[Dovecot] using signed certificates for TLS/SSL

Leonardo Rodrigues leolistas at solutti.com.br
Thu Feb 18 15:47:03 EET 2010 

     Hi,

     I have, in one customer, a web server running on a Verisign-signed 
certificate SSL certificate. Everything works fine, IE and Firefox 
connects on https without asking anything, which usually happens on 
self-signed certificates. I'm trying to use that certificate on dovecot, 
but clients (Thunderbird basically) keeps saying the certificate is not 
valid.

     yes i'm using, when configuring Thunderbird, the same CN that was 
signed by Verisign for the web usage

     i've enabled verbose_ssl and got when thunderbird tries to connect:

Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth 
attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking: 
SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
alert unknown ca

     unknown CA ???

     is that Thunderbird that is not recognizing the Verisign-signed 
certificate ? Do i need to, somehow, install some Verisign CA 
certificate in dovecot.conf ?

     when using a self-signed certificate, i also get an SSL_accept 
failed, but with different message:

Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth 
attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking: 
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
alert bad certificate

     despite the fact my certificates were generated for use with 
Apache, i can 'print' them, both of them, with the same commands i use 
to print dovecot generated certificates, with mkcert.sh. So, it seems 
they are compatible.

     if i click OK on Thunderbird, when using my Verisign-signed 
certificates, everything works and i do got TLS logs:


Feb 18 12:23:36 correio dovecot: imap-login: Login: 
user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx, 
lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 18 12:31:43 correio dovecot: imap-login: Login: 
user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx, 
lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)



     what am i doing wrong ?? or using a signed-certificate for WEB 
usage is not possible on dovecot ?

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it

More information about the dovecot mailing list