[Dovecot] SSL with startssl.com certificates

Eliezer Croitoru eliezer at ngtech.co.il
Wed Oct 9 22:45:08 EEST 2013


On 10/09/2013 10:31 PM, Reindl Harald wrote:
>
>
> Am 09.10.2013 21:27, schrieb Eliezer Croitoru:
>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>
>>> *** /var/log/maillog ***
>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed:
>>> where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth
>>> attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197,
>>> TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
>> How about trying to use a username to identify the user??
>> it is very clear that there is nothing that the client tries to do...
>
> it is much more clear that there is no username if the client
> refuses the SSL handshake because it does not like the cert
> or the offered ssl-ciphers
>
> user=<> is pretty normal in a lot of cases
>
> * ssl cert not accepted and not allowed by the user in case of untrusted
> * no cipher the client accepts
> * no auth-mech the client accepts offered by the server
>
> so how do *you* imagine to see a username in the log?
>
I expect that StartSSL will put good configuration examples for Apache,
Postfix, Dovecot, Exim, nginx and more..
This way their service would give much more...
I am just still unsure how long would it take to write the docs that
explain all the mentioned above: there is an SSL hierarchy and StartSSL uses
this hierarchy which you need to understand and then the next thing to do
is to answer a question or two to make sure you understand that
everything is OK with the service etc.

A basic openssl client into an SSL port should be sufficient but in a case
of a special client that verifies two way key it's another story.

Hope there was a solution in the upper part of the thread.

Eliezer
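
The quoted reply's point, that `user=<>` is expected whenever the connection drops during the TLS handshake, can be checked mechanically in the log. The following is an added example, not part of the original message or of Dovecot: a small parser over constructed sample lines (documentation IP addresses, made-up session ids) that separates handshake-stage disconnects from real authentication failures. The names `classify` and `handshake_failures_by_ip` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (documentation IPs).
SAMPLE_LOG = """\
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.0.2.10]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: Disconnected, session=<constructed1>
Sep 13 11:52:03 imaps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.22, lip=198.51.100.5, TLS, session=<constructed2>
Sep 13 11:53:10 imaps dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.33, lip=198.51.100.5, mpid=4242, TLS, session=<constructed3>
Sep 13 11:54:00 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: Disconnected, session=<constructed4>
"""

# Matches the imap-login "Login" and "Disconnected" summary lines only.
LOGIN_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected)(?: \((?P<reason>[^)]*)\))?: "
    r"user=<(?P<user>[^>]*)>, (?P<rest>.*)$"
)

def classify(line):
    """Return (stage, user, rip) for an imap-login summary line, else None."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rip_match = re.search(r"rip=([^,\s]+)", rest)
    rip = rip_match.group(1) if rip_match else None
    if m.group("event") == "Login":
        stage = "authenticated"
    elif "TLS handshaking" in rest:
        # Dropped before any IMAP command: no username can exist yet.
        stage = "tls_handshake_failed"
    elif (m.group("reason") or "").startswith("no auth attempts"):
        stage = "no_auth_attempt"
    else:
        stage = "auth_failed"
    return stage, m.group("user"), rip

def handshake_failures_by_ip(log_text):
    """Count handshake-stage disconnects per remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] == "tls_handshake_failed":
            counts[result[2]] += 1
    return counts

if __name__ == "__main__":
    print(handshake_failures_by_ip(SAMPLE_LOG))
```

Repeated handshake failures from one address with an empty username point at a certificate chain or cipher mismatch on that client, not at a login problem.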




