[Dovecot] using ecc-certificates (ellyptic curve) will not establish connection

Fresel Michal - hi competence e.U. m.fresel at hi-competence.eu
Tue Oct 11 20:02:16 EEST 2011 

hi

building 2.0.15 (f6a2c0e8bc03) against the 10.0e ssl-libs _WORKS_ (on some parts ;)


Note: be careful on the client-side as many clients won't understand these types of certificates
check the version of openssl if you have problems ...


a client on OS X 10.6 (OpenSSL 0.9.8r 8 Feb 2011) gives the folowing error
# openssl s_client -host remoteserver -port 993
CONNECTED(00000003)
8346:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_clnt.c:602:

==> /var/log/mail.log <==
dovecot: imap-login: Disconnected (no auth attempts): rip=xxxx, lip=xxxx, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher


well - THIS would work (for debuging :)
# openssl s_client -host remoteserver -port 993  -cipher ECCdraft


Greetings 

Mike

Am 09.10.2011 um 16:21 schrieb Fresel Michal - hi competence e.U.:

> hi
> 
> I want to use ECC(ellyptic curve cryptography) for SSL-connections but somehow dovecot doesn't like my ECC-certificates :(
> 
> I tried to test using following scenario:
> 
> 
> machine:
> debian 6 (x64)
> dovecot 2.0.15-0~auto+21 ((f6a2c0e8bc03) from http://xi.rename-it.nl/debian
> openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 needs also the parameter -cipher ECCdraft  for testing)
> 
> 
> 
> creating keys+cert for ecc (i.e. curves prime192v1, secp521r1)
> # openssl ecparam -name prime192v1 -genkey -out prime192v1.key
> # openssl req -new -key prime192v1.key -out prime192v1.csr
> # openssl req -x509 -in prime192v1.csr -key prime192v1.key  -out prime192v1.crt
> 
> testing these in 2 windows
> # openssl s_server -cert prime192v1.crt -key prime192v1.key  -www
> # openssl s_client
> note: when using the default openssl version 0.9.8o-4squeeze3 you need to append   -cipher ECCdraft
> 
> 
> output (cut)
> ...
> New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
> Server public key is 192 bit
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>    Protocol  : SSLv3
>    Cipher    : ECDHE-ECDSA-AES256-SHA
>    Session-ID: xxxxx
>    Session-ID-ctx: 
>    Master-Key: xxxxx
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    Compression: 1 (zlib compression)
>    Start Time: xxxxx
>    Timeout   : 7200 (sec)
>    Verify return code: 18 (self signed certificate)
> 
> 
> looks promising - also for the secp521r1 curve
> 
> 
> but when changing dovecot.conf to use these keys and certificates it won't use them and return errors
> 
> # openssl  s_client -port 993
> CONNECTED(00000003)
> 140543456835240:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
> 140543456835240:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : SSLv3
>    Cipher    : 0000
>    Session-ID: 
>    Session-ID-ctx: 
>    Master-Key: 
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    Start Time: xxxxx
>    Timeout   : 7200 (sec)
>    Verify return code: 0 (ok)
> ---
> 
> and the log gives (using verbose_ssl = yes in dovecot.conf)
> 
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
> 
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
> 
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
> 
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
> 
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
> 
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
> 
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]
> 
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]
> 
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]
> 
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
> 
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
> 
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
> 
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
> dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> 
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
> dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> 
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
> 
> from doveconf -a:
> ssl = required
> ssl_ca = 
> ssl_cert = </etc/ssl/certs/prime192v1.crt
> ssl_cert_username_field = commonName
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_key = </etc/ssl/certs/prime192v1.key
> ssl_key_password = 
> ssl_parameters_regenerate = 168
> ssl_verify_client_cert = no
> 
> 
> Has anybody already tested this and made it working?
> Or do i have just to recompile everything to make it work?
> 
> 
> Greetings
> 
> Mike

More information about the dovecot mailing list