Bug #7106

TLS SMTP notification messages fail with expired certificate

Added by John Silva over 2 years ago. Updated about 1 month ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Notifications
Target version: -
Start date: 01/09/2017
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3
Affected Architecture:
Description

I am using pfSense 2.3.3 development snapshot 2017-01-08.

When configuring SMTP notifications using STARTTLS over TCP port 587, test messages fail with "Error: could not start TLS connection encryption protocol".

A quick trace of the connection (details below) shows the connection proceeds normally through TLS negotiation, but fails during certificate validation with pfSense returning a "Certificate Expired" error to the server. The certificate is indeed expired.

I've tried toggling the seemingly related checkbox "Verify HTTPS certificates when downloading alias URLs" under System/Advanced/Firewall & NAT, but that had no effect.

Bug #5604 makes reference to additional checks in the snapshot for TLS. It would be nice if the additional checks were accompanied by a checkbox to disable them.

Also, the target server supports TLSv1.2, but the connection is negotiated using the less secure TLSv1.0. This might need a separate bug report, however.

Frame 19: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy
Internet Protocol Version 4, Src: xx.xx.xx.xx, Dst: yy.yy.yy.yy
Transmission Control Protocol, Src Port: 55822, Dst Port: 587, Seq: 229, Ack: 4199, Len: 7
Secure Sockets Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Expired)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Certificate Expired (45)

History

#1 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Not a Bug

There are options to ignore invalid certificates, but honestly it did the right thing here. If an expired certificate was offered by the server, it should be rejected.
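The following Python is an added illustration of what the capture in the description and the reply above describe; it is not pfSense code and not part of this ticket. It decodes the alert record the client sent (reassembled here from the fields shown in the capture), applies the validity-window check that produced it to a constructed peer certificate in the shape returned by `SSLSocket.getpeercert()`, and builds a client `SSLContext` that keeps certificate verification on and refuses anything below TLS 1.2, which is the behaviour the maintainer calls correct. The sample certificate, its dates, and the hostname `mail.example.invalid` are constructed for the example.

```python
import ssl
import struct

# TLS alert descriptions tied to certificate validation (RFC 5246, section 7.2.2).
ALERT_DESCRIPTIONS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Constructed: the 7-byte alert record reassembled from the fields in the capture
# (content type 21, version 0x0301, length 2, level 2, description 45).
ALERT_RECORD = bytes.fromhex("15 03 01 00 02 02 2d")


def parse_tls_alert(record: bytes) -> dict:
    """Decode a TLS alert record (5-byte record header + 2-byte alert body)."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != 21:
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(record) < 7:
        raise ValueError("alert body must be exactly two bytes")
    level, description = record[5], record[6]
    return {
        "version": TLS_VERSIONS.get(version, f"unknown (0x{version:04x})"),
        "level": ALERT_LEVELS.get(level, f"unknown ({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown ({description})"),
    }


# Constructed: a peer certificate in the dict shape returned by SSLSocket.getpeercert(),
# with a validity window that ended the day before this report was filed.
SAMPLE_EXPIRED_CERT = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  8 00:00:00 2017 GMT",
}

# Reference time: the report's start date (09 Jan 2017) as seconds since the epoch, UTC.
REPORT_TIME = ssl.cert_time_to_seconds("Jan  9 00:00:00 2017 GMT")


def cert_validity_status(cert: dict, now: float) -> str:
    """Return 'expired', 'not_yet_valid' or 'valid' for the certificate at time `now`."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def smtp_tls_context() -> ssl.SSLContext:
    """Client context for STARTTLS to a submission server: verification on, TLS 1.2 floor."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True,
    # so an expired or untrusted certificate fails the handshake with an alert
    # like the one captured above. Raising the floor to TLS 1.2 addresses the
    # TLSv1.0 negotiation the reporter also noticed.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(parse_tls_alert(ALERT_RECORD))
    print(cert_validity_status(SAMPLE_EXPIRED_CERT, REPORT_TIME))
    ctx = smtp_tls_context()
    print(ctx.verify_mode.name, ctx.check_hostname, ctx.minimum_version.name)
```

In a real notification sender the context from `smtp_tls_context()` would be passed as `smtplib.SMTP(host, 587).starttls(context=ctx)`; with it, the handshake against the expired certificate in the capture ends exactly as shown there, with a fatal `certificate_expired` alert from the client, and the fix is to renew the server's certificate rather than to turn verification off.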
