TLS mail delivery fails when validating SSL Unified Communications Certificates (UCC) with an invalid or empty Common Name (CN) field

Article ID: 160946

Products

Messaging Gateway

Issue/Introduction

This article contains supportability information with regard to Secure Sockets Layer (SSL) Unified Communications Certificates (sometimes called multi-domain SSL certificates) and email delivery using Symantec Messaging Gateway 10.5.x.

Email delivery to a non-local domain may fail where TLS-encrypted delivery is required and certificate verification is enabled.

The Message Audit Log (MAL) shows the following error:

451 4.7.5 [internal] remote node ssl certificate not signed by a valid ca

Furthermore, a debug-level log of the Mail Transfer Agent (MTA) will show the following additional details:

2014 Jul  7 11:47:02 CEST (info) ecelerity: [25761] Subject Common Name not found
2014 Jul  7 11:47:02 CEST (notice) ecelerity: [25761] ec_ssl_ctx 0xd15e9fc0 tls_verify_validca failed

Resolution

Symantec Messaging Gateway requires that multi-domain (UCC, SAN) certificates contain a valid Common Name (CN) in the Subject field; the Subject Alternative Name entries alone are not sufficient.

To resolve this behaviour, generate a new certificate whose Subject contains a CN field populated with valid data.

Additional Information

Below is an example of a (self-signed) multi-domain certificate satisfying all requirements for Messaging Gateway.


# openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b4:9d:fc:17:47:8f:fe:4b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, ST=Ireland, L=Dublin, O=Symantec Ltd, OU=EMEA Support, CN=mx.mydomain.com/[email protected]
        Validity
            Not Before: Jul 24 15:17:40 2014 GMT
            Not After : Jul 24 15:17:40 2015 GMT
        Subject: C=IE, ST=Ireland, L=Dublin, O=Symantec Ltd, OU=EMEA Support, CN=mx.mydomain.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:dc:6a:c5:86:64:8a:07:36:e2:42:16:6a:53:f6:
                    91:0c:0f:4e:0a:f3:d1:cf:56:18:fc:75:7b:fd:81:
                    6f:8c:c2:14:29:d8:42:7d:2c:57:fe:d2:bb:c6:7a:
                    b0:cd:6a:00:9f:2c:26:52:40:a0:c2:df:b2:0c:b4:
                    36:f3:09:40:b6:c1:2e:86:0b:ea:bc:8a:d1:a4:12:
                    a6:75:15:86:d2:84:6b:9c:47:13:9e:a7:3e:5c:be:
                    42:aa:ae:f1:1f:91:61:33:fa:36:81:71:ff:eb:70:
                    b4:18:6c:c1:5f:bd:84:3d:f2:c5:d1:d4:9f:9b:2f:
                    4b:3e:f9:69:64:2d:ac:5a:0b:f1:09:3e:6f:d7:25:
                    e2:a0:8b:23:b5:9f:bc:80:a7:c7:dc:e8:ea:8c:94:
                    2a:3e:aa:34:d3:ad:9c:a0:cf:d7:ba:dd:ad:d8:5e:
                    bb:e5:58:c2:16:53:61:b3:84:0c:24:77:f5:d2:50:
                    37:58:bc:31:24:2e:f2:1c:70:3d:c1:cf:24:5e:1f:
                    da:ab:9d:21:76:2a:8a:08:e2:fd:51:91:0e:3d:19:
                    87:f1:40:11:39:69:42:d7:4e:62:1e:6a:82:f7:6d:
                    c6:89:44:6b:13:27:09:79:ba:a1:00:1e:dd:fb:29:
                    62:8b:76:80:dd:99:63:d5:ad:16:06:01:69:18:4f:
                    46:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:host1.mydomain.com, DNS:host2.mydomain.com, DNS:host3.mydomain.com
    Signature Algorithm: sha1WithRSAEncryption
        60:0f:0a:16:b9:ce:b6:f4:3e:a0:1f:10:3a:50:8b:84:61:81:
        2b:22:e0:22:ac:0c:91:09:46:b2:9d:89:ea:23:3b:2e:1b:75:
        5b:4b:14:02:30:2b:26:dc:c2:90:2a:87:0e:ee:51:7b:78:12:
        08:dd:a7:fb:ad:18:0b:22:83:7a:15:8e:08:fd:e0:8f:f7:67:
        a6:a7:c0:a0:1c:81:0d:5f:bb:89:09:3b:63:37:5e:d8:0c:f0:
        0a:4b:6f:e1:ad:d5:93:4b:1b:ea:5b:db:9e:9a:01:7f:08:17:
        00:67:5c:e7:da:ae:91:d4:c2:66:4c:05:18:f6:c7:19:bf:80:
        b5:40:da:0b:fa:04:0f:2e:09:cb:a0:81:aa:4d:a2:7f:90:50:
        70:81:42:3e:39:2b:46:97:70:a9:4f:a8:80:9e:eb:85:b4:be:
        d8:9b:18:df:46:bc:37:69:e1:52:19:a6:65:ef:75:3b:5f:47:
        71:6d:84:b8:fb:2f:63:31:21:9c:bd:4d:ca:3a:69:59:2f:ad:
        c9:26:e5:27:d5:11:4b:18:5a:1b:a6:3a:63:4a:4b:22:67:af:
        58:d3:a2:12:12:bc:a6:1d:9d:35:90:67:df:34:89:18:7a:8a:
        62:56:a3:b1:3d:48:72:4a:86:ab:ed:70:b0:6c:ea:f0:7b:dc:
        f8:56:1c:1c
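As an added example (not part of the original article), the following POSIX shell script checks a PEM certificate for the non-empty Subject CN that Messaging Gateway requires and lists its SAN entries, so a certificate can be validated before it is deployed on a peer. It assumes an OpenSSL 1.1.1 or later `openssl` binary on PATH and builds two constructed self-signed test certificates, one with a CN and one with SANs only, so it runs offline.

```shell
# Added example, not from the original article. Assumes OpenSSL 1.1.1+;
# the certificates produced by make_sample_certs are constructed test data.

# check_smg_cert <cert.pem>: returns 0 if the Subject has a non-empty CN,
# 1 (with a diagnostic on stderr) if it does not or the file is unreadable.
# SAN entries are listed for reference; SMG needs the CN in addition to them.
check_smg_cert() {
    cert="$1"
    # RFC 2253 form prints the whole subject on one line, e.g.
    # "subject=CN=mx.mydomain.com,OU=EMEA Support,O=Symantec Ltd,C=IE"
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) || {
        echo "$cert: not a readable X.509 certificate" >&2
        return 1
    }
    # Split the RDNs on commas and keep the first CN value (an escaped "\,"
    # inside a value is not handled; host names never contain commas).
    cn=$(printf '%s\n' "$subject" | sed 's/^subject= *//' | tr ',' '\n' \
         | sed -n 's/^CN=//p' | head -n 1)
    if [ -z "$cn" ]; then
        # Same condition the MTA debug log reports as "Subject Common Name not found"
        echo "$cert: Subject Common Name not found; SMG will reject this peer" >&2
        return 1
    fi
    echo "$cert: CN=$cn"
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | sed '1d;s/^ *//'
    return 0
}

# make_sample_certs <dir>: writes good.pem (CN plus SANs, like the article's
# example) and nocn.pem (SANs only, the failing case). Constructed test data.
make_sample_certs() {
    dir="$1"
    sans="subjectAltName=DNS:host1.mydomain.com,DNS:host2.mydomain.com,DNS:host3.mydomain.com"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/good.key" \
        -out "$dir/good.pem" -addext "$sans" \
        -subj "/C=IE/O=Symantec Ltd/OU=EMEA Support/CN=mx.mydomain.com" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/nocn.key" \
        -out "$dir/nocn.pem" -addext "$sans" \
        -subj "/C=IE/O=Symantec Ltd/OU=EMEA Support" 2>/dev/null
}

# Stand-alone use: sh check_smg_cert.sh cert1.pem [cert2.pem ...]
if [ "$#" -gt 0 ]; then
    for c in "$@"; do check_smg_cert "$c"; done
fi
```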

Applies To