[Dovecot] SSL Bug

Matthew Sackman matthew at wellquite.org
Sun May 16 02:52:06 EEST 2010


Hi,

After many hours of testing, I've finally tracked down the issue I have
been having with dovecot's SSL support. The problem is that the SSL
certs result in "TLS handshaking: SSL_accept() syscall failed:
Connection reset by peer" errors *if the certificate granted is not
granted for client use*.

For servers, I normally generate SSL certificates specifically for
servers:

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

If you just do that, then the SSL certificate doesn't work in dovecot
(it will work fine in Apache, or Postfix etc etc). You also need the
certificate to be valid for client side work:

[ client_and_server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1

I believe this is a fault with Dovecot. This is with the Debian package
for Dovecot 1.2.11 (Version: 1:1.2.11-1). The default self-signed
certificate the Debian post-install script generates pops out a
certificate that is valid for everything, which is why it works by
default out of the box.

Matthew

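An added check, not part of the original post: it writes the two extension sections quoted above into an OpenSSL config, issues a throwaway self-signed certificate from each with the openssl CLI, and decodes the extendedKeyUsage so the server-only versus client+server difference can be confirmed on the certificate itself before Dovecot is involved. The CN and temp paths are constructed placeholders.

```shell
#!/bin/sh
# Example added by the editor; not code from the original post.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# OpenSSL config carrying both extension sections from the post, plus the
# minimal [req]/[dn] sections openssl req needs to run non-interactively.
cat > "$WORKDIR/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = mail.example.test
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ client_and_server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1
EOF

# make_cert NAME SECTION: self-signed cert using the named extension section.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
        -config "$WORKDIR/ext.cnf" -extensions "$2" 2>/dev/null
}

# eku_of CERT: print the decoded extendedKeyUsage line (empty if absent).
eku_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Return 0 when the certificate carries the given EKU purpose.
has_server_auth() { eku_of "$1" | grep -q 'TLS Web Server Authentication'; }
has_client_auth() { eku_of "$1" | grep -q 'TLS Web Client Authentication'; }

make_cert server server_ca_extensions
make_cert both   client_and_server_ca_extensions
printf 'server-only cert EKU : %s\n' "$(eku_of "$WORKDIR/server.pem")"
printf 'client+server cert EKU: %s\n' "$(eku_of "$WORKDIR/both.pem")"
```

The first line shows only "TLS Web Server Authentication", the second shows both purposes, which is the difference the post describes between the failing and the working certificate.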
