29 Jun
2019
29 Jun
'19
1:11 p.m.
On 11.01.2018 13:20, Hauke Fath wrote:
>/On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: />>/Was the certificate path bundled in the server certificate? />/No, as a separate file, provided from the local (intermediate) CA: />//>/ssl_cert = </etc/openssl/certs/server.cert />/ssl_key = </etc/openssl/private/server.key />/ssl_ca = </etc/openssl/certs/ca-cert-chain.pem />//>/Worked fine with 2.2.x, 2.3 gives />//>/% openssl s_client -connect XXX:993 />/CONNECTED(00000006) />/depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische
Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify error:num=20:unable to get local issuer certificate />/verify return:1 />/depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische
Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify error:num=21:unable to verify the first certificate />/verify return:1 />/--- />/Certificate chain />/0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de />/i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
<https://dovecot.org/mailman/listinfo/dovecot> />/--- />/Server certificate />/-----BEGIN CERTIFICATE----- />/[...] />/% />//
Seems we might've made a unexpected change here when we revamped the ssl
code. Can you try if it works if you concatenate the cert and cert-chain
to single file? We'll start looking if this is misunderstanding or bug.
Aki
I have the CA cert concatenated with the actual cert (one file).
Code: # openssl s_client -showcerts -connect some.server.host:587 CONNECTED(00000003) depth=1 C = US, ST = State, L = Town, O = Company Name, OU = CERTIFICATION AUTHORITY, CN = CA Company Name, emailAddress = XXX@XXXX verify error:num=19:self signed certificate in certificate chain
Certificate chain 0 s:/C=US/ST=State/L=Town/O=Company Name/OU=IT Department/CN=some.server.host/emailAddress=XXX@XXXX i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX@XXXX -----BEGIN CERTIFICATE----- MIIGUzCCBDsCCQC0iFO/81SS6DANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMC SEsxDjAMBgNVBAgMBUhLU0FSMRAwDgYDVQQHDAdDZW50cmFsMRYwFAYDVQQKDA1D b2xvc3NhbCBNaW5kMSAwHgYDVQQLDBdDRVJUSUZJQ0FUSU9OIEFVVEhPUklUWTEZ MBcGA1UEAwwQQ0EgQ29sb3NzYWwgTWluZDEqMCgGCSqGSIb3DQEJARYbcGV0ZXIu a2FobEBjb2xvc3NhbG1pbmQuY29tMB4XDTE5MDYyOTA1MzA0NloXDTI0MDYyOTA1 MzA0NlowgaUxCzAJBgNVBAYTAkhLMQ4wDAYDVQQIDAVIS1NBUjEQMA4GA1UEBwwH Q2VudHJhbDEWMBQGA1UECgwNQ29sb3NzYWwgTWluZDEWMBQGA1UECwwNSVQgRGVw ........... B9Kuzi4+x3+3W/Hpzup+cGu/Rm3BrZ9EQuLU0l8/51o5++VJ0eYjO8sXmnf/OD9g m4SHlaIv1I9iF6xDbFSqVDhoyXZfci+Fp9Yg8IfdnRPuyhm+A9n80IpOVptMkHgH 5WHuteE3p7ZWz0sCHXihbt6P03Sp8VrN8TzBkRVDaGMMEErXq17dbX6FAWzcwreA I9MyC457hKbNvkRuMWyYTuTWXXAA15sCyyLsG6LuOuH0nexW7NdwipKzNq6QAtqT Evt/+OmEhVrQFllEeW9KT2AKab8FA4/F4SHBl8J1JMeZ+jgJ9DWeRYgUUGzj82bu 7nI27hEgpmT3Oz2a5WGbHRl7ryTNcPkYx1UOo1/7dIN8dZDRxdK31ZcXhwfRs/bu YBt/NGRaiAv5+RsA+qytjmgLZyTWjyAeKSHsL+OU4R5IvrLOpl6O -----END CERTIFICATE----- 1 s:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX@XXXX i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX@XXXX -----BEGIN CERTIFICATE----- MIIF3jCCA8YCCQDf2f6HjwgkqTANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMC SEsxDjAMBgNVBAgMBUhLU0FSMRAwDgYDVQQHDAdDZW50cmFsMRYwFAYDVQQKDA1D b2xvc3NhbCBNaW5kMSAwHgYDVQQLDBdDRVJUSUZJQ0FUSU9OIEFVVEhPUklUWTEZ MBcGA1UEAwwQQ0EgQ29sb3NzYWwgTWluZDEqMCgGCSqGSIb3DQEJARYbcGV0ZXIu a2FobEBjb2xvc3NhbG1pbmQuY29tMB4XDTE1MDYxNDA0MDA1OVoXDTI1MDYxMTA0 MDA1OVowgbAxCzAJBgNVBAYTAkhLMQ4wDAYDVQQIDAVIS1NBUjEQMA4GA1UEBwwH Q2VudHJhbDEWMBQGA1UECgwNQ29sb3NzYWwgTWluZDEgMB4GA1UECwwXQ0VSVElG ................ riwfRMSnfXTQWtv1pkV+vGk02tuZQSatY6v18Uw0EdeuwfrV8n4WBYXCbzDQoQsa Jipzub5H/5u8nIIUFPFeTeqnaRihjFJfFQkTH8lteVkq0ctRHVF4Il0OfigW4Q0j CJ/jcarQ5gQa8l1SOZIj1OqwEYaLeruc7U6gn+PEZPhxw0jPJBCjo3eBI4sIpWOe JpB0S1JHhzFLnyZTQmat0qDxbmWW/PqYj8TAGskBTh+OVdqvxXVbNVv9pUtVV/oy x8l7mOfPWYQlbhD+b7Rk2Qc+o6ohL5XXCm66vJoMbD86eaMegtcLrq7eG03I8EfO F8seAmJ4aQ89dlFvcbLwdhYoDq02BtcoCLkSQlRTng3pdMuITdSoTczbusmPlvI6 dOw+FBqbIL+bAGHdUrQJJgZ5MhbN6V+a/Ntkn7ByaYRPO0yAJ0DrytkGR6tCzNLs egZqM8EcD56riKdlGv2OSe2+ -----END CERTIFICATE-----
Server certificate subject=/C=US/ST=State/L=Town/O=Company Name/OU=IT Department/CN=some.server.host/emailAddress=XXX@XXXX issuer=/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX@XXXX
No client certificate CA names sent Peer signing digest: SHA256 Server Temp Key: X25519, 253 bits
SSL handshake has read 4074 bytes and written 373 bytes Verification error: self signed certificate in certificate chain
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 5120 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: Session-ID-ctx: Resumption PSK: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1561802629 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no Max Early Data: 0
- OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot.
I confirm the same problem described by *Hauke Fath* on 11 Jan 2018. Mozilla Thunderbird connects fine but iOS Mail does not.
Dovecot log: 1561801584 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: Connection closed 1561801592 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
Kind regards, Peter