When I upgraded my debian-based imap server from squeeze to wheezy yesterday, SSL stopped working.
I am using a http://cacert.org-signed server certificate, and I am reusing the certificates that were used on the 1.x dovecot of debian squeeze.
My three MUAs that worked against the previous 1.x dovecot with the same certificate now fail in various ways.
Any hints and guesses as to how to debug this further will be highly appreciated. Even more appreciated will be pinpointing the issue. :-)
Here are the error messages from the MUAs:
- Opera 12.15 on Windows 7 just reports: "The connection with the IMAP server was unexpectedly interrupted."
- Emacs24 (with linked-in gnutls)/Ma Gnus 0.8 (Gnus git HEAD) on Windows 7 says "imap.mydomain.com certificate could not be verified."
- Emacs23/Ma Gnus 0.8 (also Gnus git HEAD) on debian testing (with Emacs23, gnutls-cli is run in a subprocess) says:
  "Opening connection to imap.mydomain.com via tls...
  Opening TLS connection to `imap.mydomain.com'...
  Opening TLS connection with `gnutls-cli --insecure -p 993 imap.mydomain.com'...done
  Opening TLS connection to `imap.mydomain.com'...done
  Unable to open server nnimap+privat due to: Process *nnimap* not running"
When I try running gnutls-cli from the command line of the debian testing machine (the same gnutls-cli that is used by the emacs23/gnus combo), it seems to connect ok (the transcript of that session is below).
The config for the SSL, from /etc/dovecot/conf.d/10-ssl.conf, is:

# SSL/TLS support: yes, no, required.
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert =

The access privileges of the files are:
-rw-r--r-- 1 root root 2077 Mar 27 12:45 /etc/ssl/certs/imap_mydomain_com.pem
-rw------- 1 root root 3243 Jul 12  2011 /etc/ssl/private/imap_mydomain_com.key
What follows is the transcript from the gnutls-cli session from a debian testing machine to the server (which seems to be working as far as I can tell...):
sb@edwards:~$ gnutls-cli -p 993 rainey.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'rainey.mydomain.com'...
Connecting to '212.110.185.190:993'...
Ephemeral Diffie-Hellman parameters
Using prime: 1024 bits
Secret key: 1023 bits
Peer's public key: 1023 bits
Certificate type: X.509
Got a certificate list of 1 certificates.
Certificate[0] info:
subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
The hostname in the certificate does NOT match 'rainey.mydomain.com'

sb@edwards:~$ gnutls-cli -p 993 imap.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'imap.mydomain.com'...
Connecting to '212.110.185.190:993'...
Ephemeral Diffie-Hellman parameters
Using prime: 1024 bits
Secret key: 1022 bits
Peer's public key: 1021 bits
Certificate type: X.509
Got a certificate list of 1 certificates.
Certificate[0] info:
subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
The hostname in the certificate matches 'imap.mydomain.com'.
Peer's certificate issuer is unknown
Peer's certificate is NOT trusted
Version: TLS1.2
Key Exchange: DHE-RSA
Cipher: AES-128-CBC
MAC: SHA1
Compression: NULL
Handshake was completed
Simple Client Mode:
- OK Waiting for authentication process to respond..
- Peer has closed the GnuTLS connection
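Added example for this thread, not code from the original post or from the Dovecot project: a small Python script that reads a gnutls-cli transcript like the one above and turns the handful of lines that matter (how many certificates the server sent, whether the hostname matched, whether the client could find the issuer, the DH parameter size) into concrete findings. A list of one certificate combined with "issuer is unknown" means the client never saw a path to a root it trusts: either the server's PEM holds only the leaf and not the issuing CA chain, or the client's trust store lacks that CA's root. The transcript embedded below is constructed to mirror the post's second run, using the post's placeholder hostname, IP and fingerprint; the finding names and the 2048-bit DH threshold are my own choices.

```python
"""Triage a gnutls-cli transcript for certificate-chain problems.

Added example; not code from the original post or the Dovecot project.
It parses the diagnostic lines gnutls-cli prints and maps them to the
actions that usually resolve each symptom.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, shaped like the post's second gnutls-cli run
# (placeholder hostname, IP and fingerprint copied from the post).
SAMPLE_TRANSCRIPT = """\
Resolving 'imap.mydomain.com'...
Connecting to '212.110.185.190:993'...
Ephemeral Diffie-Hellman parameters
Using prime: 1024 bits
Secret key: 1022 bits
Peer's public key: 1021 bits
Certificate type: X.509
Got a certificate list of 1 certificates.
Certificate[0] info:
subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
The hostname in the certificate matches 'imap.mydomain.com'.
Peer's certificate issuer is unknown
Peer's certificate is NOT trusted
Version: TLS1.2
Key Exchange: DHE-RSA
Cipher: AES-128-CBC
MAC: SHA1
Compression: NULL
Handshake was completed
"""


@dataclass
class Report:
    chain_length: Optional[int] = None      # certificates the server sent
    hostname_matches: Optional[bool] = None
    issuer_known: Optional[bool] = None     # False when gnutls-cli says "issuer is unknown"
    trusted: Optional[bool] = None
    handshake_completed: bool = False
    tls_version: Optional[str] = None
    dh_prime_bits: Optional[int] = None
    subject: Optional[str] = None
    issuer: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_transcript(text: str) -> Report:
    """Extract the verification facts gnutls-cli reports, line by line."""
    r = Report()
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()   # tolerate gnutls-cli's "- " prefixes
        if m := re.search(r"certificate list of (\d+) certificate", line):
            r.chain_length = int(m.group(1))
        elif m := re.search(r"Using prime: (\d+) bits", line):
            r.dh_prime_bits = int(m.group(1))
        elif m := re.search(r"subject `([^']*)', issuer `([^']*)'", line):
            r.subject, r.issuer = m.group(1), m.group(2)
        elif m := re.search(r"hostname in the certificate (matches|does NOT match)", line):
            r.hostname_matches = m.group(1) == "matches"
        elif "certificate issuer is unknown" in line:
            r.issuer_known = False
        elif m := re.search(r"Peer's certificate is (NOT )?trusted", line):
            r.trusted = m.group(1) is None
        elif m := re.match(r"Version: (\S+)", line):
            r.tls_version = m.group(1)
        elif "Handshake was completed" in line:
            r.handshake_completed = True
    r.findings = diagnose(r)
    return r


def diagnose(r: Report) -> List[str]:
    """Map parsed facts to findings; each starts with a stable code before ':'."""
    out = []
    if r.hostname_matches is False:
        out.append("hostname-mismatch: the name connected to is not in the certificate; "
                   "connect using the certified name or reissue with that name in subject/SAN")
    if r.chain_length == 1 and r.issuer_known is False:
        out.append("incomplete-chain: server sent only the leaf and the client could not find "
                   "its issuer; append the issuing CA certificate(s) after the leaf in the "
                   "server's PEM file, or install the CA root in the client's trust store")
    elif r.chain_length and r.chain_length > 1 and r.trusted is False:
        out.append("untrusted-root: a chain was sent but its root is not in the client's trust store")
    if r.dh_prime_bits is not None and r.dh_prime_bits < 2048:   # threshold is my assumption
        out.append(f"weak-dh: {r.dh_prime_bits}-bit DH parameters; current clients reject these, "
                   "regenerate parameters of at least 2048 bits on the server")
    if not r.handshake_completed:
        out.append("handshake-failed: no TLS session was established")
    return out


if __name__ == "__main__":
    report = parse_transcript(SAMPLE_TRANSCRIPT)
    print(f"{report.tls_version}: {report.chain_length} cert(s) from {report.subject!r}")
    for finding in report.findings:
        print(" *", finding)
```

Feed it a transcript captured with `gnutls-cli -p 993 <host>` (via a file or a pipe) rather than the embedded sample to triage a live server; the first run in the post, connecting as rainey.mydomain.com, would additionally raise the hostname-mismatch finding.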