[Dovecot] SSL Bug

Timo Sirainen tss at iki.fi
Tue May 25 19:03:33 EEST 2010


On Sun, 2010-05-16 at 00:52 +0100, Matthew Sackman wrote:

> After many hours of testing, I've finally tracked down the issue I have
> been having with dovecot's SSL support. The problem is that the SSL
> certs result in "TLS handshaking: SSL_accept() syscall failed:
> Connection reset by peer" errors *if the certificate granted is not
> granted for client use*.

Most likely client decided that the cert wasn't valid and disconnected.

> If you just do that, then the SSL certificate doesn't work in dovecot
> (it will work fine in Apache, or Postfix etc etc). You also need the
> certificate to be valid for client side work:
..
> I believe this is a fault with Dovecot.

Maybe it's just that the email clients don't like it, while web browsers
don't care as much? Although I'd guess email clients also wouldn't like
Postfix..

Anyway, I don't really know what I could do about this. Except add a
check to log an error if keyUsage doesn't contain digitalSignature, but
I don't know if that's a good idea either.
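A defender-side check of the kind Timo mentions, as an added example that is not code from this thread or from Dovecot: it inspects a PEM certificate with `openssl` (assumed to be 1.1.1 or newer and on PATH) and reports whether keyUsage includes digitalSignature and, if an extendedKeyUsage extension is present, whether it includes serverAuth. The self-signed certificates it generates are constructed test inputs only.

```shell
#!/bin/sh
# check_cert_usage CERT.pem
# Reports whether a PEM certificate carries the X.509 extensions a TLS
# *server* certificate is normally expected to have:
#   - keyUsage containing digitalSignature (the check the thread discusses)
#   - extendedKeyUsage containing serverAuth, when an EKU extension exists
#     (an absent EKU places no restriction, so it is not reported)
# Returns 0 when nothing is missing, 1 when something is, 2 on parse failure.
check_cert_usage() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    missing=""
    # openssl prints the usage values on the line after each extension header
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/{getline; print; exit}')
    case "$ku" in
        *"Digital Signature"*) ;;
        *) missing="$missing keyUsage:digitalSignature" ;;
    esac
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/{getline; print; exit}')
    if [ -n "$eku" ]; then
        case "$eku" in
            *"TLS Web Server Authentication"*) ;;
            *) missing="$missing extendedKeyUsage:serverAuth" ;;
        esac
    fi
    if [ -n "$missing" ]; then
        echo "$cert: missing$missing"
        return 1
    fi
    echo "$cert: ok"
    return 0
}

# make_test_cert BASENAME KEYUSAGE
# Constructed self-signed test certificate (hypothetical CN), used only to
# exercise check_cert_usage; writes BASENAME.key and BASENAME.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
        -keyout "$1.key" -out "$1.pem" \
        -addext "keyUsage=critical,$2" -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# usage: check_cert_usage /path/to/dovecot-cert.pem
```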
