Problems installing ssl certificate for cyrus imap
Hello,

I'm trying to configure Cyrus imap v 2.2.12 with SSL. It works ok when using a self signed certificate that is in pem format. But, when I configure it to use the certificate we purchased from Comodo, I have problems. I am testing the key using the command "openssl s_client -connect foobar:993", and I get an "unknown protocol" error.

I ran the openssl command in debug mode, and at the same time ran tcpflow on the imap server. The tcpflow has a message "enter PEM passphrase". When I created the private key and csr I had to enter a passphrase because it wouldn't let me keep it null. Could this be part of the problem? How do I fix it?

Any help would be greatly appreciated as I'm new to imap and ssl. Below is some output that may be helpful.

This is the command I'm using to test the certificate and the error that I get:

    [EMAIL PROTECTED] certs]# openssl s_client -connect foobar:993
    CONNECTED(0003)
    24518:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

This is output of the openssl command in debug mode, and the tcpflow:

    [EMAIL PROTECTED] certs]# openssl s_client -debug -connect foobar:993
    CONNECTED(0003)
    write to 0907B310 [0907B358] (142 bytes => 142 (0x8E))
    0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ..c... ..9..
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
    0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.f.
    0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .c..
    0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...@
    0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`...
    0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 c8 ee
    0070 - 81 dc 07 4f 07 79 10 0f-a3 a0 5a 84 ca 3b b0 05   ...O.yZ..;..
    0080 - 22 fc c8 b6 75 ee 2b 9a-1c 79 46 51 13 4e         "...u.+..yFQ.N
    read from 0907B310 [090808B8] (7 bytes => 7 (0x7))
    0000 - 45 6e 74 65 72 20 50                              Enter P
    25977:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

    [EMAIL PROTECTED] etc]# tcpflow -i eth0 -c tcp and port 993
    tcpflow[5999]: listening on eth0
    123.45.67.89.35902-123.45.67.90.00993: ..c... ..9..8..5 .3..2../[EMAIL PROTECTED]
    123.45.67.90.00993-123.45.67.89.35902: Enter PEM pass phrase:

My /etc/imapd.conf file contains these lines:

    tls_cert_file: /usr/share/ssl/certs/imap-server.crt
    tls_key_file: /usr/share/ssl/certs/imap-server.key
    tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt

Thanks!
Nicole

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Problems installing ssl certificate for cyrus imap
Hi Cristian,

> usually if the server has SSL/TLS capability it advertises that in
> the response to the 'capability' IMAP command:

We have telnet disabled so I can't try this.

> try to remove the password from the certificate key file,
> just as easy as :
> openssl rsa -in imap-server.key -out imap-server.noPass.key
> If it asks for a password, then just press enter.

I tried this, and pointed my configuration file to use the new key file without the password. This got me a little further. I am still seeing some errors like "unable to verify first certificate".

The certificate that we purchased has an intermediate certificate. Have you ever dealt with an intermediate certificate before? I tried to replace the tls_ca_file value with a file containing that intermediate certificate that I received with the signed certificate, and I didn't see the error anymore. I don't know if that is going to cause any problems though.

This is the error I get when tls_ca_file points to the ca_bundle file that comes with openssl:

    [EMAIL PROTECTED] certs]# openssl s_client -connect imap1:993
    CONNECTED(0003)
    depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
    verify error:num=21:unable to verify the first certificate
    verify return:1

This is what I get when I replace tls_ca_file with the intermediate certificate:

    [EMAIL PROTECTED] certs]# openssl s_client -connect imap:993
    CONNECTED(0003)
    depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---

Thank you so much for your suggestions.
Nicole
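A pre-flight check for the three imapd.conf options quoted in this thread, added here as an example and not taken from the thread or from Cyrus itself: it flags a passphrase-protected tls_key_file (the daemon has no terminal, so the "Enter PEM pass phrase:" prompt went out on the port 993 socket in the tcpflow capture, and s_client reported it as "unknown protocol") and a tls_cert_file or tls_ca_file with no certificate in it. The conf text and PEM files are constructed placeholders; the Proc-Type/ENCRYPTED markers are the real PEM conventions, the base64 bodies are not key material.

```python
import re
# One PEM block; group 1 is its label, e.g. "RSA PRIVATE KEY" or "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY"}

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines; blank and '#' lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def pem_blocks(pem_text):
    """Return [(label, whole block text)] for every PEM block in the file."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(pem_text)]

def key_is_encrypted(pem_text):
    """PKCS#8 'ENCRYPTED PRIVATE KEY', or a traditional key with 'Proc-Type: 4,ENCRYPTED'."""
    return any(label == "ENCRYPTED PRIVATE KEY"
               or (label in KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in body)
               for label, body in pem_blocks(pem_text))

def check_tls_files(conf, read_file):
    """Return a list of findings; read_file(path) returns that file's text."""
    findings = []
    if key_is_encrypted(read_file(conf.get("tls_key_file", ""))):
        findings.append("tls_key_file: key is passphrase-protected; imapd will block on "
                        "'Enter PEM pass phrase' and clients see 'unknown protocol'")
    for option in ("tls_cert_file", "tls_ca_file"):
        labels = [label for label, _ in pem_blocks(read_file(conf.get(option, "")))]
        if "CERTIFICATE" not in labels:
            findings.append(option + ": no CERTIFICATE block found")
    return findings

# Constructed sample: the imapd.conf lines from the thread plus fake PEM files (placeholder base64).
SAMPLE_CONF = "tls_cert_file: /usr/share/ssl/certs/imap-server.crt\ntls_key_file: /usr/share/ssl/certs/imap-server.key\ntls_ca_file: /usr/share/ssl/certs/ca-bundle.crt\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQUJDREVGMDEyMw==\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "/usr/share/ssl/certs/imap-server.key": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJDREVGMDEyMw==\n-----END RSA PRIVATE KEY-----\n"),
    "/usr/share/ssl/certs/imap-server.crt": FAKE_CERT,
    "/usr/share/ssl/certs/ca-bundle.crt": FAKE_CERT,
}

def run_sample():
    return check_tls_files(parse_imapd_conf(SAMPLE_CONF), lambda p: SAMPLE_FILES.get(p, ""))
```

Against the constructed sample only the passphrase finding fires; on a real host, swap the lambda for a function that opens the path.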
Re: Problems installing ssl certificate for cyrus imap
Hi Andy,

Right now I'm trying to solve the problem of why I see the "unable to get local issuer certificate" messages when running the openssl s_client command. I'm not that familiar with ssl (or imap) and I don't know if this is normal or not, or if ssl is working properly. Comodo sent an intermediate CA certificate along with the signed ssl certificate, that I don't know what to do with.

Thanks,
Nicole

>>> Andrew Morgan <[EMAIL PROTECTED]> 09/26/05 5:11 PM >>>
On Mon, 26 Sep 2005, Nicole Skyrca wrote:

> Hi Cristian,
>
>> usually if the server has SSL/TLS capability it advertises that in
>> the response to the 'capability' IMAP command:
>
> We have telnet disabled so I can't try this.
>
>> try to remove the password from the certificate key file,
>> just as easy as :
>> openssl rsa -in imap-server.key -out imap-server.noPass.key
>> If it asks for a password, then just press enter.
>
> I tried this, and pointed my configuration file to use the new key file
> without the password. This got me a little further. I am still seeing
> some errors like "unable to verify first certificate".
>
> The certificate that we purchased has an intermediate certificate.
> Have you ever dealt with an intermediate certificate before? I tried to
> replace the tls_ca_file value with a file containing that intermediate
> certificate that I received with the signed certificate, and I didn't see
> the error anymore. I don't know if that is going to cause any problems
> though.
>
> This is the error I get when tls_ca_file points to the ca_bundle
> file that comes with openssl.
>
> [EMAIL PROTECTED] certs]# openssl s_client -connect imap1:993
> CONNECTED(0003)
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> This is what I get when I replace tls_ca_file with the intermediate
> certificate:
> [EMAIL PROTECTED] certs]# openssl s_client -connect imap:993
> CONNECTED(0003)
> depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
>
> Thank you so much for your suggestions.

What is the actual problem you are trying to solve? I have an SSL certificate signed by Thawte that I am using with Cyrus IMAP. It gives me the same messages as you when I use "openssl s_client" against it, but everything is working fine for me.

Sorry if I missed earlier parts of this thread.

Andy