On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
On 10/10/2013 06:09, Eliezer Croitoru wrote:
I would imaging that 4k bits certificate handshake and validation can take more then 1 sec.. Am I right about it?
hardly
and the size is not his problem.
he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
I would like to investigate that more if you like. Others have experienced problem connected to my test server. I can't believe I've created a non-functional Dovecot configuration.
One avenue I will purse: if I swap from 4096 to 2048, why does it work?
Here is a connection with a 4096 cert:
$ openssl s_ s_client -connect imaps.unixathome.org:993 CONNECTED(00000003) depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0
Certificate chain 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Here is it with a 2048 cert:
$ openssl s_client -connect imaps.unixathome.org:993 CONNECTED(00000003) depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0
Certificate chain 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmaster@langille.org i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
The only thing I change in the configuration is:
# MY KEYS #ssl_cert = </usr/local/etc/ssl/dovecot.pem #ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
# My 2048 key ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
Current configuration is:
# doveconf -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
args = scheme=SHA512-CRYPT /var/db/dovecot.users
driver = passwd-file
}
protocols = imap
service imap-login {
inet_listener imap {
address = 199.233.228.197
}
inet_listener imaps {
address = 199.233.228.197
}
}
ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
userdb {
args = /var/db/dovecot.users
driver = passwd-file
}
verbose_proctitle = yes
-- Dan Langille - http://langille.org