[Dovecot] SSL stops working after server upgrade
Hello, after an upgrade of the dovecot server, I can not use SSL connections. Can you help me solve the issue? When googling for the error, there is an opinion that the client is broken (in my case Thunderbird, 3.1.3), but I rather see the issue in the server, because I was upgrading my gentoo box by hand, and the secure imap stopped working after that. Is there a more verbose SSL logging than the default verbose_ssl = yes? Its output is attached below. Also, maybe only a configuration detail is missing, since with this version of dovecot, the configuration files were broken into several smaller files, but at first look they contained the options I had used before.
Thanks.
Sep 16 23:12:25 [dovecot] master: Dovecot v2.0.2 starting up (core dumps disabled)
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.77.202]
Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.77.202]
- Last output repeated twice -
Sep 16 23:12:30 [dovecot] imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [192.168.77.202]
Sep 16 23:12:30 [dovecot] imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.77.202]
Sep 16 23:12:30 [dovecot] imap-login: Disconnected (no auth attempts): rip=192.168.77.202, lip=192.168.77.201, mpid=0, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42
On 16.9.2010, at 22.20, Ing. Daniel Rozsnyó wrote:
Sep 16 23:12:30 [dovecot] imap-login: Disconnected (no auth attempts): rip=192.168.77.202, lip=192.168.77.201, mpid=0, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42
My guess: The upgrade changed/broke Dovecot's SSL certificates. doveconf -n output would have been useful.
On 16. 9. 2010 23:48, Timo Sirainen wrote:
On 16.9.2010, at 22.20, Ing. Daniel Rozsnyó wrote:
Sep 16 23:12:30 [dovecot] imap-login: Disconnected (no auth attempts): rip=192.168.77.202, lip=192.168.77.201, mpid=0, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42

My guess: The upgrade changed/broke Dovecot's SSL certificates. doveconf -n output would have been useful.
The first line is temporary, for accessing emails on :143 (it's over VPN so still secure).
~ $ dovecot -n
# 2.0.2: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35-gentoo-r6 i686 Gentoo Base System release 2.0.1
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/.maildir
passdb {
  args = *
  driver = pam
}
protocols = imap
ssl_cert =
The files which are referred in SSL are:
-r-------- 1 root root  887 Nov 11  2009 server.key
-r-------- 1 root root 1930 Nov 11  2009 server.pem
The KEY contains an RSA private key and the PEM is a private key + certificate (no DH). These are the files which were used before and they have worked.
Trying to change their owner/group to dovecot:dovecot does not help, the same error occurs. Renaming them or breaking the filenames in ssl_cert/ssl_key results in a different error:
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_cert: Can't open file /etc/ssl/dovecot/server.pem: No such file or directory
That's all. Other ideas? Regenerate the SSL key/certificate? Try another client?
Daniel
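The verbose_ssl trace in the first message can be read mechanically instead of by eye. The script below is an added example, not part of this thread and not Dovecot code: it parses the imap-login lines, decodes the OpenSSL info-callback "where" bitmask that Dovecot logs raw (0x2001 = SSL_CB_LOOP in the accept state, 0x2002 = SSL_CB_EXIT, 0x4004 = SSL_CB_ALERT|SSL_CB_READ, i.e. an alert the server received), and unpacks the alert value ret=554 = 0x022A into level 2 (fatal) and description 42 (bad_certificate, RFC 5246 section 7.2). The constant names and values are OpenSSL's from <openssl/ssl.h>; the sample log lines are the ones quoted above, with a few of the intermediate states dropped. The output field names (role, last_state, verdict) are this example's own choice.

```python
"""Decode Dovecot verbose_ssl handshake log lines into a diagnosis.

Added example (not Dovecot code).  Flag values are OpenSSL's SSL_CB_* /
SSL_ST_* constants from <openssl/ssl.h>, which Dovecot logs raw as "where=";
alert numbers are the TLS AlertDescription values from RFC 5246, 7.2.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE = 0x01, 0x02, 0x04, 0x08
SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE = 0x10, 0x20
SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_CB_ALERT = 0x1000, 0x2000, 0x4000

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
# Alerts a peer sends when it does not accept the certificate it was shown.
CERT_REJECTION = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
                  "certificate_expired", "certificate_unknown", "unknown_ca"}

# Matches "SSL: where=0x2001, ret=1: <state> [ip]" as well as the
# "SSL alert:" and "SSL failed:" variants (the latter carries no ret=).
LINE_RE = re.compile(
    r"SSL(?: alert| failed)?: where=0x(?P<where>[0-9a-fA-F]+)"
    r"(?:, ret=(?P<ret>-?\d+))?: (?P<state>.*?) \[(?P<ip>[^\]]+)\]\s*$"
)


@dataclass
class Event:
    where: int
    ret: Optional[int]
    state: str
    ip: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.search(line)
    if not m:
        return None  # master/auth/disconnect lines are not handshake events
    ret = m.group("ret")
    return Event(int(m.group("where"), 16), None if ret is None else int(ret),
                 m.group("state"), m.group("ip"))


def decode_alert(ret: int) -> tuple:
    """For SSL_CB_*_ALERT callbacks, ret is (AlertLevel << 8) | AlertDescription."""
    level, desc = ret >> 8, ret & 0xFF
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}"))


def alert_direction(where: int) -> Optional[str]:
    """SSL_CB_READ_ALERT (0x4004): we received it; SSL_CB_WRITE_ALERT (0x4008): we sent it."""
    if not where & SSL_CB_ALERT:
        return None
    return "received" if where & SSL_CB_READ else "sent"


def diagnose(log_lines: List[str]) -> Dict[str, object]:
    events = [e for e in map(parse_line, log_lines) if e is not None]
    # SSL_ST_ACCEPT in the state bits means this side is the TLS server.
    role = "server" if any(e.where & SSL_ST_ACCEPT for e in events) else "client"
    last_state: Optional[str] = None
    for e in events:
        if e.where & SSL_CB_ALERT and e.ret is not None:
            level, desc = decode_alert(e.ret)
            direction = alert_direction(e.where)
            if desc in CERT_REJECTION and direction == "received":
                verdict = (f"peer rejected the certificate this {role} presented "
                           f"({desc}); fix the {role}'s certificate/key, not the peer")
            elif desc in CERT_REJECTION:
                verdict = f"this {role} rejected the peer's certificate ({desc})"
            else:
                verdict = f"{level} {desc} alert {direction} after '{last_state}'"
            return {"role": role, "last_state": last_state, "alert": (level, desc),
                    "direction": direction, "peer": e.ip, "verdict": verdict}
        if e.where & (SSL_CB_LOOP | SSL_CB_EXIT):
            last_state = e.state  # remember the last handshake step before the alert
    return {"role": role, "last_state": last_state, "alert": None,
            "direction": None, "peer": None, "verdict": "no alert in trace"}


# Constructed sample: lines quoted in the first message of this thread.
SAMPLE_LOG = [
    "Sep 16 23:12:25 [dovecot] master: Dovecot v2.0.2 starting up (core dumps disabled)",
    "Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.77.202]",
    "Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.77.202]",
    "Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.77.202]",
    "Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.77.202]",
    "Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.77.202]",
    "Sep 16 23:12:29 [dovecot] imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.77.202]",
    "Sep 16 23:12:30 [dovecot] imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [192.168.77.202]",
    "Sep 16 23:12:30 [dovecot] imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.77.202]",
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key:>10}: {value}")
```

Run against the trace above it reports role=server, last_state "SSLv3 read client certificate A", a fatal bad_certificate alert that was received, and the verdict that the peer rejected the certificate the server presented. That is the same conclusion Timo reached from the "SSL alert number 42" line: Thunderbird is objecting to what Dovecot now serves, so the next step is to look at the server's certificate rather than the client. Connecting with `openssl s_client -connect host:993 -showcerts` shows exactly which certificate the running Dovecot hands out, and `openssl x509 -in server.pem -noout -subject -dates` shows what the file on disk contains, so the two can be compared.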
participants (2):
- "Ing. Daniel Rozsnyó"
- Timo Sirainen