TLS SMTP notification messages fail with expired certificate
I am using pfSense 2.3.3 development snapshot 2017-01-08.
When configuring SMTP notifications using STARTTLS over tcp port 587, test messages fail with "Error: could not start TLS connection encryption protocol".
A quick trace of the connection (details below) shows the connection proceeds normally through TLS negotiation, but fails during certificate validation with pfSense returning a "Certificate Expired" error to the server. The certificate is indeed expired.
I've tried toggling the seemingly related checkbox "Verify HTTPS certificates when downloading alias URLs" under System / Advanced / Firewall & NAT, but that had no effect.
Bug #5604 makes reference to additional checks in the snapshot for TLS. It would be nice if the additional checks were accompanied by a checkbox to disable them.
Also, the target server supports TLSv1.2, but the connection is negotiated using the less secure TLSv1.0. This might need a separate bug report however.
Frame 19: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy
Internet Protocol Version 4, Src: xx.xx.xx.xx, Dst: yy.yy.yy.yy
Transmission Control Protocol, Src Port: 55822, Dst Port: 587, Seq: 229, Ack: 4199, Len: 7
Secure Sockets Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Expired)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Certificate Expired (45)
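The following is an added example, not code from the bug report or from pfSense. It does two things a practitioner would want when reproducing this report: it decodes the 7 TLS bytes of frame 19 above (and a ServerHello, to read which protocol version the server actually chose), and it performs the same STARTTLS exchange on port 587 by hand with certificate verification and a TLS 1.2 floor enforced, so the "certificate has expired" verification failure and the negotiated version can be confirmed independently of pfSense. The ServerHello bytes, the function names and the host/port arguments are assumptions made for this example.

```python
"""Added example (not part of the original bug report): decode the TLS
records from the trace and run the STARTTLS check by hand."""
import smtplib
import ssl
import struct
import time

# TLS record content types, alert codes and version numbers (RFC 5246, section 7.2)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}


def parse_record(data):
    """Split one TLS record into (content_type, (major, minor), payload)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, (major, minor), payload


def decode_alert(data):
    """Decode an Alert record such as the one pfSense sent in frame 19."""
    ctype, version, payload = parse_record(data)
    if ctype != 21 or len(payload) != 2:
        raise ValueError("not an alert record")
    level, desc = payload
    return {
        "record_version": VERSIONS.get(version, str(version)),
        "level": ALERT_LEVELS.get(level, str(level)),
        "description": ALERT_DESCRIPTIONS.get(desc, str(desc)),
    }


def negotiated_version(data):
    """Read server_version from a ServerHello handshake message.
    For TLS 1.0-1.2 this field is the negotiated version; TLS 1.3 instead
    carries it in the supported_versions extension, not handled here."""
    ctype, _, payload = parse_record(data)
    if ctype != 22 or payload[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    return VERSIONS.get((body[0], body[1]), "unknown (%d,%d)" % (body[0], body[1]))


# The 7 TLS bytes of frame 19 from the trace (transcribed, not captured here):
# type 0x15 alert, version 0x0301, length 2, level 2 fatal, description 45
FRAME19_TLS = bytes.fromhex("15 03 01 00 02 02 2d")


def build_server_hello(version=(3, 1)):
    """Constructed ServerHello record (all-zero random, TLS_RSA_WITH_AES_128_CBC_SHA)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


def check_submission_server(host, port=587, min_version=ssl.TLSVersion.TLSv1_2):
    """Open a STARTTLS session with full verification and a TLS 1.2 floor.
    Returns the negotiated protocol and the peer certificate's notAfter on
    success, or the verification / handshake error otherwise (hypothetical
    helper; opens a real network connection)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system CA store
    ctx.minimum_version = min_version    # fail rather than fall back to TLSv1.0
    try:
        with smtplib.SMTP(host, port, timeout=15) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)   # raises SSLCertVerificationError on an expired cert
            cert = smtp.sock.getpeercert()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            return {"ok": True, "protocol": smtp.sock.version(),
                    "not_after": cert["notAfter"],
                    "days_left": (not_after - time.time()) / 86400}
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "error": getattr(exc, "verify_message", str(exc))}


if __name__ == "__main__":
    import sys
    print(decode_alert(FRAME19_TLS))
    print(negotiated_version(build_server_hello()))
    if len(sys.argv) > 1:
        print(check_submission_server(sys.argv[1]))
```

Run it with the mail server's hostname as the only argument. With the default context the expired certificate yields an error of "certificate has expired" before any mail is sent, which matches the fatal alert in frame 19; if the server really does offer TLSv1.2, the TLS 1.2 floor will not prevent the handshake, and the returned protocol shows what the server picks when the client does not offer anything older.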