SSL certificate problem (SSL alert number 42)

Boyandin Konstantin lists at boyandin.name
Wed Jul 23 04:16:53 UTC 2014


Hello,

After the client (Thunderbird, now version 31.0) was updated today, it stopped connecting to Dovecot IMAP4S. The infamous "SSL alert number 42" is reported.

The mail server uses a local (created for intranet) CA certificate as root.

I would appreciate any advice on how to handle that without enabling plaintext authentication over insecure channels.

Other intranet services work fine with this local CA.

Thank you in advance. Required data:

# dovecot --version
2.0.9

# doveconf -n

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.5.1.el6.x86_64 x86_64 CentOS release 6.5 (Final) 
auth_username_format = %n
default_process_limit = 1200
disable_plaintext_auth = yes
first_valid_uid = 300
mail_location = mbox:~/mail:INBOX=/var/mail/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = imap pop3
service anvil {
  client_limit = 6000
}
service auth {
  client_limit = 6000
}
ssl_ca = </etc/pki/company/cacert.pem
ssl_cert = </etc/pki/company/company.crt
ssl_cipher_list = ALL:!LOW
ssl_key = </etc/pki/company/company.key
userdb {
  driver = passwd
}
verbose_ssl = yes


Records posted to Dovecot log file:

Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [10.x.x.x]
Jul 23 11:01:26 mailserver dovecot: imap-login: Disconnected (no auth attempts): rip=10.x.x.x, lip=10.y.y.y, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42


Sincerely,
Konstantin

