From c201138a43ab808f91b2ac420c5021eac69c2235 Mon Sep 17 00:00:00 2001 From: "Jean-Marc Pigeon (Delson)" Date: Fri, 18 Jul 2025 21:05:00 -0400 Subject: [PATCH] Better understanding of CA_ROOT configuration --- Makefile | 62 ++++++++++++++++++++++-------------------- certs/root-safe_CA.pem | 31 +++++++++++++++++++++ conf/mailleur.conf | 4 +-- conf/mailleur.conf.dvl | 4 +-- lib/lvleml.c | 2 +- 5 files changed, 68 insertions(+), 35 deletions(-) diff --git a/Makefile b/Makefile index 52a8d54..64b1974 100644 --- a/Makefile +++ b/Makefile @@ -90,14 +90,14 @@ valfeed : debug #valgring of emlrcvr #testing TLS connection tlsrcvr : @ clear - openssl s_client \ - -trace \ - -crlf \ - -status \ - -CAfile certs/root-safe_CA.pem \ - -cert certs/localhost-cert.pem \ - -key certs/localhost-key.pem \ - -starttls smtp \ + openssl s_client \ + -trace \ + -crlf \ + -status \ + -CAfile /etc/pki/tls/make-ca/ca-bundle.crt \ + -cert certs/localhost-cert.pem \ + -key certs/localhost-key.pem \ + -starttls smtp \ -connect mailpostg.example.com:25 # -connect smtp1.example.com:25 # -connect courriel.colba.net:25 @@ -106,25 +106,25 @@ tlsrcvr : tlsmx1 : @ clear - openssl s_client \ - -trace \ - -crlf \ - -status \ - -CAfile certs/root-safe_CA.pem \ - -cert certs/localhost-cert.pem \ - -key certs/localhost-key.pem \ - -starttls smtp \ + openssl s_client \ + -trace \ + -crlf \ + -status \ + -CAfile /etc/pki/tls/make-ca/ca-bundle.crt \ + -cert certs/localhost-cert.pem \ + -key certs/localhost-key.pem \ + -starttls smtp \ -connect mx1.free.fr:25 go465 : @ clear - @ openssl s_client \ - -crlf \ - --showcerts \ - -key certs/localhost-key.pem \ + @ openssl s_client \ + -crlf \ + --showcerts \ + -key certs/localhost-key.pem \ -cert_chain certs/localhost-chain-cert.pem \ - -CAfile certs/root-safe_CA.pem \ - -tls1_2 \ + -CAfile /etc/pki/tls/make-ca/ca-bundle.crt \ + -tls1_2 \ -connect $(TESTIP):1065 # -status 
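Review bot: The absolute bundle path `/etc/pki/tls/make-ca/ca-bundle.crt` is now written out in four recipes (here in tlsrcvr, and in the tlsmx1, go465 and tlsref hunks) and is specific to one distribution's layout, so on any other host the `-CAfile` argument points at a file that does not exist. A single overridable variable near the top of the Makefile, `CAFILE ?= /etc/pki/tls/make-ca/ca-bundle.crt`, used as `-CAfile $(CAFILE) \`, keeps the location in one place and lets a developer point the test targets back at a local PEM from the command line. As far as the collapsed view shows, the replaced option lines differ from the removed ones only in leading whitespace; recipe lines in a Makefile must begin with a tab, so it is worth confirming the new continuation lines still do. After this change nothing in these targets references `certs/root-safe_CA.pem` any more.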
@@ -141,20 +141,22 @@ go465 : #testing TLS with google tlsref: @ clear - @ openssl s_client \ - -quiet \ - -crlf \ - -CAfile certs/root-safe_CA.pem \ - -cert certs/localhost-cert.pem \ - -key certs/localhost-key.pem \ - -starttls smtp \ - -connect tar1.osukiss.org:25 + @ openssl s_client \ + -quiet \ + -crlf \ + -CAfile /etc/pki/tls/make-ca/ca-bundle.crt \ + -cert certs/localhost-cert.pem \ + -key certs/localhost-key.pem \ + -starttls smtp \ + -connect smtp.google.com:25 # -connect mx2.free.fr:25 # -connect mailprod1.safe.ca:587 # -connect tar1.osukiss.org:25 +# -connect smtp.google.com:25 # -connect courriel.colba.net:25 # -connect courriel.colba.net:587 +# -connect mailmysql.example.com:25 # -connect $(TESTSRV):$(TESTPORT) #-------------------------------------------------------------------- diff --git a/certs/root-safe_CA.pem b/certs/root-safe_CA.pem index 5f503cb..3d0f12d 100644 --- a/certs/root-safe_CA.pem +++ b/certs/root-safe_CA.pem 
@@ -56,3 +56,34 @@ BQUHAgEWJ2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuc2FmZS5jYS9yZXBvc2l0b3J5LzAI
 BgZngQwBAgEwCgYIKoZIzj0EAwMDSAAwRQIgUEMNNezsU248dE57Uz/fLdRdiioL
 eiHEbpMEcLW1dCoCIQCmbpV3cp0OvPAVX7cCzOGssT31ppkBIzA6dgNr7qyS+g==
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/conf/mailleur.conf b/conf/mailleur.conf
index c6e560c..78565a5 100644
--- a/conf/mailleur.conf
+++ b/conf/mailleur.conf
@@ -33,13 +33,13 @@ SMTPPORTS="|||5,smtps||465|3,smtp||587|2"
 #SSL_SECURITY=2
 #------------------------------------------------
 #Defining SERVER mode Certificate data
-CA_ROOT_SRV="/etc/pki/mailleur/root-safe_CA.pem"
+CA_ROOT_SRV="/etc/pki/tls/make-ca/ca-bundle.crt"
 CA_CERT_SRV="/etc/pki/mailleur/mailleur-cert.pem"
 CA_KEY_SRV="/etc/pki/mailleur/mailleur-key.pem"
 CA_VERIFY_SRV=0 #to check PEER/client remote certificate
 #------------------------------------------------
 #Defining CLIENT mode Certificate data
-CA_ROOT_CLT="/etc/pki/mailleur/root-safe_CA.pem"
+CA_ROOT_SRV="/etc/pki/tls/make-ca/ca-bundle.crt"
 CA_CERT_CLT="/etc/pki/mailleur/mailleur-cert.pem"
 CA_KEY_CLT="/etc/pki/mailleur/mailleur-key.pem"
 CA_VERIFY_CLT=0 #to check PEER/server remote certificate
diff --git a/conf/mailleur.conf.dvl b/conf/mailleur.conf.dvl
index 65b0be2..0389242 100644
--- a/conf/mailleur.conf.dvl
+++ b/conf/mailleur.conf.dvl
@@ -32,13 +32,13 @@ REALM="mailleur-email"
 #SSL_SECURITY=3
 #------------------------------------------------
 #Defining SERVER mode Certificate data
-CA_ROOT_SRV="./certs/root-safe_CA.pem"
+CA_ROOT_SRV="/etc/pki/tls/make-ca/ca-bundle.crt"
 CA_CERT_SRV="./certs/mailleur_server-chain-cert_x509.pem"
 CA_KEY_SRV="./certs/mailleur_server-key.pem"
 CA_VERIFY_SRV=0 #to check PEER/client remote certificate
 #------------------------------------------------
 #Defining CLIENT mode Certificate data
-CA_ROOT_CLT="./certs/root-safe_CA.pem"
+CA_ROOT_CLT="/etc/pki/tls/make-ca/ca-bundle.crt"
 CA_CERT_CLT="./certs/localhost-chain-cert.pem"
 CA_KEY_CLT="./certs/localhost-key.pem"
 CA_VERIFY_CLT=0 #to check PEER/server remote certificate
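Review bot: The block appended after the `-----END CERTIFICATE-----` context line is a new trust anchor (decoding its DER by hand, the subject reads as `CN=ISRG Root X1`, O=Internet Security Research Group, but treat that as my reading and verify it), yet every consumer of certs/root-safe_CA.pem that appears in this same patch — the four Makefile recipes and both conf files — is switched to /etc/pki/tls/make-ca/ca-bundle.crt, so within this commit nothing reads the addition; either something outside the diff still loads this file, or the append is dead and the file can go. A root added by hand should be pinned in the commit message by the SHA-256 fingerprint the issuer publishes, so a later reader can check it was not altered in transit; running `openssl x509 -noout -subject -fingerprint -sha256` on the appended block alone gives the value to record (openssl x509 reads only the first certificate of a multi-block file, so extract it first). It is also worth a one-line comment in the commit body on why a public root belongs in a file named root-safe_CA.pem.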
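Review bot: In conf/mailleur.conf the client-mode key is renamed by mistake: the removed `CA_ROOT_CLT="/etc/pki/mailleur/root-safe_CA.pem"` is replaced with `+CA_ROOT_SRV="/etc/pki/tls/make-ca/ca-bundle.crt"`, so the shipped file now sets CA_ROOT_SRV twice and never sets CA_ROOT_CLT, leaving the client side with whatever the config loader does for a missing key. The line should be `CA_ROOT_CLT="/etc/pki/tls/make-ca/ca-bundle.crt"`, exactly as the parallel edit in conf/mailleur.conf.dvl already has it. Separately, CA_VERIFY_SRV and CA_VERIFY_CLT remain at 0 in both files; if 0 means the peer certificate is not verified, the bundle this commit points at is never consulted in the default configuration, which the `#to check PEER...` comments could say explicitly.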
diff --git a/lib/lvleml.c b/lib/lvleml.c index 90b6d3a..99deaa3 100644 --- a/lib/lvleml.c +++ b/lib/lvleml.c @@ -2284,7 +2284,7 @@ while (proceed==true) { status=-3; break; } - (void) log_fprintlog(contact->logptr,false,"Contact terminated; " + (void) log_fprintlog(contact->logptr,true,"Contact terminated; " "condition=<%s>",str); //(void) rou_alert(0,"%s exit status='%d'",OPEP,status); break; //no need to go further -- 2.47.3
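Review bot: The second argument of `log_fprintlog` flips from `false` to `true` with nothing at the call site saying what that flag selects, so neither the commit title nor the code explains why a "Contact terminated" on the `status=-3` path is now logged differently. A short comment on the line, or a named constant in place of the bare boolean, would make the intent reviewable, e.g. `(void) log_fprintlog(contact->logptr,true /* <what true selects here — see prototype> */,"Contact terminated; "`. The enclosing `while (proceed==true)` loop starts and ends outside the hunk, so I cannot see how status -3 is consumed afterwards. The commented-out `rou_alert` call on the following context line is dead code that could be dropped in the same change.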