[dovecot] Something wrong in SSL ?
Operating system: FreeBSD 4.7-RELEASE-p10 Dovecot: 0.99.8.1
I've used openssl to generate personal CA and I've used that one to generate certificate for my web server. When I tried to go through same pattern for generating certificate for IMAP server from CA, I ended up in situation, where both mutt and evolution keep on rejecting my certificates.
On Fri, 2003-04-11 at 09:41, Juha Ylitalo wrote:
If I try same openssl s_client command on my web server, it gets everything correctly. As result from this one, I've even tried to use certificate from my web server with IMAP and even then openssl keeps on saying that there is bad record mac.
Is this bug in dovecot's SSL handling or have I managed to mess something in my setup?
Did you compile Dovecot with GNUTLS or OpenSSL? If GNUTLS, maybe there's some problems with it. If OpenSSL .. well, I don't know really. I don't have any problems with mutt, Evolution, Outlook or OE at least.
On Sat, 2003-04-12 at 18:14, ext Timo Sirainen wrote:
On Fri, 2003-04-11 at 09:41, Juha Ylitalo wrote:
If I try same openssl s_client command on my web server, it gets everything correctly. As result from this one, I've even tried to use certificate from my web server with IMAP and even then openssl keeps on saying that there is bad record mac.
Is this bug in dovecot's SSL handling or have I managed to mess something in my setup?
Did you compile Dovecot with GNUTLS or OpenSSL? If GNUTLS, maybe there's some problems with it. If OpenSSL .. well, I don't know really. I don't have any problems with mutt, Evolution, Outlook or OE at least.
Its compiled with openssl, since that is default option for dovecot in FreeBSD ports (and since openssl is pretty much in all Linux/BSD boxes it would be silly to use something else on those). Here is more concrete example on how things go wrong. This test is based on instructions in http://mutt.sourceforge.net/imap/README.SSL and I will first demonstrate how it works with Apache (which workds beatifully) and then with imap (which doesn't work): ######## ### WITH HTTPS ######## bash-2.05a$ openssl s_client -host localhost -port 443 -verify -debug 2>&1 > https.log verify depth is 0 depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net verify error:num=21:unable to verify the first certificate verify return:1 ^]close ######## ### WITH IMAPS ######## bash-2.05a$ openssl s_client -host localhost -port 993 -verify -debug 2>&1 > imaps.log verify depth is 0 depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net verify error:num=21:unable to verify the first certificate verify return:1 66460:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s3_pkt.c:1046:SSL alert number 20 66460:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s23_lib.c:226: bash-2.05a$
-- Juha Ylitalo juha.o.ylitalo@nokia.com <work e-mail> +358 40 562 6152 http://linux.nokia.com/~jylitalo/ <work www>
participants (2)
-
Juha Ylitalo
-
Timo Sirainen