[Dovecot] SSL problems on dovecot 2.1.7

Steinar Bang sb at dod.no
Thu May 9 12:12:37 EEST 2013 

When I upgraded my debian-based imap server from squeeze to wheezy
yesterday, SSL stopped working.

I am using a http://cacert.org signed server sertificate, and I am
reusing the certificates that were used on the 1.x dovecot of debian
squeeze.

My three MUAs that worked against the previous 1.x dovecot with the same
certificate, now fails in various ways.

Any hints and guesses as to how to debug this further will be highly
appreciated.  Even more appreciated will be a pin point of the issue. :-)

Here are the error messages from the MUAs:
 - Opera 12.15 on Windows 7 just reports:
   "The connection with the IMAP server was unexpectedly interrupted."
 - Emacs24(w/linked-in gnutls)/Ma Gnus 0.8 (Gnus git HEAD) on Windows 7 says
   "imap.mydomain.com certificate could not be verified."
 - Emacs23/Ma Gnus 0.8 (also Gnus git HEAD) on debian testing (with
   Emacs23 gnutls-cli is run in a subprocess), says:
   "Opening connection to imap.mydomain.com via tls...
    Opening TLS connection to `imap.mydomain.com'...
    Opening TLS connection with `gnutls-cli --insecure -p 993 imap.mydomain.com'...done
   Opening TLS connection to `imap.mydomain.com'...done
   Unable to open server nnimap+privat due to: Process *nnimap* not running"

When I try running gnutls-cli from the command line of the debian
testing machine (the same gnutls-cli that is used by the emacs23/gnus
combo), it seems to connect ok (the transcript of that session is
below).

The config for the SSL, from /etc/dovecot/conf.d/10-ssl.conf, is:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/imap_mydomain_com.pem
ssl_key = </etc/ssl/private/imap_mydomain_com.key


The access privileges of the files, are:
-rw-r--r-- 1 root root 2077 Mar 27 12:45 /etc/ssl/certs/imap_mydomain_com.pem
-rw------- 1 root root 3243 Jul 12  2011 /etc/ssl/private/imap_mydomain_com.key


What follows, is the transcript from the gnutls-cli session from a
debian testing machine to the server (which seems to be working as far
as I can tell...):

sb at edwards:~$ gnutls-cli -p 993 rainey.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'rainey.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1023 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support at cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate does NOT match 'rainey.mydomain.com'
sb at edwards:~$ gnutls-cli -p 993 imap.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'imap.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1021 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support at cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate matches 'imap.mydomain.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

* OK Waiting for authentication process to respond..
- Peer has closed the GnuTLS connection

More information about the dovecot mailing list