No comments | Share on Facebook | Share on Twitter