[Dovecot] SSL cert problems.

Geoff Sweet geoff.sweet at x10.com
Wed Dec 24 09:30:37 EET 2008


OK, so I downloaded the intermediate CA cert thing onto my local machine
as intca.cer.  Then I ran this command:

:~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995
CONNECTED(00000003)
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
Server certificate
subject=/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server
CA
---
No client certificate CA names sent
---
SSL handshake has read 1964 bytes and written 317 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
F5FDC92F3DFEE11EABFECEF9ACAEA69F6E34B18A0DAEC225EE6C18398E86B418
    Session-ID-ctx: 
    Master-Key:
E81D48B88F493F4BD35353079B7A596993D42C3E711F2E4DB79305E69C9D0CF97ED4A88941FE42B3BE012A3D507827C8
    Key-Arg   : None
   Compression: 1 (zlib compression)
    Start Time: 1230103587
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK Dovecot ready.


And I still get those errors.  Any thoughts?

-G



On Tue, 2008-12-23 at 23:46 -0500, Sahil Tandon wrote:
> Geoff Sweet wrote:
> 
> > and last but not least, here is my test from openssl.  Mind you this
> > fails as a "BAD" ssl cert in Evolution.  
> > 
> > :~$ openssl s_client -ssl2 -connect pop.x10.com:995
> 
> Try -ssl3 here; you'll see more.
> 
> > CONNECTED(00000003)
> > depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> > Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> > (c)05/CN=pop.x10.com
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> > Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> > (c)05/CN=pop.x10.com
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> > Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> > (c)05/CN=pop.x10.com
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher
> > list:s2_clnt.c:450:
> > 
> > As you can see, the certificate clearly fails.  I don't know how to make
> > this work at this point.  Any thoughts or advice would be greatly
> > appreciated.
> 
> The cert fails because s_client(1) cannot find the root CAs you've chosen
> to trust.  The same test will fail even with gmail's IMAP and POP3
> servers.  See the s_client(1) man page for the CApath and CAfile flags.
> 
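
The verify errors in this thread (20, 21, 27) come down to what the client is given to trust versus what the server sends in its chain. As an added example (not code from the thread or from Dovecot), this script builds a throwaway root -> intermediate -> server chain with openssl and reproduces the cases: trusting only the intermediate (what the post above tried), trusting the root while the server omits the intermediate, and the working combination; it also shows that -CApath expects a directory of hash-named certificates, not a certificate file. All certificate names (Example Root CA, pop.example.test) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway Root -> Intermediate ->
# server chain and show which trust inputs let the server cert verify.
# All names (Example Root CA, pop.example.test) are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
newcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
             -subj "/CN=$2" 2>/dev/null; }
newcsr root  'Example Root CA'
newcsr inter 'Example Intermediate CA'
newcsr leaf  'pop.example.test'
# Self-signed root; intermediate signed by root; server (leaf) cert signed by intermediate.
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 2>/dev/null

# chain_status TRUSTED [UNTRUSTED]: TRUSTED plays the client's CA store, UNTRUSTED
# plays the extra certs a server sends alongside its own. Prints ok or fail.
chain_status() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}
# -CApath expects a DIRECTORY of certs named <subject-hash>.0, not a cert file.
mkdir cadir
cp root.pem "cadir/$(openssl x509 -noout -hash -in root.pem).0"
capath_status() {  # capath_status DIR_OR_FILE -> ok or fail
  openssl verify -CApath "$1" -untrusted inter.pem leaf.pem >/dev/null 2>&1 \
    && echo ok || echo fail
}

echo "trust intermediate only (what the post tried):  $(chain_status inter.pem)"
echo "trust root, server sends leaf only:             $(chain_status root.pem)"
echo "trust root, server sends leaf+intermediate:     $(chain_status root.pem inter.pem)"
echo "-CApath pointed at a file:                      $(capath_status inter.pem)"
echo "-CApath pointed at a hashed directory:          $(capath_status cadir)"
# Server-side fix: serve leaf + intermediate together (the -untrusted role above),
# so clients that trust only the root can complete the chain.
cat leaf.pem inter.pem > fullchain.pem
```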


