[Dovecot] help debugging TLS
hi,
I've built the latest Dovecot CVS on OS X 10.4.7. I'm making a first attempt at trying/failing to get TLS operation up and running ...
my install's OK:
Install prefix ...................... : /usr/local/dovecot
File offsets ........................ : 64bit
I/O loop method ..................... : poll
File change notification method ..... : kqueue
Building with SSL support ........... : yes (OpenSSL)
Building with IPv6 support .......... : no
Building with pop3 server ........... : yes
Building with mail delivery agent .. : yes
Building with GSSAPI support ........ : no
Building with user database modules . : static prefetch passwd passwd-file checkpassword sql (modules)
Building with password lookup modules : passwd passwd-file pam checkpassword sql (modules)
Building with SQL drivers ............: mysql
NOTE: This is the UNSTABLE development branch of Dovecot.
You may want to change into the stabilizing branch:
cvs up -r branch_1_0
I've config'd for SSL/TLS with:
...
listen = 10.0.0.6
ssl_listen = 10.0.0.6
ssl_disable = no
verbose_ssl = yes
auth_verbose = yes
auth_debug = yes
disable_plaintext_auth = no
ssl_cert_file = /var/MailServer/Data/CERTS/mail.testdomain.com.cert.rsa.pem
ssl_key_file = /var/MailServer/Data/CERTS/mail.testdomain.com.privkey.rsa.pem
ssl_ca_file = /var/MailServer/Data/CERTS/main.CA.cert.rsa.pem
ssl_verify_client_cert = no
ssl_parameters_regenerate = 24
ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
17 ...
after launch:
% ps -ax | grep -i dovecot
14034 ?? Ss 0:11.61 /usr/local/dovecot/sbin/dovecot -c /var/MailServer/Conf/Dovecot/dovecot.conf
14035 ?? S 0:17.00 dovecot-auth
On a test via telnet, I see:
% telnet 10.0.0.6 143
Trying 10.0.0.6...
Connected to mail.testdomain.com.
Escape character is '^]'.
* OK mail.testdomain.com Dovecot IMAP4 v1.0cvs server ready
1 capability
* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
1 OK Capability completed.
...
But a test with:
% openssl s_client -connect 10.0.0.6:143
fails and reports, simply:
CONNECTED(00000003)
14282:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
I'm migrating from Cyrus, where this simple testing returns correctly without error.
Unclear, atm, whether there's something in Dovecot, or in my testing, not working ...
Suggestions?
thanks,
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
On Aug 16, 2006, at 9:29 AM, Richard wrote:
> hi,
> I've built the latest Dovecot CVS on OS X 10.4.7. I'm making a first
> attempt at trying/failing to get TLS operation up and running ...
<snip>
> I've config'd for SSL/TLS with:
>
> ...
> listen = 10.0.0.6
> ssl_listen = 10.0.0.6
> ssl_disable = no
>
> verbose_ssl = yes
> auth_verbose = yes
> auth_debug = yes
>
> disable_plaintext_auth = no
>
> ssl_cert_file = /var/MailServer/Data/CERTS/mail.testdomain.com.cert.rsa.pem
> ssl_key_file = /var/MailServer/Data/CERTS/mail.testdomain.com.privkey.rsa.pem
> ssl_ca_file = /var/MailServer/Data/CERTS/main.CA.cert.rsa.pem
>
> ssl_verify_client_cert = no
> ssl_parameters_regenerate = 24
> ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> 17 ...
>
> On a test via telnet, I see:
> % telnet 10.0.0.6 143
> Trying 10.0.0.6...
> Connected to mail.testdomain.com.
> Escape character is '^]'.
> * OK mail.testdomain.com Dovecot IMAP4 v1.0cvs server ready
> 1 capability
> * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
> 1 OK Capability completed.
> ...
>
> But a test with:
> % openssl s_client -connect 10.0.0.6:143
On port 143 you have an IMAP with STARTTLS, i.e. plaintext until STARTTLS has been issued. Unfortunately openssl s_client (not mine at least) doesn't support imap (only smtp and pop3), but for smtp I would use something like this:
openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25
You should have an IMAP with SSL/TLS on port 993, however.
/Thorbjorn
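An added example (not code from this thread, from Dovecot or from OpenSSL) of doing the IMAP STARTTLS step that Thorbjorn's s_client could not do, using only Python's standard library: read the plaintext greeting on port 143, confirm that CAPABILITY advertises STARTTLS, send the command, and only then upgrade the socket with `ssl`. The host name, port and `cafile` argument are assumptions; the CAPABILITY line exercised by the helper functions is the one from the telnet test above.

```python
"""Minimal IMAP STARTTLS probe (added example; not from the thread or Dovecot).

Port 143 speaks plaintext IMAP until the client sends STARTTLS, so a raw
TLS ClientHello there is answered with a plaintext greeting and the client
reports "unknown protocol". This probe does the IMAP side by hand and then
upgrades the same socket to TLS. Host/port are assumptions (argv overrides).
"""
import re
import socket
import ssl

# Tagged IMAP reply: "<tag> OK|NO|BAD <text>"
TAGGED_RE = re.compile(r"^(\S+)\s+(OK|NO|BAD)\b\s*(.*)$", re.IGNORECASE)


def has_starttls(capability_line: str) -> bool:
    """True when an untagged CAPABILITY response lists STARTTLS."""
    tokens = capability_line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        return False
    return any(t.upper() == "STARTTLS" for t in tokens[2:])


def parse_tagged(line: str, tag: str):
    """Return (status, text) if `line` is the tagged reply for `tag`, else None."""
    m = TAGGED_RE.match(line.strip())
    if not m or m.group(1) != tag:
        return None
    return m.group(2).upper(), m.group(3)


def recv_line(sock) -> str:
    """Read one CRLF-terminated line one byte at a time, so nothing past the
    tagged STARTTLS reply is consumed before the socket is upgraded."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def wait_for_tag(sock, tag: str, collect_prefix: str = ""):
    """Read until the reply tagged `tag`; also return untagged lines starting
    with `collect_prefix` (e.g. "* CAPABILITY") seen on the way."""
    collected = []
    while True:
        line = recv_line(sock)
        if collect_prefix and line.startswith(collect_prefix):
            collected.append(line)
        resp = parse_tagged(line, tag)
        if resp:
            return resp, collected


def imap_starttls(host: str, port: int = 143, cafile=None, timeout: float = 10.0) -> dict:
    """Connect in plaintext, STARTTLS, and report what the TLS layer negotiated.

    cafile: PEM file holding the private CA (the thread's ssl_ca_file) so the
    chain verifies; without it a self-signed chain fails here just as in s_client.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = recv_line(sock)
        if not greeting.startswith("* OK"):
            raise RuntimeError(f"unexpected greeting: {greeting}")
        sock.sendall(b"a1 CAPABILITY\r\n")
        (status, _), caps = wait_for_tag(sock, "a1", "* CAPABILITY")
        if status != "OK" or not caps or not has_starttls(caps[-1]):
            raise RuntimeError("STARTTLS not offered on this port; use implicit TLS on 993 instead")
        sock.sendall(b"a2 STARTTLS\r\n")
        (status, text), _ = wait_for_tag(sock, "a2")
        if status != "OK":
            raise RuntimeError(f"STARTTLS refused: {text}")
        # From here on the same TCP connection carries TLS.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"a3 CAPABILITY\r\n")
            _, caps_tls = wait_for_tag(tls, "a3", "* CAPABILITY")
            tls.sendall(b"a4 LOGOUT\r\n")
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                # A server should stop advertising STARTTLS once TLS is up.
                "starttls_still_advertised": bool(caps_tls) and has_starttls(caps_tls[-1]),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.testdomain.com"  # assumption
    print(imap_starttls(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python3 probe.py mail.example.org /path/to/ca.pem`; with the private CA passed as `cafile` the chain verifies, and a raised `SSLCertVerificationError` corresponds to s_client's non-zero verify return code. Reading one byte at a time is deliberate: a buffered reader could swallow the first TLS record if the server were to pipeline, and the probe is not performance-sensitive.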
hi Thorbjorn,
> On port 143 you have an IMAP with STARTTLS, i.e. plaintext until STARTTLS has been issued. Unfortunately openssl s_client (not mine at least) doesn't support imap (only smtp and pop3), but for smtp I would use something like this
I honestly did not realize that IMAP was not supported! But you are absolutely correct:
-starttls prot - use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently, only "smtp" and "pop3" are supported.
thanks for the heads-up.
> You should have an IMAP with SSL/TLS on port 993, however.
And, checking:
% openssl s_client -connect 10.0.0.6:993
CONNECTED(00000003)
depth=1 /C=US/ST= (blah blah)
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=mail.testdomain.com
   i:/C=US/ST= (blah blah)
 1 s:/C=US/ST= (blah blah)
   i:/C=US/ST= (blah blah)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEw...xjEQ/g9v
-----END CERTIFICATE-----
subject=/CN=mail.testdomain.com
issuer=/C=US/ST= (blah blah)
---
No client certificate CA names sent
---
SSL handshake has read 3263 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 86A0...AE9CD
    Session-ID-ctx:
    Master-Key: 5475...23E48
    Key-Arg   : None
    Start Time: 1155742073
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK mail.testdomain.com Dovecot IMAP4 v1.0 server ready
which, except for that "verify error" (which I'll straighten out here in a bit ...), seems to be exactly what I'd expect.
thanks!
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
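An added example (not code from the thread) that turns the two `openssl s_client` transcripts in this thread into a checklist: it parses the handshake summary for protocol, cipher, key size and verify return code, recognises the port-143 "unknown protocol" failure as a plaintext answer rather than a TLS problem, and flags verify code 19 as a chain the client has no trust anchor for, which is the case for passing the private CA with `-CAfile` and re-testing. The two transcripts embedded below are constructed from the shape of the output shown in this thread, with the certificate subjects shortened.

```python
"""Summarise an `openssl s_client` transcript (added example, not from the thread).

Feed it the text s_client prints (e.g. via `openssl s_client ... < /dev/null 2>&1`)
and it reports the facts worth checking after a TLS test of a mail server.
Sample transcripts are constructed; subject names are placeholders.
"""
import re

# Constructed: shape of the successful port-993 test from the thread.
SAMPLE_OK = """CONNECTED(00000003)
depth=1 /C=US/ST=XX/O=Example CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=mail.testdomain.com
   i:/C=US/ST=XX/O=Example CA
 1 s:/C=US/ST=XX/O=Example CA
   i:/C=US/ST=XX/O=Example CA
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK mail.testdomain.com Dovecot IMAP4 v1.0 server ready
"""

# Constructed: shape of the failed port-143 test (TLS spoken to a plaintext port).
SAMPLE_FAIL = """CONNECTED(00000003)
14282:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
"""


def parse_s_client(text: str) -> dict:
    """Extract protocol, cipher, key size, verify code, chain subjects and greeting."""
    info = {"protocol": None, "cipher": None, "key_bits": None, "verify_code": None,
            "verify_text": None, "chain": [], "greeting": None, "error": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Protocol\s*:\s*(\S+)", line):
            info["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", line):
            info["cipher"] = m.group(1)
        elif m := re.match(r"Server public key is (\d+) bit", line):
            info["key_bits"] = int(m.group(1))
        elif m := re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line):
            info["verify_code"] = int(m.group(1))
            info["verify_text"] = m.group(2)
        elif m := re.match(r"(\d+)\s+s:(.*)", line):
            info["chain"].append(m.group(2))
        elif m := re.search(r":SSL routines:[^:]+:([^:]+):", line):
            info["error"] = m.group(1)
        elif line.startswith("* OK"):
            info["greeting"] = line
    return info


def assess(info: dict) -> list:
    """Turn the parsed facts into findings an administrator can act on."""
    findings = []
    if info["error"] == "unknown protocol":
        findings.append("server answered in plaintext: this is a STARTTLS port, not an "
                        "implicit-TLS port; test with -starttls or use port 993")
        return findings
    if info["verify_code"] is None:
        findings.append("no handshake summary found; the connection failed before TLS completed")
        return findings
    if info["verify_code"] != 0:
        findings.append(f"chain not trusted by the client: code {info['verify_code']} "
                        f"({info['verify_text']}); for a private CA pass it with -CAfile and re-test")
    if info["cipher"] and info["cipher"].startswith(("DHE-", "ECDHE-")):
        findings.append(f"cipher {info['cipher']} provides forward secrecy")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"server key is only {info['key_bits']} bits")
    if info["greeting"] is None:
        findings.append("no IMAP greeting received inside TLS")
    return findings


if __name__ == "__main__":
    import sys
    for finding in assess(parse_s_client(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK)):
        print("-", finding)
```

The parser deliberately keys on the `SSL-Session:` lines (`Protocol  :`, `Cipher    :`) rather than the `New, TLSv1/SSLv3, Cipher is ...` line, because the former have kept the same layout across OpenSSL releases; the chain and greeting lines are read so that a transcript ending without `* OK` is reported as a TLS layer that came up but no IMAP behind it.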
participants (2)
-
Richard
-
Thorbjorn Axelsson