Grzegorz Sójka writes:

On 05/24/12 20:16, Thomas Jacob wrote:
> Hi Grzesiek,
>
> On Wed, 2012-05-23 at 18:20 +0200, Grzesiek Sójka wrote:
>> Hi there.
>>
>> For a few years I had been successfully using courier-imap and
>> courier-imap-ssl running on PLD Linux (www.pld-linux.org).
>> Unfortunately, after one of the major OS updates I have a problem with
>> the SSL connection. If I connect using my mobile phone or the mail
>> application running on Apple OS X, everything works fine. But when trying
>> to establish an SSL connection using Icedove running on PLD Linux, I get
>> the following messages in the mail log file:
>>
>> May 23 17:51:38 Hermes imapd-ssl: Connection, ip=[::ffff:192.168.0.1]
>> May 23 17:51:38 Hermes imapd-ssl: couriertls: read: error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> May 23 17:51:38 Hermes imapd-ssl: Disconnected, ip=[::ffff:192.168.0.1],
>> time=0, starttls=1
>
> That sounds like you might be using client SSL certs for authentication
> purposes; if so, maybe the following will help:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1302380779.964977.10011.500%40monster.email-scan.com&forum_name=courier-imap

I don't think that this is the same problem. First: in my case
TLS_VERIFYPEER is set to NONE. Second: I get "read: error" instead of
"accept: error".

This is just an internal function name. The actual text of the error message is more descriptive.

BTW, is this a problem with the server cert or the client cert?

If, as you say, you did not enable client cert checking, then I don't know enough about the TLS protocol to say whether, when the server does not ask the client for a cert, the protocol allows the client to send one anyway. That's one possibility.

If that's the case, what's probably happening is that the client is sending a cert, and the server cannot verify its CA because, of course, it's not configured to use client certificates. In that case, get rid of the client cert.

Another possibility is that this is a server cert problem, and this is logging a TLS alert message from the client, rejecting your server cert. This makes more sense. The read function has received an alert message from the client, complaining about your cert.

In that case, either your cert is not signed by a CA that the client trusts; or its common name does not match the DNS hostname the client is connecting to; or your cert has expired; or your cert is signed by an intermediate cert.

If you're using an intermediate cert, you need to append the intermediate cert to the certificate file you're pointing Courier-IMAP to. I can never remember if it must appear before, or after, your own cert.
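As an added illustration (not part of the thread, and not Courier's own code): OpenSSL reads a chain file with the server's own certificate first and the intermediates after it, and a client that is handed only the leaf is what produces the "unknown ca" alert. The script below builds a throwaway root, intermediate and server certificate with openssl (all names are constructed) and checks the three possible file layouts the way a connecting client would judge them.

```sh
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate ->
# server chain with openssl, then check candidate TLS_CERTFILE layouts the way
# a connecting client would judge them. All names and paths are constructed.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj /CN=ExampleRoot \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=ExampleIntermediate \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=imap.example.test \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null

# check_chain CHAINFILE ROOT KEY
# Returns 0 only if the FIRST certificate in CHAINFILE belongs to KEY and
# chains to ROOT using the certificates that follow it, i.e. the layout
# Courier-IMAP hands to OpenSSL: server cert first, intermediates after.
check_chain() {
    t=$(mktemp -d)
    awk -v d="$t" '/-----BEGIN CERT/{n++}
        n==1{print > (d "/leaf.pem")} n>1{print > (d "/rest.pem")}' "$1"
    touch "$t/rest.pem"
    openssl pkey -in "$3" -pubout 2>/dev/null > "$t/key.pub"
    openssl x509 -in "$t/leaf.pem" -noout -pubkey 2>/dev/null > "$t/cert.pub"
    if ! cmp -s "$t/key.pub" "$t/cert.pub"; then
        echo "$1: first certificate does not match $3 (intermediate placed first?)"
        rm -rf "$t"; return 1
    fi
    extra=""; [ -s "$t/rest.pem" ] && extra="-untrusted $t/rest.pem"
    if openssl verify -CAfile "$2" $extra "$t/leaf.pem" >/dev/null 2>&1; then
        echo "$1: chain verifies up to $2"; rm -rf "$t"; return 0
    fi
    echo "$1: client cannot reach a trusted CA (the 'unknown ca' alert case)"
    rm -rf "$t"; return 1
}

cat server.pem inter.pem > chain_ok.pem        # correct: server cert, then intermediate
cp server.pem chain_no_inter.pem               # intermediate missing
cat inter.pem server.pem > chain_reversed.pem  # intermediate first: key/cert mismatch
for f in chain_ok.pem chain_no_inter.pem chain_reversed.pem; do
    check_chain "$f" root.pem server.key
done
```

Running the same check against a real TLS_CERTFILE (which also carries the private key ahead of the certificates; the key block is ignored by the split) and the CA bundle the failing client trusts tells you whether the file order or a missing intermediate is the cause.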


_______________________________________________
Courier-imap mailing list