On 2013-02-22 17:02, Daniel Luttermann wrote:
> On 2013-02-22, Matthias Leopold wrote:
>> with thunderbird 10.0.12 i can't connect to port 993 and get errors in the logs like
>> TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> (certificate generated by dovecot mkcert.sh)
>> or
>> TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> (certificate generated by own openssl cmdline)
>
> Did you create a Root CA certificate? If not, I would prefer to create your own CA and sign all certs with this Root CA certificate. You'll have to import the created Root CA certificate in Thunderbird and/or the Microsoft Certificate Store so that the applications can trust the self signed certificates.
> You could also use a free Certificate Authority like StartSSL but the Root CA certificate must also be available in the certificate store of the application (Thunderbird, MS, Opera...).
> -- Daniel
thx, but this is not an option as this server is used by our customers who won't be willing to import this CA certificate. i know about the limitations of self signed certificates and i think it's ok for a user to import an "unsecure" certificate once. after all this does work for starttls and works for some clients with imaps. i didn't find any hint that i can't use self signed certificates for imaps/pops
matthias
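
Added example, not part of the thread and not Dovecot or OpenSSL code: a small decoder for the two error codes quoted in the logs above. It assumes the packed error layout of OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason) and shows that both codes are TLS alerts received from the peer, meaning the connecting client rejected the server certificate; the function and table names are made up for illustration.

```python
import re

# TLS alert descriptions that concern certificates (RFC 5246, section 7.2).
TLS_CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERR_LIB_SSL = 20             # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # a received alert N is reported as reason 1000 + N

ERROR_CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# The two log lines quoted in the thread.
LOG_LINES = [
    "TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]


def decode_peer_alert(line):
    """Return the certificate alert a peer sent, decoded from a log line, or None."""
    match = ERROR_CODE_RE.search(line)
    if match is None:
        return None
    code = int(match.group(1), 16)
    # Pre-3.0 packing: library in bits 24-31, function in 12-23, reason in 0-11.
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET
    if lib != ERR_LIB_SSL or alert not in TLS_CERT_ALERTS:
        return None  # not an SSL-library error, or not a certificate alert
    return {"lib": lib, "func": func, "alert": alert, "name": TLS_CERT_ALERTS[alert]}


if __name__ == "__main__":
    for log_line in LOG_LINES:
        info = decode_peer_alert(log_line)
        print(f"alert {info['alert']} ({info['name']}) received from the client")
```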