[Dovecot] SSL Bug
Timo Sirainen
tss at iki.fi
Tue May 25 19:03:33 EEST 2010
On Sun, 2010-05-16 at 00:52 +0100, Matthew Sackman wrote:
> After many hours of testing, I've finally tracked down the issue I have
> been having with dovecot's SSL support. The problem is that the SSL
> certs result in "TLS handshaking: SSL_accept() syscall failed:
> Connection reset by peer" errors *if the certificate granted is not
> granted for client use*.
Most likely client decided that the cert wasn't valid and disconnected.
> If you just do that, then the SSL certificate doesn't work in dovecot
> (it will work fine in Apache, or Postfix etc etc). You also need the
> certificate to be valid for client side work:
..
> I believe this is a fault with Dovecot.
Maybe it's just that the email clients don't like it, while web browsers
don't care as much? Although I'd guess email clients also wouldn't like
Postfix..
Anyway, I don't really know what I could do about this. Except add a
check to log an error if keyUsage doesn't contain digitalSignature, but
I don't know if that's a good idea either.
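As an added illustration of the keyUsage check floated above (not Dovecot code, and not from either poster): the function below inspects a certificate's keyUsage and extendedKeyUsage and reports when a present extension omits digitalSignature or serverAuth; the two self-signed certificates it runs against are constructed test data, and the `cryptography` package is assumed to be installed.

```python
from typing import List, Optional
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH


def check_server_cert(cert: x509.Certificate) -> List[str]:
    """Return the reasons a certificate is unsuitable for a TLS server.
    An absent extension imposes no restriction, so only a present extension
    that omits the needed bit or purpose is reported."""
    problems = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:  # the check proposed in the reply above
            problems.append("keyUsage lacks digitalSignature")
    except x509.ExtensionNotFound:
        pass
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if SERVER_AUTH not in eku:
            problems.append("extendedKeyUsage lacks serverAuth")
    except x509.ExtensionNotFound:
        pass
    return problems


def make_cert(key, key_usage: Optional[x509.KeyUsage],
              purposes: Optional[list]) -> x509.Certificate:
    """Build a self-signed test certificate (constructed data, not a real cert)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "mail.example.test")])
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    if key_usage is not None:
        builder = builder.add_extension(key_usage, critical=True)
    if purposes is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(purposes), critical=False)
    return builder.sign(key, hashes.SHA256())


KEY = ec.generate_private_key(ec.SECP256R1())
# KeyUsage argument order: digitalSignature, contentCommitment, keyEncipherment,
# dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
GOOD = make_cert(KEY, x509.KeyUsage(True, False, True, False, False, False, False, False, False),
                 [SERVER_AUTH, CLIENT_AUTH])
# A cert restricted to client use and lacking digitalSignature: the shape the check flags.
BAD = make_cert(KEY, x509.KeyUsage(False, False, True, False, False, False, False, False, False),
                [CLIENT_AUTH])
```

Running `check_server_cert` on a certificate with no keyUsage or extendedKeyUsage extension at all returns an empty list, since neither extension restricts it.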