[Dovecot] using signed certificates for TLS/SSL
Leonardo Rodrigues
leolistas at solutti.com.br
Thu Feb 18 15:47:03 EET 2010
Hi,
I have, at one customer, a web server running on a Verisign-signed
SSL certificate. Everything works fine; IE and Firefox
connect over https without asking anything, which usually happens with
self-signed certificates. I'm trying to use that certificate on Dovecot,
but clients (Thunderbird basically) keep saying the certificate is not
valid.
Yes, when configuring Thunderbird, I'm using the same CN that was
signed by Verisign for web usage.
I've enabled verbose_ssl and got this when Thunderbird tries to connect:
Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth
attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking:
SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
unknown CA ???
Is it Thunderbird that is not recognizing the Verisign-signed
certificate? Do I need to, somehow, install some Verisign CA
certificate in dovecot.conf?
When using a self-signed certificate, I also get an SSL_accept
failure, but with a different message:
Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth
attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking:
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
Despite the fact that my certificates were generated for use with
Apache, I can 'print' both of them with the same commands I use
to print Dovecot-generated certificates, from mkcert.sh. So it seems
they are compatible.
If I click OK in Thunderbird when using my Verisign-signed
certificates, everything works and I do get TLS logs:
Feb 18 12:23:36 correio dovecot: imap-login: Login:
user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 18 12:31:43 correio dovecot: imap-login: Login:
user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
What am I doing wrong?? Or is using a signed certificate for WEB
usage not possible on Dovecot?
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT email it:
gertrudes at solutti.com.br
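The "unknown ca" alert in the first log above is what a TLS client sends when it cannot build a chain from the certificate it received to a root it already trusts; a certificate issued for a web server is normally installed together with its intermediate CA certificate in a separate file (Apache's SSLCertificateChainFile), and that intermediate has to be included in the certificate file Dovecot presents. The script below is an added example, not part of the original post or of Dovecot: it builds a constructed root/intermediate/leaf hierarchy (all names made up) and shows verification failing when only the leaf is presented and passing when the intermediate is appended, assuming only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed demo CA hierarchy:
# root -> intermediate -> server leaf. A client that trusts only the root
# can validate the leaf only if the intermediate is presented alongside it;
# otherwise it aborts the handshake with the TLS alert "unknown ca".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA (self-signed; plays the role of the CA in the client's trust store)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.crt" -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA, signed by the root
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/inter.crt" \
  -days 2 -extfile "$WORK/inter.ext" >/dev/null 2>&1

# Server (leaf) certificate, signed by the intermediate
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/mail.key" \
  -out "$WORK/mail.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/inter.crt" \
  -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/mail.crt" \
  -days 2 >/dev/null 2>&1

# Leaf followed by the intermediate: the layout Dovecot's ssl_cert_file
# expects, so that the whole chain is sent during the handshake.
cat "$WORK/mail.crt" "$WORK/inter.crt" > "$WORK/mail-with-chain.crt"

# chain_ok FILE: succeeds if a client trusting only root.crt can validate
# the server certificate when FILE is what the server presents.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
    "$WORK/mail.crt" >/dev/null 2>&1
}

# Leaf alone: "unable to get local issuer certificate" on the verifying side,
# which a client reports back to the server as the "unknown ca" alert.
chain_ok "$WORK/mail.crt" && echo "leaf alone: ok" || echo "leaf alone: FAIL"
# Leaf + intermediate: verifies against the root.
chain_ok "$WORK/mail-with-chain.crt" && echo "with chain: ok" || echo "with chain: FAIL"
```

Against a live server, `openssl s_client -connect host:993 -showcerts` (or `-starttls imap` on port 143) lists exactly the certificates the server sends, so a missing intermediate shows up there.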