On 22.02.2013 17:21, Matthias Leopold wrote:
On 2013-02-22 17:02, Daniel Luttermann wrote:
On 2013-02-22, Matthias Leopold wrote:
With Thunderbird 10.0.12 I can't connect to port 993 and get errors in the logs like
TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
(certificate generated by dovecot mkcert.sh)
or
TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(certificate generated by own openssl cmdline)
Did you create a Root CA certificate? If not, I would prefer that you create your own CA and sign all certs with this Root CA certificate. You'll have to import the created Root CA certificate in Thunderbird and/or the Microsoft Certificate Store so that the applications can trust the self-signed certificates.
You could also use a free Certificate Authority like StartSSL, but the Root CA certificate must also be available in the certificate store of the application (Thunderbird, MS, Opera...).
-- Daniel
Thanks, but this is not an option, as this server is used by our customers, who won't be willing to import this CA certificate. I know about the limitations of self-signed certificates, and I think it's OK for a user to import an "unsecure" certificate once. After all, this does work for STARTTLS and works for some clients with IMAPS. I didn't find any hint that I can't use self-signed certificates for IMAPS/POPS.
Surely you can, but it only makes trouble, as you see. As a CUSTOMER, if I pay for your services, I would consider searching for someone who is willing to spend a small amount of money on a certificate which does not greet me with a warning.
It is up to the client how he handles untrusted certs.
However, the PEM files generated with the scripts below work with any known client, for imaps/pop3s as well as STARTTLS; you can also use them for Apache or Postfix submission and port 465.
[root@buildserver:/buildserver/ssl-cert]$ cat generate-cert.sh
#!/usr/bin/bash
# usage: generate-cert.sh <common-name>
WORKING_DIR="/buildserver/ssl-cert"
OUT_DIR="$WORKING_DIR/$1"

# bail out before creating anything if no common name was given
if [ -z "$1" ]; then
    echo "usage: $0 <common-name>" >&2
    exit 1
fi

mkdir "$OUT_DIR" 2> /dev/null
chmod 700 "$OUT_DIR"

# start from a clean output directory
rm -f "$OUT_DIR/$1.key" "$OUT_DIR/$1.csr" "$OUT_DIR/$1.crt" "$OUT_DIR/$1.pem"

# fill the common name into the request template
sed "s/my_common_name/$1/g" "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"

openssl genrsa -out "$OUT_DIR/$1.key" 2048
openssl req -config "$WORKING_DIR/openssl.conf" -new -key "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.csr"
# self-sign the request with the same key, valid for ten years
openssl x509 -req -days 3650 -in "$OUT_DIR/$1.csr" -signkey "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.crt"
# combined certificate + key file (e.g. for dovecot ssl_cert / ssl_key)
cat "$OUT_DIR/$1.crt" "$OUT_DIR/$1.key" > "$OUT_DIR/$1.pem"

echo ""
echo "$OUT_DIR/$1.key"
echo "$OUT_DIR/$1.csr"
echo "$OUT_DIR/$1.crt"
echo "$OUT_DIR/$1.pem"
echo ""
chmod 600 "$OUT_DIR"/*
ls -l -h --color=tty -X --group-directories-first --time-style=long-iso "$OUT_DIR/"
echo ""
rm -f "$WORKING_DIR/openssl.conf"
[root@buildserver:/buildserver/ssl-cert]$ cat openssl.conf.template
[ req ]
prompt = yes
default_bits = 2048
distinguished_name = req_DN
string_mask = nombstr

[ req_DN ]
countryName = "1. Landeskennung "
countryName_default = "AT"
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. Bundesland "
stateOrProvinceName_default = "Vienna"
localityName = "3. Stadt "
localityName_default = "Vienna"
0.organizationName = "4. Firmenname "
0.organizationName_default = "the lounge interactive design gmbh"
organizationalUnitName = "5. Abteilung "
organizationalUnitName_default = "Administration"
commonName = "6. Server-Name "
commonName_max = 64
commonName_default = "my_common_name"
emailAddress = "7. Mail-Adresse "
emailAddress_max = 40
emailAddress_default = "hostmaster@thelounge.net"
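The two alerts quoted at the top of the thread ("bad certificate", "unknown ca") are sent by the client and merely logged by Dovecot, so the useful checks are the ones a client performs: is the trust anchor present, does the name in the certificate match the host, and does the fingerprint the user is asked to accept match what the server really serves. The script below is an added example, not code from the thread or from the Dovecot project. It builds a self-signed certificate the way the thread's generate-cert.sh does but adds a subjectAltName (current clients match the hostname against it rather than the CN), then reproduces both the trusted and the untrusted verification outcome with `openssl verify`. It assumes only a working `openssl` binary; the directory, hostnames and subject fields are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed server certificate with a
# subjectAltName, plus the checks a client makes against it.
# Assumes `openssl` is installed; all names below are placeholders.
set -e

# gen_selfsigned_cert DIR HOST
# Writes DIR/HOST.key, DIR/HOST.crt and DIR/HOST.pem (cert followed by key,
# the combined layout used by the thread's generate-cert.sh).
gen_selfsigned_cert() {
    dir="$1"; host="$2"
    # refuse to run without both arguments before touching the filesystem
    [ -n "$dir" ] && [ -n "$host" ] || return 2
    mkdir -p "$dir" && chmod 700 "$dir"
    # request template; subject values are placeholders
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = AT
L = Vienna
O = Example Org
CN = $host
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # one step: new RSA key, request, and self-signature (10 years)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" >/dev/null 2>&1
    cat "$dir/$host.crt" "$dir/$host.key" > "$dir/$host.pem"
    chmod 600 "$dir"/*
}

# cert_san CERTFILE: print the subjectAltName line, e.g. "DNS:imap.example.test"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_fingerprint CERTFILE: SHA-256 fingerprint a user can compare against the
# one a client shows when it asks whether to trust the certificate once
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_cert TRUSTFILE CERTFILE: succeed only if CERTFILE chains to a cert in
# TRUSTFILE. Trusting the cert itself models a client that imported it; trusting
# some other cert models the "unknown ca" alert seen in the Dovecot log.
verify_cert() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# show_server_cert HOST PORT: what a client actually receives on an
# implicit-TLS port such as 993/995/465 (needs network, so not tested here);
# compare the fingerprint with cert_fingerprint on the file Dovecot serves.
show_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -fingerprint -sha256
}
```

A name mismatch or a user declining the prompt typically shows up as "bad certificate", a missing trust anchor as "unknown ca"; both originate at the client, so `show_server_cert` against the live port is the quickest way to see whether the server presents the file you think it does.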