[Dovecot] Thunderbird STARTTLS error

Markus Fritz markus at opsys.de
Wed May 9 16:51:36 EEST 2012


Am 09.05.2012 15:42, schrieb Bill Cole:
> On 9 May 2012, at 9:05, Markus Fritz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Am 09.05.2012 14:32, schrieb Ken Stevenson:
>>>>
>>>> I got only this keys. Can you explain me what exactly you mean with
>>>> adding chains?
>>>> And I wonder why this error only occurs in Thunderbird, not in
>>>> openssl.
>>>>
>>>
>>> Never mind, I don't think my first guess was correct. I wonder if it
>>> has to do with the error 27 reported in the verify by openssl. According
>>> to the manual, an error 27 means:
>>>
>>> "the root CA is not marked as trusted for the specified purpose."
>>>
>>> It looks like the certificate is valid cryptographically, but that it
>>> wasn't certified for how you're using it.
>>>
>>> If I run:
>>>
>>> openssl x509 -in ssl.crt -noout -text
>>>
>>> The output includes the following:
>>>
>>> X509v3 Extended Key Usage:
>>> TLS Web Server Authentication, TLS Web Client Authentication
>>> X509v3 Key Usage: critical
>>> Digital Signature, Key Encipherment
>>>
>>> Does yours look different?
>>
>> Mine looks like this:
>>
>> X509v3 Basic Constraints:
>>              CA:FALSE
>
> There's your problem.
>
> If you use a root CA in any X.509 trust chain (even one consisting of
> a single self-signed certificate) that declares itself to not be
> legitimate for use as a CA, you will have any signed certificates
> treated as bogus by any proper X.509v3 implementation. Most tools that
> create certificates do so with assumptions suited to the external CA
> model, and set options like the Basic Constraints extension flags that
> are not fit for a self-signed certificate.
>
Sorry for my stupid question, but how can I resolve this with a StartSSL
signed cert? There I am able to generate a WEB or MIME cert. Thanks for
the help!

-- 
Markus Fritz
Administration

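Added example (not part of the thread, and not Dovecot's or OpenSSL's own tooling): the script below generates two self-signed certificates with the `openssl` CLI already used in this thread, one carrying `basicConstraints = CA:FALSE` as in Markus's certificate and one carrying `CA:TRUE`, and then checks each the same way Ken did, by reading the Basic Constraints line out of `openssl x509 -text`. The host name `mail.example.invalid`, the config section names and the `anchor_ok` helper are assumptions made for the example; the point it demonstrates is the one Bill makes above, that a self-signed certificate acting as its own trust anchor must assert `CA:TRUE`, and the check lets you spot a `CA:FALSE` certificate before pointing `ssl_cert` at it.

```sh
#!/bin/sh
# Constructed example: compare a CA:FALSE self-signed cert (the thread's case)
# with a CA:TRUE one, and detect which is fit to be its own trust anchor.
set -e
WORK=$(mktemp -d)

# OpenSSL config with two extension sections; all names here are assumptions.
cat > "$WORK/selfsigned.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = mail.example.invalid
# Extensions a typical tool writes for an externally signed server cert.
[ leaf_only ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.invalid
# Extensions for a self-signed cert that will be imported as its own trust anchor.
[ self_signed_anchor ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.invalid
EOF

# make_cert NAME EXT_SECTION : writes $WORK/NAME.key and $WORK/NAME.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -config "$WORK/selfsigned.cnf" -extensions "$2" 2>/dev/null
}

# basic_constraints CERT : prints the CA:TRUE / CA:FALSE line from the cert text
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1
}

# anchor_ok CERT : returns 0 if the cert asserts CA:TRUE, 1 otherwise
anchor_ok() {
    if basic_constraints "$1" | grep -q 'CA:TRUE'; then
        return 0
    else
        return 1
    fi
}

make_cert leaf leaf_only
make_cert anchor self_signed_anchor

for name in leaf anchor; do
    if anchor_ok "$WORK/$name.crt"; then
        verdict="usable as its own trust anchor"
    else
        verdict="will be rejected as a CA by X.509v3 clients"
    fi
    printf '%s:%s -> %s\n' "$name" "$(basic_constraints "$WORK/$name.crt")" "$verdict"
done
```

Run it as a plain shell script; it needs only the `openssl` binary. The `-extensions` switch selects which section is written into the certificate, which is the only difference between the two files, so the check isolates exactly the flag Bill points at.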