[Dovecot] SSL_accept failed
Timothy Martin
instanttim at mac.com
Fri Sep 15 09:30:41 EEST 2006
I've successfully gone back and forth with using the same cert and
key that works with my mail client and an alternate mail server
(courier-imap) but seems to not work with Dovecot/Apple Mail.
I've also tested with openssl s_client commands (shown below). So
given a particular cert/key the situation looks like this:
Courier + Apple Mail: works
Courier + Thunderbird: works
Dovecot + Apple Mail: doesn't work
Dovecot + Thunderbird: works
I found an old message on the mailing list that basically just said
that Apple Mail isn't working with IMAP-SSL support on dovecot, but
that seems like it must be a bug that hopefully would be fixed (if it
hasn't been already).
Does anyone else have info or experience with that?
.tim
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
i:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
issuer=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
CN=mail.design1st.org/emailAddress=d1st-admin at design1st.org
---
No client certificate CA names sent
---
SSL handshake has read 1497 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
24AA32335F51E58F94067A09F44DEF049D7B4588490046E04F9C31E91D1BF006
Session-ID-ctx:
Master-Key:
9CFE3120D1363C82003E74B01CFAAA22224BE44CCDC6915F743A9CB3593240CCFDE43795
FCF2A1E03242C9282B28CB3F
Key-Arg : None
Start Time: 1158300051
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.
On Sep 9, 2006, at 9:43pm, OpenMacNews wrote:
>
>
> given what i'm seeing below, i'm going to suggest that you step-by-step
> it 1st with your own, home-grown CA cert ... just to see what's
> happening
>
>>> dovecot.cert: /CN=mail.design1st.org
>>> error 29 at 0 depth lookup:subject issuer mismatch
>>> /CN=mail.design1st.org
>>> error 29 at 0 depth lookup:subject issuer mismatch
>>> /CN=mail.design1st.org
>>> error 29 at 0 depth lookup:subject issuer mismatch
>>> OK
>
>> all my self-signed certs look like this:
>>
>>> design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
>>> CN=design1st.org
>>> error 18 at 0 depth lookup:self signed certificate
>>> OK
>>
>>
>> This seemed more interesting, but also didn't help me:
>>
>>
>>> design1st:/usr/local/openssl/certs root# openssl s_client -connect
>>> localhost:10943 -showcerts
>>> CONNECTED(00000003)
>>> depth=0 /CN=mail.design1st.org
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 /CN=mail.design1st.org
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 /CN=mail.design1st.org
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:/CN=mail.design1st.org
>>> i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>>> Authority/emailAddress=support at cacert.org
>>> -----BEGIN CERTIFICATE-----
> snip
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/CN=mail.design1st.org
>>> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>>> Authority/emailAddress=support at cacert.org
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 1681 bytes and written 340 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> Server public key is 1024 bit
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : DHE-RSA-AES256-SHA
>>> Session-ID:
>>> 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706
>>> Session-ID-ctx:
>>> Master-Key:
>>> 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE28
>>> 6C 0008197298EC8A16CE8D11BF4B
>>> Key-Arg : None
>>> Start Time: 1157850811
>>> Timeout : 300 (sec)
>>> Verify return code: 21 (unable to verify the first certificate)
>>> ---
>>> * OK Dovecot ready.
>
>
> 1st, take each of the errors and google on it ... there's lots of info
> out there.
>
> unfortunately, you're gonna have to match what you find with your
> particular circumstance(s).
>
> that said ... lemme guess at something here:
>
> have you IMPORTED the cert into mail.app?
>
> why do i ask? cref here:
>
> Mac OS X Mail.app (native eMail application) for Signing / Encrypting
> http://wiki.cacert.org/wiki/EmailCertificates
> "these steps were needed because Apple does not ship with the cacert
> Root CA Certificate"
>
> richard
> - --
>
> /"\
> \ / ASCII Ribbon Campaign
> X against HTML email, vCards
> / \ & micro$oft attachments
>
> [GPG] OpenMacNews at gmail dot com
> fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iEYEARECAAYFAkUDl+0ACgkQlffdvTZxCMa0EwCgsIUowsMk6yLdy4TOb4ZSgAkP
> pwEAnRKE48MFdgacepl8qTQc6VxzWSI2
> =pFSx
> -----END PGP SIGNATURE-----
>
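The two s_client transcripts in this thread differ only in what the "Certificate chain" block shows: in one the leaf is its own issuer (verify code 18), in the other the leaf names a CA whose certificate the server never sends and the client does not hold (verify codes 20/21). The Python script below is an added example, not code from the thread or from Dovecot; it parses that block and the "Verify return code" line from constructed transcripts (all DNs and values are made up, modelled on the ones above) and reports which certificate a client such as Mail.app would have to trust. The function names parse_s_client, diagnose and explain are the example's own.

```python
"""Read `openssl s_client -showcerts` output and say which certificate a
client would have to trust.  Added example, not code from the thread or
from Dovecot.  The transcripts below are constructed, modelled on the
ones in the thread; every DN in them is made up."""
import re

# Constructed transcript: self-signed server cert (verify error 18).
SELF_SIGNED = """\
depth=0 /C=US/ST=California/O=Example/CN=mail.example.test
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/O=Example/CN=mail.example.test
   i:/C=US/ST=California/O=Example/CN=mail.example.test
---
Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.
"""

# Constructed transcript: CA-signed leaf, but the server sends no CA cert
# and the client does not trust that CA (verify error 21).
CA_SIGNED_NO_ISSUER = """\
depth=0 /CN=mail.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/O=Example CA/CN=Example Root
---
Verify return code: 21 (unable to verify the first certificate)
---
* OK Dovecot ready.
"""

CHAIN_SUBJECT = re.compile(r"^\d+\s+s:(.*)$")   # " 0 s:/CN=..."
CHAIN_ISSUER = re.compile(r"^i:(.*)$")          # "   i:/CN=..."
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


def parse_s_client(output):
    """Return the (subject, issuer) pairs of the 'Certificate chain' block
    and the final verify return code of an s_client transcript."""
    chain, subject = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = CHAIN_SUBJECT.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    m = VERIFY_CODE.search(output)
    return {
        "chain": chain,
        "verify_code": int(m.group(1)) if m else None,
        "verify_text": m.group(2) if m else None,
    }


def diagnose(parsed):
    """Classify the chain the server sent and name the trust anchor the
    client needs in order to accept it."""
    chain = parsed["chain"]
    if not chain:
        return {"kind": "no-chain", "leaf": None, "trust_anchor_needed": None}
    leaf = chain[0][0]
    # Each certificate's issuer must be the subject of the next one sent;
    # otherwise the server is presenting certs that do not chain together.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return {"kind": "broken-chain", "leaf": leaf,
                    "trust_anchor_needed": None}
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:
        # Chain ends in a self-signed cert: the client must trust that exact
        # certificate (verify code 18 when the leaf itself is self-signed).
        kind = "self-signed" if len(chain) == 1 else "ends-in-private-root"
        return {"kind": kind, "leaf": leaf, "trust_anchor_needed": last_subject}
    # Chain stops at a cert whose issuer was not sent: the client must already
    # hold that issuer, or the server must send the missing intermediate.
    return {"kind": "incomplete", "leaf": leaf, "trust_anchor_needed": last_issuer}


def explain(diag):
    """One-line operator-facing summary of a diagnose() result."""
    anchor = diag["trust_anchor_needed"]
    if diag["kind"] == "self-signed":
        return "leaf is self-signed; the client must trust this exact cert: " + anchor
    if diag["kind"] == "incomplete":
        return "issuer not sent by server; the client must already trust: " + anchor
    if diag["kind"] == "ends-in-private-root":
        return "chain is complete up to a private root; trust that root: " + anchor
    return "chain does not link up (or no chain sent); check what the server presents"
```

Feed it the text you would otherwise read by eye: `explain(diagnose(parse_s_client(transcript)))`. For the self-signed transcript it names the server cert itself as the thing to import; for the CA-signed one it names the CA that the server did not send, which is the situation richard's suggestion to import the cert into Mail.app addresses. Real s_client output may wrap long DNs over two lines, as it does in the thread; the regexes here assume one DN per line.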