[Dovecot] SSL with startssl.com certificates

Eliezer Croitoru eliezer at ngtech.co.il
Wed Oct 9 23:09:53 EEST 2013


On 10/09/2013 10:55 PM, Reindl Harald wrote:
>
>
> Am 09.10.2013 21:45, schrieb Eliezer Croitoru:
>> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>>>
>>>
>>> Am 09.10.2013 21:27, schrieb Eliezer Croitoru:
>>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>>>
>>>>> *** /var/log/maillog ***
>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed:
>>>>> where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth
>>>>> attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197,
>>>>> TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
>>>> How about trying to use a username to identify the user??
>>>> it is very clear that there is nothing that the client tries to do...
>>>
>>> it is much more clear that there is no username if the client
>>> refuses the SSL handshake because it does not like the cert
>>> or the offered ssl-ciphers
>>>
>>> user=<> is pretty normal in a lot of cases
>>>
>>> * ssl cert not accepted and not allowed by the user in case of untrusted
>>> * no cipher the client accepts
>>> * no auth-mech the client accepts offered by the server
>>>
>>> so how do *you* imagine to see a username in the log?
>>>
>> I expect that StartSSL will put up good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..
>
> not their job and not part of the problem
>
> * your client accepts a certificate
> * your client does not accept your certificate
>
> in case it does not *you* as enduser have to accept/import the servers cert
>
> http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
> http://www.startssl.com/?app=25#31
>
> if someone does not know what an "intermediate CA" is, he needs to RTFM or *read*
> the messages of his client, or buy certificates accepted by all major clients
>
> but that all has less to do with your blunt "it is very clear that there is nothing that
> the client tries to do" showing that you have zero experience of how a client handshake
> works -> it does not send usernames or even passwords until it is satisfied
> with the negotiation of auth-mechs and ssl-handshake
>
I would try to use StartSSL with squid and I will see if the docs in 
squid ssl-bump explain the subject in a way I can understand.
As Dan explained, his major problem is with a specific encryption cipher of 
a very specific size..
I would imagine that a 4k-bit certificate handshake and validation can 
take more than 1 sec..
Am I right about it?

Thanks,
Eliezer
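The point Reindl makes above, that `user=<>` together with `TLS handshaking: Disconnected` means the client gave up during the TLS handshake and never reached authentication, is easy to check mechanically. The following is an added example, not code from any poster in this thread: it classifies Dovecot `imap-login` lines into handshake failures versus real auth failures and counts the client IPs behind the handshake failures. The sample log lines are constructed to match the format quoted above; the addresses and session ids are placeholders.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on the Dovecot imap-login messages quoted
# in the thread; addresses and session ids are placeholders, not real data.
SAMPLE_LOG = """\
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.0.2.10]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.10, lip=198.51.100.7, TLS handshaking: Disconnected, session=<abcDEF0123456789>
Sep 13 11:51:02 imaps dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.7, TLS, session=<abcDEF0123456790>
Sep 13 11:51:30 imaps dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.7, mpid=4242, TLS, session=<abcDEF0123456791>
Sep 13 11:52:01 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.7, TLS handshaking: Disconnected, session=<abcDEF0123456792>
"""

# "Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [ip]"
SSL_WARN_RE = re.compile(
    r"imap-login: Warning: SSL failed: where=(?P<where>0x[0-9a-f]+): (?P<state>.*?) \[(?P<rip>[^\]]+)\]"
)
# "Disconnected (reason): user=<..>, .. rip=.., .. TLS handshaking: Disconnected" or ".., TLS,"
DISCONNECT_RE = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>\S+?),"
    r".*?(?P<tls>TLS handshaking: Disconnected|TLS)"
)

def classify(line: str) -> Optional[dict]:
    """Map one imap-login line to an event dict, or None for lines not tracked here."""
    m = SSL_WARN_RE.search(line)
    if m:
        return {"kind": "ssl_warning", "rip": m["rip"], "detail": f"{m['where']} {m['state']}"}
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    if m["user"] == "" and m["tls"].startswith("TLS handshaking"):
        # Client dropped the connection inside the TLS handshake: it never reached
        # the auth stage, so an empty user=<> is expected (cert chain or cipher issue).
        kind = "tls_handshake_failure"
    elif m["reason"].startswith("auth failed"):
        kind = "auth_failure"  # handshake succeeded; credentials were the problem
    else:
        kind = "other_disconnect"
    return {"kind": kind, "rip": m["rip"], "detail": m["reason"]}

def summarize(log_text: str) -> dict:
    """Count event kinds and the client IPs behind the TLS handshake failures."""
    kinds, handshake_ips = Counter(), Counter()
    for ev in filter(None, map(classify, log_text.splitlines())):
        kinds[ev["kind"]] += 1
        if ev["kind"] == "tls_handshake_failure":
            handshake_ips[ev["rip"]] += 1
    return {"kinds": dict(kinds), "handshake_ips": dict(handshake_ips)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A client that repeatedly shows up only as a handshake failure, with no auth attempt at all, points at the certificate chain or cipher negotiation rather than at the user's credentials.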


