Kurt Roeckx wrote:

With which program do you connect to dovecot?  Are you doing
it with imap (port 143) or imaps (port 993)?

I tried icedove (2.0.0.22) and Apple Mail.
Icedove originally was set to use TLS with port 143 and Apple Mail had its "use ssl" setting set, which results in using port 993.
Both failed to connect to dovecot after the upgrade to libssl0.9.8m-(1/2).

I then tried icedove using port 993 too and it fails.


Can you try connecting to it using s_client?  Something like:
openssl s_client -connect localhost:143 -starttls imap -CAfile /etc/ssl/certs/dovecot.pem
or:
openssl s_client -connect localhost:993 -CAfile /etc/ssl/certs/dovecot.pem

Does that work?  Does that produce anything in the log file
indicating an error with tls/ssl?

With libssl0.9.8m-2:

b...@hydrogen:~$ openssl s_client -connect localhost:143 -starttls imap -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
5768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Logfile:
Mar 19 03:42:54 hydrogen dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm


Now using port 993:

b...@hydrogen:~$ openssl s_client -connect localhost:993 -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
5987:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Logfile:
Mar 19 03:54:36 hydrogen dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm


After going back from libssl0.9.8m-2 to libssl0.9.8_0.9.8k-8 and restarting dovecot, all works fine again (as it did the last few years):

b...@hydrogen:~$ openssl s_client -connect localhost:143 -starttls imap -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/O=********.de/OU=mail services/CN=mailhost.********.de/emailaddress=postmas...@********.de
   i:/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
 1 s:/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
   i:/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
---
Server certificate
-----BEGIN CERTIFICATE-----

**shortened**

-----END CERTIFICATE-----
subject=/C=DE/O=****.de/OU=mail services/CN=mailhost.****.de/emailaddress=postmas...@****.de
issuer=/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
---
No client certificate CA names sent
---
SSL handshake has read 4245 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D452D27272507C8F56C1D86643A8AC8C7BC555E718440AC737F299E8BE397EB2
    Session-ID-ctx:
    Master-Key: C1CB9A54BF521634A4725790A2BDB43F806B745BBDF322DB01137721E5ED334B03564352469FA6D4072279B6C30B76E5
    Key-Arg   : None
    Start Time: 1268967813
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Capability completed.
* BYE Disconnected for inactivity.
closed


Using port 993:

b...@hydrogen:~$ openssl s_client -connect localhost:993 -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/O=********.de/OU=mail services/CN=mailhost.********.de/emailaddress=postmas...@********.de
   i:/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
 1 s:/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
   i:/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
---
Server certificate
-----BEGIN CERTIFICATE-----

**shortened**

-----END CERTIFICATE-----
subject=/C=DE/O=****.de/OU=mail services/CN=mailhost.****.de/emailaddress=postmas...@****.de
issuer=/C=DE/O=****/OU=CA authority/CN=**** CA/emailaddress=hostmas...@****.de
---
No client certificate CA names sent
---
SSL handshake has read 3723 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D04E6459CE760E5ADC0FFAAEEDFE08E07B14DE6D5C84FD6B4DE767A8C7C1A19E
    Session-ID-ctx:
    Master-Key: F26A201431F9E1C7B7F80FFF033C4959D1F729FDD2CF460537EC6B5D154689FCEFC72AF03A7A4C38D68CA943C91BDCAA
    Key-Arg   : None
    Start Time: 1268968202
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Imapd ready.

I need some way to reproduce this.

I'll try to find time at the weekend to find a way to reproduce this.


Marcus
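The dovecot log lines quoted above carry the OpenSSL error triple (library, function, reason) that pinpoints where SSL_accept() gave up. As an added example that is not part of this thread, the following script extracts that triple from imap-login "TLS handshaking" failures and groups the failures by error code and client address, so a library-wide breakage (every client failing with the same reason after a libssl upgrade) stands out from one misbehaving client. The log lines are constructed to match the format shown in the thread; field names are my own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the imap-login lines quoted in the thread
# (two failed handshakes plus one unrelated successful login).
SAMPLE_LOG = """\
Mar 19 03:42:54 hydrogen dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
Mar 19 03:54:36 hydrogen dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
Mar 19 04:01:02 hydrogen dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=127.0.0.1, TLS
"""

# syslog prefix: timestamp, host, "dovecot:", service name, free-form message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) dovecot: (?P<svc>[\w-]+): (?P<msg>.*)$"
)
# OpenSSL error string as dovecot logs it: error:<8 hex digits>:<lib>:<func>:<reason>
TLS_FAIL_RE = re.compile(
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), TLS handshaking: "
    r"(?P<call>\w+\(\)) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)


def parse_tls_failures(text):
    """Return one dict per log line that records a failed TLS handshake."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = TLS_FAIL_RE.search(m.group("msg"))
        if not f:
            continue  # not a handshake failure (e.g. a normal login)
        rec = {"ts": m.group("ts"), "host": m.group("host"), "service": m.group("svc")}
        rec.update(f.groupdict())
        out.append(rec)
    return out


def summarize(failures):
    """Count failures per OpenSSL error code and per client address."""
    return {
        "by_code": dict(Counter(f["code"] for f in failures)),
        "by_rip": dict(Counter(f["rip"] for f in failures)),
    }


if __name__ == "__main__":
    fails = parse_tls_failures(SAMPLE_LOG)
    for f in fails:
        print(f["ts"], f["rip"], f["code"], f["lib"], f["func"], f["reason"])
    print(summarize(fails))
```

Pointing it at /var/log/mail.log instead of the sample shows at a glance whether the failures started with the libssl upgrade and whether they come from every client or only one.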



