[Dovecot] Dovecot 1.0beta7: STARTTLS/SSL not wanting to start
Greetings -
I have been looking at Dovecot with a view to migrating us to it from the Washington IMAP server on our Sun systems.
To start our testing we first of all installed the pre-built version of Dovecot from the Blastwave (www.blastwave.org) community supported packaged software site.
This was Dovecot 0.99.10.4 and we successfully got it working in our test environment: at first just with regular IMAP, then with STARTTLS too. For the latter we installed a properly signed certificate and it works fine: mail clients can connect, use STARTTLS and then use the encrypted connection.
I then downloaded the source code for Dovecot 1.0beta7 and built this myself from source, against the OpenSSL 0.9.8 libraries. I configured Dovecot to use the same certificate and key files as had been used for the earlier version we had just tried out.
Whilst 1.0beta7 works fine for regular IMAP it just does not want to start SSL using STARTTLS at all. The error that is getting logged in the syslog file is:
<date etc> ... dovecot: [ID 107833 mail.warning] imap-login:
SSL_accept() failed: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable [ddd.ddd.ddd.ddd]
I see in the archived for the list archives that this same problem was asked about for 1.0beta3 but without a solution I could see. Could someone offer any insight/help, please?
Cheers, Mike Brudenell
-- The Computing Service, University of York, Heslington, York Yo10 5DD, UK Tel:+44-1904-433811 FAX:+44-1904-433740
- Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
On 5/9/2006 Mike Brudenell wrote:
This was Dovecot 0.99.10.4 and we successfully got it working in our test environment: at first just with regular IMAP, then with STARTTLS too. For the latter we installed a properly signed certificate and it works fine: mail clients can connect, use STARTTLS and then use the encrypted connection.
Which mail client(s)?
STARTTLS support is broken in Thunderbird, per a recent thread with subject 'START + TLS'
--
Best regards,
Charles
Greetings -
--On 9 May 2006 06:45:18 -0400 Charles Marcus <CMarcus@Media-Brokers.com> wrote:
Which mail client(s)?
STARTTLS support is broken in Thunderbird, per a recent thread with subject 'START + TLS'
Every mail client I've so far tried: Mulberry, Apple's Mail and Outlook.
However I've made progress and believe I've now trakced down the problem, which appears to be a conflist of OpenSSL includes/libraries being used...
We use the Blastwave distribution of OpenSSL 0.9.8, which installs itself in /opt/csw/include/openssl and /opt/csw/lib
I had added a "-I/opt/csw/include/openssl" to the CFLAGS environment variable before configuring and building Dovecot but had not added a "-L/opt/csw/lib" believing this would be picked up by the run-time linker. (We have used the Solaris "crle" command to add this directory to the standard paths the loader searches at run-time.
However unbeknownst to me a colleague had installed some Sun Freeware distributions on our communal test machine. In amongst these was the Sun FreeWare version of the OpenSSL libraries ... but only version 0.9.7!
All might yet have been OK except Dovecot's "configure" script used the "pkg-config" command to sniff out any C and loader options it thought it needed to use to link against OpenSSL ... and was told to use "-L/usr/sfw/lib":
% pkg-config --libs openssl
-R/usr/sfw/lib -L/usr/sfw/lib -lssl -lcrypto -lsocket -lnsl -ldl
So use these libraries it did. This meant Dovecot was being built using the include files for OpenSSL 0.9.8 but the library files from 0.9.7 :-(
Adding a "-L/opt/csw/lib" explicitly to the LDFLAGS environment variable and re-configuring/building Dovecot has given a binary that works just fine with SSL now.
I\m still slightly baffled why when I changed LDFLAGS earlier in my first set of testing it didn't have any effect. I can only think something had been cached in the config.cache file and/or something built with against the incorrect versions of the files, and I should have done a "make distclean" to sort things out.
Now to go and find out why we have these Sun FreeWare packages on this system rather than the Blastwave ones we normally use... >-(
MORAL: If anyone else experiences this problem check your include and library files for OpenSSL are consistent before getting paranoid about certificate files being broken etc!
Cheers, Mike B-)
-- The Computing Service, University of York, Heslington, York Yo10 5DD, UK Tel:+44-1904-433811 FAX:+44-1904-433740
- Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
On Tue, 2006-05-09 at 09:41 +0100, Mike Brudenell wrote:
<date etc> ... dovecot: [ID 107833 mail.warning] imap-login:
SSL_accept() failed: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable [ddd.ddd.ddd.ddd]
I see in the archived for the list archives that this same problem was asked about for 1.0beta3 but without a solution I could see. Could someone offer any insight/help, please?
Did you figure this out yet? I can't think of a reason why something in Dovecot's code could cause it. Maybe you had Dovecot 0.99 linked against a different version of OpenSSL or something?
participants (3)
-
Charles Marcus
-
Mike Brudenell
-
Timo Sirainen