[Dovecot] Thunderbird STARTTLS error
Bill Cole
dovecot-20110531 at billmail.scconsult.com
Wed May 9 16:42:55 EEST 2012
On 9 May 2012, at 9:05, Markus Fritz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Am 09.05.2012 14:32, schrieb Ken Stevenson:
>>>
>>> I got only this keys. Can you explain me what exactly you mean with
>>> adding chains?
>>> And I wonder why this error only occurs in Thunderbird, not in
>>> openssl.
>>>
>>
>> Never mind, I don't think my first guess was correct. I wonder if it
> has to do with the error 27 reported in the verify by openssl.
> According
> to the manual, an error 27 means:
>>
>> "the root CA is not marked as trusted for the specified purpose."
>>
>> It looks like the certificate is valid cryptographically, but that it
> wasn't certified for how you're using it.
>>
>> If I run:
>>
>> openssl x509 -in ssl.crt -noout -text
>>
>> The output includes the following:
>>
>> X509v3 Extended Key Usage:
>> TLS Web Server Authentication, TLS Web Client Authentication
>> X509v3 Key Usage: critical
>> Digital Signature, Key Encipherment
>>
>> Does yours look different?
>
> Mine looks like this:
>
> X509v3 Basic Constraints:
> CA:FALSE
There's your problem.
If you use a root CA in any X.509 trust chain (even one consisting of a
single self-signed certificate) that declares itself to not be
legitimate for use as a CA, you will have any signed certificates
treated as bogus by any proper X.509v3 implementation. Most tools that
create certificates do so with assumptions suited to the external CA
model, and set options like the Basic Constraints extension flags that
are not fit for a self-signed certificate.
More information about the dovecot
mailing list