Outbound TLS connections fail with certificate validation error

Article:TECH134036  |  Created: 2010-01-18  |  Updated: 2010-10-19  |  Article URL http://www.symantec.com/docs/TECH134036
Article Type
Technical Solution


Issue

Email messages to domains configured for TLS delivery are queued or delivered without encryption.

Error

maillog:

2010 Jun 9 13:11:08 MDT (info) ecelerity: [16801] Subject Common Name does not match host name
2010 Jun 9 13:11:08 MDT (info) ecelerity: [16801] DNS Subject Alternative Name does not match host name
2010 Jun 9 13:11:08 MDT (notice) ecelerity: [16801] ec_ssl_ctx 0x952d8f08 tls_verify_validca failed

Cause

The Brightmail Gateway MTA is failing to verify some otherwise valid TLS certificates. In some configurations this will cause negotiation of the transport layer security to fail.

Solution

This issue has been addressed with the Brightmail Gateway 9.0.2 release.

For earlier versions, as a workaround, TLS delivery can be configured to ignore failures in certificate validation.

  1. Log in to the Control Center as an administrator.
  2. Select Protocols->Domains.
  3. For each domain that requires TLS delivery:
       1. Edit the domain.
       2. Under "Delivery", in "TLS Encryption", select "Require TLS encryption and don't verify certificate" or "Attempt TLS encryption".
       3. Save your changes.

The MTA will attempt to validate the certificate but ignore failures and continue to negotiate an encrypted connection. With verification disabled the session is still encrypted, but the identity of the remote mail server is no longer authenticated, so the workaround should be reverted once the upgrade to 9.0.2 is in place.

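To keep track of which delivery attempts still trip certificate validation while the workaround is active, the following triage script groups maillog lines by ecelerity process id and reports each validation failure together with the name-mismatch messages that preceded it. It is an added example, not part of the article or of Brightmail Gateway; it assumes the maillog format quoted in the Error section above and that the MTA keeps logging these lines when failures are ignored (the sample lines are constructed).

```python
import re
from collections import defaultdict

# Constructed sample lines in the maillog format quoted in the article.
SAMPLE_MAILLOG = """\
2010 Jun 9 13:11:08 MDT (info) ecelerity: [16801] Subject Common Name does not match host name
2010 Jun 9 13:11:08 MDT (info) ecelerity: [16801] DNS Subject Alternative Name does not match host name
2010 Jun 9 13:11:08 MDT (notice) ecelerity: [16801] ec_ssl_ctx 0x952d8f08 tls_verify_validca failed
2010 Jun 9 13:12:40 MDT (info) ecelerity: [16802] Subject Common Name does not match host name
2010 Jun 9 13:15:02 MDT (notice) ecelerity: [16803] ec_ssl_ctx 0x952d9a10 tls_verify_validca failed
"""

# Assumed line layout: "<timestamp> (<level>) ecelerity: [<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d \w+) "
    r"\((?P<level>\w+)\) ecelerity: \[(?P<pid>\d+)\] (?P<msg>.*)$"
)

# Name-mismatch messages the MTA logs before declaring verification failed.
REASON_MARKERS = (
    "Subject Common Name does not match host name",
    "DNS Subject Alternative Name does not match host name",
)
FAILURE_MARKER = "tls_verify_validca failed"


def parse_tls_failures(log_text):
    """Return {pid: {"time": ts, "reasons": [...]}} for every ecelerity
    process that logged a tls_verify_validca failure, with the mismatch
    messages that the same process logged before the failure."""
    reasons = defaultdict(list)
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ecelerity line in the expected format
        pid, msg = m.group("pid"), m.group("msg")
        for marker in REASON_MARKERS:
            if marker in msg:
                reasons[pid].append(marker)
        if FAILURE_MARKER in msg:
            failures[pid] = m.group("ts")
    return {pid: {"time": ts, "reasons": reasons.get(pid, [])}
            for pid, ts in failures.items()}


if __name__ == "__main__":
    for pid, info in parse_tls_failures(SAMPLE_MAILLOG).items():
        print(pid, info["time"], "; ".join(info["reasons"]) or "(no mismatch message logged)")
```

A process that reports a failure with an empty reasons list failed validation for something other than the two name-mismatch messages quoted above and deserves a separate look.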


Supplemental Materials

Source: ETrack
Value: 2073833

Legacy ID

2010061815413154