[Dovecot] SSL cert problems.
Sahil Tandon
sahil at tandon.net
Wed Dec 24 06:46:08 EET 2008
Geoff Sweet wrote:
> and last but not least, here is my test from openssl. Mind you this
> fails as a "BAD" ssl cert in Evolution.
>
> :~$ openssl s_client -ssl2 -connect pop.x10.com:995

Try -ssl3 here; you'll see more.

> CONNECTED(00000003)
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher
> list:s2_clnt.c:450:
>
> As you can see, the certificate clearly fails. I don't know how to make
> this work at this point. Any thoughts or advice would be greatly
> appreciated.

The cert fails because s_client(1) cannot find the root CAs you've chosen
to trust. The same test will fail even with gmail's IMAP and POP3
servers. See the s_client(1) man page for the CApath and CAfile flags.
--
Sahil Tandon <sahil at tandon.net>
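
The failure explained in this reply, reproduced offline as an added example that is not part of the original message: `openssl verify` runs the same chain check as s_client(1) and takes the same `-CAfile` flag. The CA and host names, file names and function names are assumptions constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Root CA" and "pop.example.test" are made-up names.

make_demo_pki() {   # $1 = empty working directory
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA: stands in for the root the client chooses to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/demo.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    # Server key and CSR, then a leaf certificate signed by the demo root.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
        -subj "/CN=pop.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# No trust anchor supplied: the issuer lookup fails (verify error 20).
verify_without_ca() { openssl verify "$1/leaf.pem" 2>&1; }

# Trust anchor supplied with -CAfile: the chain builds and verification succeeds.
verify_with_ca() { openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1; }

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    echo "--- without -CAfile"; verify_without_ca "$dir" || true
    echo "--- with -CAfile";    verify_with_ca "$dir"
    rm -rf "$dir"
}
demo
```
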