[Dovecot] SSL_accept failed

Timothy Martin instanttim at mac.com
Sun Sep 10 04:21:59 EEST 2006


Thanks for the input so far... I hear what you're saying about  
Mail.app but I provide email for a small group of friends and I need  
it to work with a variety of clients.

On Sep 9, 2006, at 4:45pm, OpenMacNews wrote:

>
> you haven't referenced that you've tested the certs, or viewed them in
> detail in mulberry/thunderbird or shell, for that matter ...
>
> if you haven't, again, i'd simply suggest that you do.
>

I did, but I wasn't sure what it meant. I got an actual signed cert  
from cacerts.org and this is what I get when I try to verify it.


> dovecot.cert: /CN=mail.design1st.org
> error 29 at 0 depth lookup:subject issuer mismatch
> /CN=mail.design1st.org
> error 29 at 0 depth lookup:subject issuer mismatch
> /CN=mail.design1st.org
> error 29 at 0 depth lookup:subject issuer mismatch
> OK

All my self-signed certs look like this:

> design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=design1st.org
> error 18 at 0 depth lookup:self signed certificate
> OK


This seemed more interesting, but also didn't help me:


> design1st:/usr/local/openssl/certs root# openssl s_client -connect localhost:10943 -showcerts
> CONNECTED(00000003)
> depth=0 /CN=mail.design1st.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=mail.design1st.org
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=mail.design1st.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=mail.design1st.org
>    i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
> ---
> Server certificate
> subject=/CN=mail.design1st.org
> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1681 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706
>     Session-ID-ctx:
>     Master-Key: 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE286C0008197298EC8A16CE8D11BF4B
>     Key-Arg   : None
>     Start Time: 1157850811
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> * OK Dovecot ready.
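
An added example, not part of the original post: a small Python parser that reads `openssl s_client` output like the session quoted above and reports what the verify errors and the "Certificate chain" section say together. The function names are hypothetical, and the reading of codes 18, 20 and 21 follows OpenSSL's documented verify error meanings.

```python
import re

# Constructed sample: verify lines and chain section from the s_client output
# quoted in the post, with the mail client's line wrapping undone.
SAMPLE = """\
depth=0 /CN=mail.design1st.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mail.design1st.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=mail.design1st.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.design1st.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
---
"""

def parse_s_client(text):
    """Return (errors, chain): (depth, code, message) and (subject, issuer) tuples."""
    errors, chain, depth = [], [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"depth=(\d+)", line):
            depth = int(m.group(1))          # depth the next error applies to
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            errors.append((depth, int(m.group(1)), m.group(2)))
        elif m := re.match(r"\d+ s:(.*)", line):
            chain.append((m.group(1), None))  # subject; issuer follows on next line
        elif line.startswith("i:") and chain:
            chain[-1] = (chain[-1][0], line[2:])
    return errors, chain

def diagnose(text):
    """Turn the parsed output into findings an administrator can act on."""
    errors, chain = parse_s_client(text)
    codes = {code for _, code, _ in errors}
    if not chain:
        return ["no certificate chain found in the output"]
    subject, issuer = chain[-1]
    findings = []
    if 18 in codes or (len(chain) == 1 and subject == issuer):
        findings.append("leaf is self-signed: each client must trust this exact certificate")
    elif codes & {20, 21}:
        findings.append(f"issuer missing from the verifier's trust store: {issuer}")
        if len(chain) == 1:
            findings.append("server sent only the leaf; no CA certificate is in the chain")
    return findings
```

Calling `diagnose(SAMPLE)` returns two findings: the CAcert issuer is not in the verifier's trust store, and the server presented only the leaf certificate.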

