[Dovecot] using ecc-certificates (ellyptic curve) will not establish connection

Fresel Michal - hi competence e.U. m.fresel at hi-competence.eu
Sun Oct 9 17:21:41 EEST 2011


hi

I want to use ECC(ellyptic curve cryptography) for SSL-connections but somehow dovecot doesn't like my ECC-certificates :(

I tried to test using following scenario:


machine:
debian 6 (x64)
dovecot 2.0.15-0~auto+21 ((f6a2c0e8bc03) from http://xi.rename-it.nl/debian
openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 needs also the parameter -cipher ECCdraft  for testing)



creating keys+cert for ecc (i.e. curves prime192v1, secp521r1)
# openssl ecparam -name prime192v1 -genkey -out prime192v1.key
# openssl req -new -key prime192v1.key -out prime192v1.csr
# openssl req -x509 -in prime192v1.csr -key prime192v1.key  -out prime192v1.crt

testing these in 2 windows
# openssl s_server -cert prime192v1.crt -key prime192v1.key  -www
# openssl s_client
note: when using the default openssl version 0.9.8o-4squeeze3 you need to append   -cipher ECCdraft


output (cut)
...
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
Server public key is 192 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-ECDSA-AES256-SHA
    Session-ID: xxxxx
    Session-ID-ctx: 
    Master-Key: xxxxx
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: xxxxx
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)


looks promising - also for the secp521r1 curve


but when changing dovecot.conf to use these keys and certificates it won't use them and return errors

# openssl  s_client -port 993
CONNECTED(00000003)
140543456835240:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
140543456835240:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: xxxxx
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

and the log gives (using verbose_ssl = yes in dovecot.conf)

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

from doveconf -a:
ssl = required
ssl_ca = 
ssl_cert = </etc/ssl/certs/prime192v1.crt
ssl_cert_username_field = commonName
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_key = </etc/ssl/certs/prime192v1.key
ssl_key_password = 
ssl_parameters_regenerate = 168
ssl_verify_client_cert = no


Has anybody already tested this and made it working?
Or do i have just to recompile everything to make it work?


Greetings

Mike


More information about the dovecot mailing list