On 2020-06-02 at 15:40, Lemat wrote:
after EHLO it offers STARTTLS and waits for further commands
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = PL, serialNumber = 0000014843, C = PL, ST = Mazowieckie, L = Warszawa, O = Bank Polska Kasa Opieki S.A., OU = Departament Bezpiecze\C5\84stwa Banku, CN = black.pekao.com.pl
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=PL/serialNumber=0000014843/C=PL/ST=Mazowieckie/L=Warszawa/O=Bank Polska Kasa Opieki S.A./OU=Departament Bezpiecze\xC5\x84stwa Banku/CN=black.pekao.com.pl
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=PL/serialNumber=0000014843/C=PL/ST=Mazowieckie/L=Warszawa/O=Bank Polska Kasa Opieki S.A./OU=Departament Bezpiecze\xC5\x84stwa Banku/CN=black.pekao.com.pl
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4751 bytes and written 408 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 0908CE15C4FD548D54C2DADE9BDDFD779DE328C7FDF9790CA13179D836BC5CA5
Session-ID-ctx:
Master-Key: 429BCEBD192980BE928842B9F18DDA4ED408EAA71A03F8FDA550564EA2E5A59DA7555CED63A3CEBA58C1703FAB92E640
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1591122561
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
That is what both approaches gave.
The PKO server connects over IPv6. For that reason I specifically enabled IPv6
with a DROP policy and gave them ACCEPT in ip6tables.
Previously there were no problems for a long time. When a few days
ago we realized that important mail had not arrived and was sitting in the queue,
I looked at the connections and saw that it connects over IPv6, so
I enabled IPv6 and made an opening for it, but that did not help. After
some 2 days part of the mail suddenly went through, but the next day it failed
again - the same thing.
Sending to other recipients has had no problems so far.
LFC