That is good to know. I was working on the wrong assumption, attempting to create a client certificate on the Windows/Thunderbird side.

I am using the SSL Certificate that comes with the distribution, so the conclusion is Thunderbird does not trust it.

I have this in my notes from ages ago, for generating my own self-signed certificate:

% openssl req -x509 -newkey rsa:4096 -sha256 -keyout openssl.key -out openssl.crt -days 600 -config san.cnf

See attached the 2 errors that I am getting, one is from the distribution cert.

Can a kind soul tell me the current way to do this in Linux?

Perhaps I should use a free service? Which?

TIA

Raymond


On 11/10/2020 2:20 PM, Aki Tuomi wrote:
On 10/11/2020 19:17 Raymond Herrera <raymond@forcewise.com> wrote:


This is a followup to my thread "Recommended Protocols?".
The error message is as follows:
 dovecot: imap-login: Disconnected: TLS: SSL_read() failed: SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 

I have selected both SSL/TLS and STARTTLS on the Thunderbird side, with identical results.

The first question that I have is this. Is there any way to know whether that error message comes from an attempt to read:
 
 (a) The server SSL certificate?
 (b) The client SSL certificate?
Please find attached 2 log files. I am essentially using the distribution files as they come from the box.

TIA


While a bit confusing, this actually means the client did not trust the server certificate. Usually because you forgot the chain certs from the cert file.

Aki
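
For the self-signed route asked about at the top of the thread, an added example (not written by anyone in the thread): it generates a server certificate whose subjectAltName carries the host name, then checks that the name and the private key match before the files go anywhere near the mail server. The host name mail.example.test, the file names, the unencrypted key (-nodes) and the use of -addext (OpenSSL 1.1.1 or later) in place of a san.cnf file are assumptions.

```shell
#!/usr/bin/env bash
# Added example: self-signed server certificate with a subjectAltName entry,
# followed by two sanity checks. Host name and file names are assumptions.

# make_cert DIR HOST: write DIR/server.key and DIR/server.crt for HOST.
make_cert() {
    dir=$1
    host=$2
    # -nodes leaves the key unencrypted so a daemon can load it unattended;
    # -addext supplies the SAN inline instead of through a config file.
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 600 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# cert_matches_host CERT HOST: succeed only if CERT is valid for HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q "does match certificate"
}

# key_matches_cert CERT KEY: succeed only if KEY is the private half of CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a scratch directory (constructed host name, not a real server).
DEMO_DIR=$(mktemp -d)
DEMO_HOST=mail.example.test
make_cert "$DEMO_DIR" "$DEMO_HOST"

if cert_matches_host "$DEMO_DIR/server.crt" "$DEMO_HOST"; then
    echo "name check: certificate covers $DEMO_HOST"
else
    echo "name check: certificate does NOT cover $DEMO_HOST"
fi

if key_matches_cert "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key"; then
    echo "key check: server.key belongs to server.crt"
else
    echo "key check: key and certificate do not belong together"
fi
```

A self-signed certificate passes both checks and is still rejected by a mail client until that client has been told to trust it; the host name used must be the one entered in the client's server settings.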