[Dovecot] SSL_accept failed

Timothy Martin instanttim at mac.com
Fri Sep 15 09:30:41 EEST 2006 

I've successfully gone back and forth with using the same cert and  
key that works with my mail client and an alternate mail server  
(courier-imap) but seems to not work with with Dovecot/Apple Mail.  
I've also tested with openssl s_client commands (shown below). So  
given a particular cert/key the situation looks like this:
	Courier + Apple Mail:	works
	Courier + Thunderbird: works
	Dovecot + Apple Mail: doesn't work
	Dovecot + Thunderbird: works

I found an old message on the mailing list that basically just said  
that Apple Mail isn't working with IMAP-SSL support on dovecot, but  
that seems like it must be a bug that hopefully would be fixed (if it  
hasn't been already).

Does anyone else have info or experience with that?

.tim


CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ 
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ 
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ 
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
    i:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ 
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDoTCCAwqgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEaMBgGA1UE
ChMRRGVzaWduMXN0IERvdCBPcmcxGzAZBgNVBAMTEm1haWwuZGVzaWduMXN0Lm9y
ZzEnMCUGCSqGSIb3DQEJARYYZDFzdC1hZG1pbkBkZXNpZ24xc3Qub3JnMB4XDTA1
MTEwNTA2NDIwNFoXDTMzMDMyMjA2NDIwNFowgZgxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxGjAYBgNVBAoTEURl
c2lnbjFzdCBEb3QgT3JnMRswGQYDVQQDExJtYWlsLmRlc2lnbjFzdC5vcmcxJzAl
BgkqhkiG9w0BCQEWGGQxc3QtYWRtaW5AZGVzaWduMXN0Lm9yZzCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAueMIqNJGCB9QIZXBZw+17iT06feMdyzi0p7rB5xt
3nz/nTSMRFTIzmabN0tR8wFJ1oA3TlHFKQ51x08ZSUPLHmVo61xZIn392mwDL9Zn
ozh3FreVXkKHMhANvwTV2kqMcOJzeyNgENO0YSl6iv1MydMAM2OGbC6FdHAz6dHG
4GkCAwEAAaOB+DCB9TAdBgNVHQ4EFgQUF985KOsukGEGsY1eyBgWouDOVxIwgcUG
A1UdIwSBvTCBuoAUF985KOsukGEGsY1eyBgWouDOVxKhgZ6kgZswgZgxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUx
GjAYBgNVBAoTEURlc2lnbjFzdCBEb3QgT3JnMRswGQYDVQQDExJtYWlsLmRlc2ln
bjFzdC5vcmcxJzAlBgkqhkiG9w0BCQEWGGQxc3QtYWRtaW5AZGVzaWduMXN0Lm9y
Z4IBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBABwOsxpHng49aC9u
eRe1a3wn5tyZDPq5YQqpACHvz5JRX54y6Dh+PB2Y0Qim6/Ihf2r91D/WnFwULHvX
gllx6L4DnoB5Zq8+P+4B8m27VqgzaJAeIawXm0hXAl7E8UTUCXFCCUvuHmzVqHKl
dtAuA5z38boKKywg6U1HUhbuAmd8
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ 
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
issuer=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ 
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
---
No client certificate CA names sent
---
SSL handshake has read 1497 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID:  
24AA32335F51E58F94067A09F44DEF049D7B4588490046E04F9C31E91D1BF006
     Session-ID-ctx:
     Master-Key:  
9CFE3120D1363C82003E74B01CFAAA22224BE44CCDC6915F743A9CB3593240CCFDE43795 
FCF2A1E03242C9282B28CB3F
     Key-Arg   : None
     Start Time: 1158300051
     Timeout   : 300 (sec)
     Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.




On Sep 9, 2006, at 9:43pm, OpenMacNews wrote:

>
>
> given what i'm seeing below, i'm going to suggest that you step-by- 
> step
> it 1st with your own, home-grown CA cert ... just to see what's
> happening
>
>>> dovecot.cert: /CN=mail.design1st.org
>>> error 29 at 0 depth lookup:subject issuer mismatch
>>> /CN=mail.design1st.org
>>> error 29 at 0 depth lookup:subject issuer mismatch
>>> /CN=mail.design1st.org
>>> error 29 at 0 depth lookup:subject issuer mismatch
>>> OK
>
>> all my self-signed certs look like this:
>>
>>> design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
>>> CN=design1st.org
>>> error 18 at 0 depth lookup:self signed certificate
>>> OK
>>
>>
>> This seemed more interesting, but also didn't help me:
>>
>>
>>> design1st:/usr/local/openssl/certs root# openssl s_client -connect
>>> localhost:10943 -showcerts
>>> CONNECTED(00000003)
>>> depth=0 /CN=mail.design1st.org
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 /CN=mail.design1st.org
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 /CN=mail.design1st.org
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:/CN=mail.design1st.org
>>>    i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>>> Authority/emailAddress=support at cacert.org
>>> -----BEGIN CERTIFICATE-----
> snip
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/CN=mail.design1st.org
>>> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>>> Authority/emailAddress=support at cacert.org
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 1681 bytes and written 340 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> Server public key is 1024 bit
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : DHE-RSA-AES256-SHA
>>>     Session-ID:
>>> 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706
>>>     Session-ID-ctx:
>>>     Master-Key:
>>> 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE28
>>> 6C  0008197298EC8A16CE8D11BF4B
>>>     Key-Arg   : None
>>>     Start Time: 1157850811
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 21 (unable to verify the first certificate)
>>> ---
>>> * OK Dovecot ready.
>
>
> 1st, take each of the errors and google on it ... there's lots of info
> out there.
>
> unfortunately, you're gonna have to match what you find with your
> particular circumstance(s).
>
> that said ... lemme guess at something here:
>
> have you IMPORTED the cert into mail.app?
>
> why do i ask?  cref here:
>
> Mac OS X Mail.app (native eMail application) for Signing / Encrypting
>   http://wiki.cacert.org/wiki/EmailCertificates
>   "these steps were needed because Apple does not ship with the cacert
> Root CA Certificate"
>
> richard
> - --
>
> /"\
> \ /  ASCII Ribbon Campaign
>  X   against HTML email, vCards
> / \  & micro$oft attachments
>
> [GPG] OpenMacNews at gmail dot com
> fingerprint: 50C9 1C46 2F8F DE42 2EDB  D460 95F7 DDBD 3671 08C6
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iEYEARECAAYFAkUDl+0ACgkQlffdvTZxCMa0EwCgsIUowsMk6yLdy4TOb4ZSgAkP
> pwEAnRKE48MFdgacepl8qTQc6VxzWSI2
> =pFSx
> -----END PGP SIGNATURE-----
>

More information about the dovecot mailing list