[Dovecot] using signed certificates for TLS/SSL
Hi,
I have, at one customer, a web server running on a Verisign-signed SSL certificate. Everything works fine; IE and Firefox connect on https without asking anything, which usually happens with self-signed certificates. I'm trying to use that certificate on Dovecot, but clients (Thunderbird basically) keep saying the certificate is not valid.
Yes, I'm using, when configuring Thunderbird, the same CN that was signed by Verisign for web usage.
I've enabled verbose_ssl and got this when Thunderbird tries to connect:
Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Unknown CA??? Is it Thunderbird that is not recognizing the Verisign-signed certificate? Do I need to, somehow, install some Verisign CA certificate in dovecot.conf?
When using a self-signed certificate, I also get an SSL_accept failed, but with a different message:
Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Despite the fact that my certificates were generated for use with Apache, I can 'print' them, both of them, with the same commands I use to print Dovecot-generated certificates, with mkcert.sh. So it seems they are compatible.
If I click OK in Thunderbird, when using my Verisign-signed certificates, everything works and I do get TLS logs:
Feb 18 12:23:36 correio dovecot: imap-login: Login: user=<user@domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 18 12:31:43 correio dovecot: imap-login: Login: user=<user@domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
What am I doing wrong?? Or is using a signed certificate for WEB usage not possible on Dovecot?
--
Best regards / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
On Thursday 18 February 2010 14:47:03, Leonardo Rodrigues wrote:
> Hi, I have, at one customer, a web server running on a Verisign-signed SSL certificate. Everything works fine; IE and Firefox connect on https without asking anything, which usually happens with self-signed certificates. I'm trying to use that certificate on Dovecot, but clients (Thunderbird basically) keep saying the certificate is not valid.
> Yes, I'm using, when configuring Thunderbird, the same CN that was signed by Verisign for web usage.
> I've enabled verbose_ssl and got this when Thunderbird tries to connect:
> Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Unknown CA??? Is it Thunderbird that is not recognizing the Verisign-signed certificate? Do I need to, somehow, install some Verisign CA certificate in dovecot.conf?
> When using a self-signed certificate, I also get an SSL_accept failed, but with a different message:
> Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Despite the fact that my certificates were generated for use with Apache, I can 'print' them, both of them, with the same commands I use to print Dovecot-generated certificates, with mkcert.sh. So it seems they are compatible.
> If I click OK in Thunderbird, when using my Verisign-signed certificates, everything works and I do get TLS logs:
> Feb 18 12:23:36 correio dovecot: imap-login: Login: user=<user@domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 18 12:31:43 correio dovecot: imap-login: Login: user=<user@domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> What am I doing wrong?? Or is using a signed certificate for WEB usage not possible on Dovecot?
I'm using the same certificate for Dovecot and https. My settings in dovecot.conf are:
ssl_cert_file = /etc/ssl/certs/hostname.pem
ssl_key_file = /etc/ssl/private/hostname.key
This part from the user guide is very important if you received a "bundle / chain" of CA certificates from Verisign:
Chained SSL certificates
Put all the certificates in the ssl_cert_file file. For example when using a certificate signed by TDC the correct order is:
- Dovecot's public certificate
- TDC SSL Server CA
- TDC Internet Root CA
- Globalsign Partners CA
Arne
--
Arne K. Haaje | www.drlinux.no T: 69 51 15 52 | M: 92 88 44 66
And another interesting piece of information..... Thunderbird claims the certificate is not valid, but Windows Mail accepts it without any warnings and works just fine. I've tested on a new machine just to make sure I haven't previously accepted it on that machine/Windows Mail.
Another minor difference is that when logging in from Windows Mail and Thunderbird, the cipher used seems to be a little different:
Windows Mail - AES128-SHA
Feb 18 12:56:04 correio dovecot: imap-login: Login: user=<domain@user.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher AES128-SHA (128/128 bits)
Thunderbird 3.0.1 - DHE-RSA-AES256-SHA
Feb 18 12:58:41 correio dovecot: imap-login: Login: user=<domain@user.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
If it works flawlessly on Windows Mail, I think I should now point my searching at Thunderbird..... What do you think about that?
On 18/02/2010 11:58, Arne K. Haaje wrote:
> Put all the certificates in the ssl_cert_file file. For example when using a certificate signed by TDC the correct order is:
> 1. Dovecot's public certificate
> 2. TDC SSL Server CA
> 3. TDC Internet Root CA
> 4. Globalsign Partners CA
--
Best regards / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
On Thu, 18 Feb 2010, Arne K. Haaje wrote:
> I'm using the same certificate for Dovecot and https. My settings in dovecot.conf are:
> ssl_cert_file = /etc/ssl/certs/hostname.pem
> ssl_key_file = /etc/ssl/private/hostname.key
> This part from the user guide is very important if you received a "bundle / chain" of CA certificates from Verisign:
> Chained SSL certificates
> Put all the certificates in the ssl_cert_file file. For example when using a certificate signed by TDC the correct order is:
> - Dovecot's public certificate
> - TDC SSL Server CA
> - TDC Internet Root CA
> - Globalsign Partners CA
Do I assume that the Verisign CA's root cert is part of Thunderbird by default? Otherwise you would need to add the root cert manually.
Also, I have explicitly set the CA file in Dovecot: ssl_ca_file =
Regards,
Steffen Kaiser
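Arne's chained-certificate order and Steffen's remark that the client must already trust the root, as an added example that is not from the thread: a POSIX shell script that builds a constructed root, intermediate and IMAP server certificate with openssl (all names are placeholders), then checks a Dovecot-style ssl_cert_file bundle two ways, the order of its PEM blocks and whether a client trusting only the root can validate the server certificate from what the server sends.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed PKI (root CA -> intermediate
# CA -> IMAP server cert); every name below is a placeholder.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > "$WORK/srv.ext"
# Self-signed root: the only certificate the simulated client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# issue NAME SUBJECT ISSUER EXTFILE: new key and CSR for NAME, signed by ISSUER.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
}
issue inter "/CN=Example Intermediate CA" root ca.ext
issue server "/CN=imap.example.test" inter srv.ext
# chain_order_ok FILE: split an ssl_cert_file bundle into its PEM blocks and
# require each certificate's issuer to be the subject of the next block, i.e.
# server cert first, then its issuing CA, and so on upwards (Arne's order;
# TLS requires the server's own certificate to come first in the chain).
chain_order_ok() {
  d=$(mktemp -d "$WORK/split.XXXXXX")
  n=$(awk -v d="$d" '/BEGIN CERT/{n++; f=d "/" n ".pem"} {print > f} END{print n+0}' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$d/$((i+1)).pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i+1))
  done
}
# client_accepts ROOT BUNDLE: can a client whose trust store holds only ROOT
# (Steffen's point) build a path to the server cert from what the server sends?
# openssl verify ignores the order of BUNDLE, so both checks are needed.
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.pem" >/dev/null 2>&1
}
cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/good.pem"  # correct order
cat "$WORK/inter.pem" "$WORK/server.pem" "$WORK/root.pem" > "$WORK/wrong.pem" # CA first
cp "$WORK/server.pem" "$WORK/leaf_only.pem"  # intermediate missing: no path to the root
for b in good wrong leaf_only; do
  chain_order_ok "$WORK/$b.pem" && o=ok || o=BAD-ORDER
  client_accepts "$WORK/root.pem" "$WORK/$b.pem" && v=accepted || v=REJECTED
  echo "$b.pem: order=$o client=$v"
done
```

The leaf_only case is the server-side view of a client that holds only the root and never receives the intermediate: the chain cannot be built, which is the situation a bundle in ssl_cert_file is meant to prevent.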