[Dovecot] SSL_accept failed

OpenMacNews openmacnews at gmail.com
Sun Sep 10 07:43:25 EEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi tim,

> Thanks for the input so far... I hear what you're saying about
> Mail.app but I provide email for a small group of friends and I need
> it to work with a variety of clients.

i was simply suggesting options for you to explore/investigate your 
problem with tools that might be of more help, not to suggest replacing 
your client of choice.

>> if you haven't, again, i'd simply suggest that you do.
>
> I did, but i wasn't sure what it meant. I got an actual signed cert
> from cacerts.org and this is what i get when i try to verify it.

given what i'm seeing below, i'm going to suggest that you step-by-step 
it 1st with your own, home-grown CA cert ... just to see what's 
happening

>> dovecot.cert: /CN=mail.design1st.org
>> error 29 at 0 depth lookup:subject issuer mismatch
>> /CN=mail.design1st.org
>> error 29 at 0 depth lookup:subject issuer mismatch
>> /CN=mail.design1st.org
>> error 29 at 0 depth lookup:subject issuer mismatch
>> OK

> all my self-signed certs look like this:
>
>> design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/
>> CN=design1st.org
>> error 18 at 0 depth lookup:self signed certificate
>> OK
>
>
> This seemed more interesting, but also didn't help me:
>
>
>> design1st:/usr/local/openssl/certs root# openssl s_client -connect
>> localhost:10943 -showcerts
>> CONNECTED(00000003)
>> depth=0 /CN=mail.design1st.org
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 /CN=mail.design1st.org
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 /CN=mail.design1st.org
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/CN=mail.design1st.org
>>    i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>> Authority/emailAddress=support at cacert.org
>> -----BEGIN CERTIFICATE-----
snip
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/CN=mail.design1st.org
>> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>> Authority/emailAddress=support at cacert.org
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1681 bytes and written 340 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID:
>> 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706
>>     Session-ID-ctx:
>>     Master-Key:
>> 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE28
>> 6C  0008197298EC8A16CE8D11BF4B
>>     Key-Arg   : None
>>     Start Time: 1157850811
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>> * OK Dovecot ready.


1st, take each of the errors and google on it ... there's lots of info 
out there.

unfortunately, you're gonna have to match what you find with your 
particular circumstance(s).

that said ... lemme guess at something here:

have you IMPORTED the cert into mail.app?

why do i ask?  cref here:

Mac OS X Mail.app (native eMail application) for Signing / Encrypting
  http://wiki.cacert.org/wiki/EmailCertificates
  "these steps were needed because Apple does not ship with the cacert 
Root CA Certificate"

richard
- -- 

/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB  D460 95F7 DDBD 3671 08C6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iEYEARECAAYFAkUDl+0ACgkQlffdvTZxCMa0EwCgsIUowsMk6yLdy4TOb4ZSgAkP
pwEAnRKE48MFdgacepl8qTQc6VxzWSI2
=pFSx
-----END PGP SIGNATURE-----
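
The home-grown CA step suggested in the message above can be reproduced with the following script. It is an added example, not part of the original post; the CA name, host name, file names and the two helper functions are constructed for illustration. It shows the same certificate failing verification when the client has never imported the issuing CA and passing once the CA is supplied as a trust anchor.

```shell
# Added example. "Example Home CA" and "mail.example.test" are constructed names.
# Create a throwaway home-grown CA and a server cert signed by it, in dir $1.
make_test_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: subject and issuer are the same name.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and signing request, then the CA signs the request.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 2 -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

# Echo "OK" or "error N" for cert $1. $2 is the trust anchor PEM; pass ""
# to verify like a client that never imported the CA (default store only).
verify_result() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    # Check for error lines first: the output quoted in the thread prints
    # "OK" after an error, so "OK" alone does not mean the chain verified.
    err=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    if [ -n "$err" ]; then echo "error $err"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo "OK"
    else echo "unknown"; fi
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_test_pki "$d" || exit 1
    echo "server cert, CA not imported: $(verify_result "$d/server.pem" "")"
    echo "CA cert on its own:           $(verify_result "$d/ca.pem" "")"
    echo "server cert, CA as anchor:    $(verify_result "$d/server.pem" "$d/ca.pem")"
    rm -rf "$d"
fi
```

Run the script with `demo` as its first argument to print the three results: error 20, error 18, then OK.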


