[Dovecot] SSL with startssl.com certificates

Reindl Harald h.reindl at thelounge.net
Wed Oct 9 22:55:35 EEST 2013



On 09.10.2013 21:45, Eliezer Croitoru wrote:
> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>>
>>
>> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>>
>>>> *** /var/log/maillog ***
>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed:
>>>> where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth
>>>> attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197,
>>>> TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
>>> How about trying to use a username to identify the user??
>>> it is very clear that there is nothing that the client tries to do...
>>
>> it is much more clear that there is no username if the client
>> refuses the SSL handshake because it does not like the cert
>> or the offered ssl-ciphers
>>
>> user=<> is pretty normal in a lot of cases
>>
>> * ssl cert not accepted and not allowed by the user in case of untrusted
>> * no cipher the client accepts
>> * no auth-mech the client accepts offered by the server
>>
>> so how do *you* imagine to see a username in the log?
>>
> I expect that StartSSL will put good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..

not their job and not part of the problem

* your client accepts a certificate
* your client does not accept your certificate

in case it does not *you* as end user have to accept/import the server's cert

http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
http://www.startssl.com/?app=25#31

if someone does not know what an "intermediate CA" is he needs to RTFM or *read*
the messages of his client or buy certificates accepted by all major clients

but that all has less to do with your blunt "it is very clear that there is nothing that
the client tries to do" showing that you have zero experience of how a client handshake
works -> it does not send usernames or even passwords until it is satisfied
with the negotiation of auth-mechs and ssl-handshake
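A small log-triage script, added here and not part of the thread or of Dovecot, that separates the "user=<>, TLS handshaking: Disconnected" lines (the client aborted the handshake before ever sending credentials, typically because it rejected the certificate chain or found no acceptable cipher) from genuine authentication failures; the sample maillog lines are constructed after the excerpt quoted above, and the 203.0.113.x addresses and session ids are made up.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the maillog excerpt in the thread.
SAMPLE_LOG = """\
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
Sep 13 11:52:10 imaps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=199.233.228.197, TLS, session=<constructed01>
Sep 13 11:53:02 imaps dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=199.233.228.197, TLS, session=<constructed02>
Sep 13 11:54:30 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<constructed03>
"""

# Matches the imap-login "Disconnected (...)" line: reason, username and remote IP.
DISCONNECT_RE = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[^,]+),"
)


def classify(line):
    """Return (category, rip) for a disconnect line, or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    # Empty user plus a TLS-handshaking disconnect: the client never reached
    # authentication, so no username can appear in the log.
    if "TLS handshaking:" in line and m["user"] == "":
        return ("tls_handshake_failed", m["rip"])
    if m["reason"].startswith("auth failed"):
        return ("auth_failed", m["rip"])
    return ("other_disconnect", m["rip"])


def triage(log_text):
    """Count disconnect lines per (category, remote IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            counts[result] += 1
    return counts


if __name__ == "__main__":
    for (category, rip), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category:22} {rip:16} {n}")
```

Repeated handshake failures from one address against a server whose chain lacks the intermediate certificate are the signature the thread describes; the same client connecting fine after importing the chain confirms the diagnosis.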
