Dovecot 2.3.0 TLS

peter.kahl at eosec.com
Sat Jun 29 13:11:15 EEST 2019


    On 11.01.2018 13:20, Hauke Fath wrote:
    > On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
    >> Was the certificate path bundled in the server certificate?
    > No, as a separate file, provided from the local (intermediate) CA:
    >
    > ssl_cert = </etc/openssl/certs/server.cert
    > ssl_key = </etc/openssl/private/server.key
    > ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
    >
    > Worked fine with 2.2.x, 2.3 gives
    >
    > % openssl s_client -connect XXX:993
    > CONNECTED(00000006)
    > depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
    > verify error:num=20:unable to get local issuer certificate
    > verify return:1
    > depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
    > verify error:num=21:unable to verify the first certificate
    > verify return:1
    > ---
    > Certificate chain
    > 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
    >   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
    > ---
    > Server certificate
    > -----BEGIN CERTIFICATE-----
    > [...]
    > %
    >
    Seems we might've made an unexpected change here when we revamped the ssl
    code. Can you try if it works if you concatenate the cert and cert-chain
    to a single file? We'll start looking if this is a misunderstanding or a bug.

    Aki

-----------------------------------------------------------------------------

I have the CA cert concatenated with the actual cert (one file).

Code:
# openssl s_client -showcerts -connect some.server.host:587
CONNECTED(00000003)
depth=1 C = US, ST = State, L = Town, O = Company Name, OU = CERTIFICATION AUTHORITY, CN = CA Company Name, emailAddress = XXX at XXXX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
  0 s:/C=US/ST=State/L=Town/O=Company Name/OU=IT Department/CN=some.server.host/emailAddress=XXX at XXXX
    i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
  1 s:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
    i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=State/L=Town/O=Company Name/OU=IT Department/CN=some.server.host/emailAddress=XXX at XXXX
issuer=/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4074 bytes and written 373 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 5120 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID:
     Session-ID-ctx:
     Resumption PSK: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1561802629
     Timeout   : 7200 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
     Extended master secret: no
     Max Early Data: 0
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot.

I confirm the same problem described by *Hauke Fath* on 11 Jan 2018. 
Mozilla Thunderbird connects fine but iOS Mail does not.

Dovecot log:
1561801584 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: Connection closed
1561801592 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

Kind regards,
Peter
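A way to inspect a concatenated bundle of the kind Aki suggests for ssl_cert before deploying it, as an added example that is not part of the thread or of Dovecot: it reports the order of the certificates (leaf first, each followed by its issuer) and whether a self-signed root is included, and assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: inspect a concatenated PEM
# bundle of the kind Dovecot 2.3 expects in ssl_cert (server certificate first, then the
# issuing chain). Out-of-order or missing intermediates are what clients see as s_client
# verify errors 20/21; an included self-signed root is the situation behind verify error
# 19 in the output above. Returns 0 for a correctly ordered bundle, 1 otherwise.
check_chain_file() {
    bundle="$1"
    work=$(mktemp -d) || return 2
    # one file per certificate, numbered in the order they appear in the bundle
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/part" n ".pem")}' "$bundle"
    status=0
    i=1
    prev_issuer=""
    while [ -f "$work/part$i.pem" ]; do
        # RFC2253 formatting gives comparable strings; strip the "subject=" / "issuer=" prefixes
        subj=$(openssl x509 -in "$work/part$i.pem" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$work/part$i.pem" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^issuer= *//')
        if [ -z "$subj" ]; then
            echo "[$((i - 1))] ERROR: not a parsable certificate"
            status=1
            i=$((i + 1))
            continue
        fi
        echo "[$((i - 1))] subject: $subj"
        echo "    issuer:  $iss"
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subj" ]; then
            echo "    ERROR: not the issuer of certificate $((i - 2)); bundle is out of order or has a gap"
            status=1
        fi
        if [ "$subj" = "$iss" ]; then
            echo "    NOTE: self-signed root included; clients that do not trust it report verify error 19"
        fi
        prev_issuer=$iss
        i=$((i + 1))
    done
    if [ "$i" -eq 1 ]; then
        echo "no certificates found in $bundle"
        status=1
    fi
    rm -rf "$work"
    return $status
}

# usage: sh check_chain.sh /path/to/bundle.pem
if [ "$#" -eq 1 ]; then
    check_chain_file "$1"
fi
```

The check only compares names; run `openssl verify` against the CA you intend clients to trust to confirm the signatures as well.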

