pfSense

Am using pfsense 2.3.3 development snapshot 2017-01-08.

When configuring SMTP notifications using STARTTLS over tcp port 587, test messages fail with "Error: could not start TLS connection encryption protocol".

A quick trace of the connection (details below) shows the connection proceeds normally through TLS negotiation, but fails during certificate validation with pfsense returning a "Certificate Expired" error to the server. The certificate is indeed expired.

I've tried toggling the seemingly related checkbox Verify HTTPS certificates when downloading alias URLs under System/Advanced/Firewall & NAT but that had no effect.

Bug #5604 makes reference to additional checks in the snapshot for TLS. It would be nice if the additional checks were accompanied by a checkbox to disable them.

Also, the target server supports TLSv1.2, but the connection is negotiated using the less secure TLSv1.0. This might need a separate bug report however.

Frame 19: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy
Internet Protocol Version 4, Src: xx.xx.xx.xx, Dst: yy.yy.yy.yy
Transmission Control Protocol, Src Port: 55822, Dst Port: 587, Seq: 229, Ack: 4199, Len: 7
Secure Sockets Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Expired)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Certificate Expired (45)