Dovecot 2.3.0 TLS


Dovecot 2.3.0 TLS

Hauke Fath
All,

our dovecot installation provides a bundle of intermediate CA
certificates using the ssl_ca option.

2.3.0 does not supply the bundle, resulting in various clients either
complaining about an unverifiable server cert, or quietly not
connecting. The log has

Jan  5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking:
SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown: SSL alert number 46,
session=<uKK/kAlia+GCUyU5>

We fixed the issue by downgrading to 2.2.33.2.

Cheerio,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344

Re: Dovecot 2.3.0 TLS

Aki Tuomi-2


On 11.01.2018 12:18, Hauke Fath wrote:

> All,
>
> our dovecot installation provides a bundle of intermedia CA
> certificates using the ssl_ca option.
>
> 2.3.0 does not supply the bundle, resulting in various clients either
> complaining about an unverifiable server cert, or quietly not
> connecting. The log has
>
> Jan  5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking:
> SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
> alert certificate unknown: SSL alert number 46,
> session=<uKK/kAlia+GCUyU5>
>
> We fixed the issue by downgrading to 2.2.33.2.
>
> Cheerio,
> hauke
>

Was the certificate path bundled in the server certificate?

Aki

Re: Dovecot 2.3.0 TLS

Hauke Fath
On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

Worked fine with 2.2.x, 2.3 gives

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
Darmstadt/CN=TUD CA G01/emailAddress=[hidden email]
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%


Re: Dovecot 2.3.0 TLS

Aki Tuomi-2


On 11.01.2018 13:20, Hauke Fath wrote:

> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>> Was the certificate path bundled in the server certificate?
> No, as a separate file, provided from the local (intermediate) CA:
>
> ssl_cert = </etc/openssl/certs/server.cert
> ssl_key = </etc/openssl/private/server.key
> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>
> Worked fine with 2.2.x, 2.3 gives
>
> % openssl s_client -connect XXX:993
> CONNECTED(00000006)
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> Darmstadt/CN=TUD CA G01/emailAddress=[hidden email]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> %
>

Seems we might've made an unexpected change here when we revamped the ssl
code. Can you try whether it works if you concatenate the cert and cert chain
into a single file? We'll start looking into whether this is a misunderstanding or a bug.

Aki

Re: Dovecot 2.3.0 TLS

Hauke Fath
On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
> Can you try if it works if you concatenate the cert and cert-chain
> to single file? We'll start looking if this is misunderstanding or bug.

This is a production machine, so I would rather stick with the
downgrade until you've looked into the issue. I went home late
yesterday.  ;)

Cheerio,
Hauke


Re: Dovecot 2.3.0 TLS

Aki Tuomi-2


On 11.01.2018 13:28, Hauke Fath wrote:

> On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
>> Can you try if it works if you concatenate the cert and cert-chain
>> to single file? We'll start looking if this is misunderstanding or bug.
> This is a production machine, so I would rather stick with the
> downgrade until you've looked into the issue. I went home late
> yesterday.  ;)
>
> Cheerio,
> Hauke
>

Fine. You might want to invest in a test environment, by the way. It's
far safer for trying out new major releases and stuff. =)

Aki

Re: Dovecot 2.3.0 TLS

Hauke Fath
On Thu, 11 Jan 2018 13:29:02 +0200, Aki Tuomi wrote:
> You might want to invest into a test environment, by the way. It's
> far more safe to try out new major releases and stuff. =)

Fair enough.

With SSL certs, this gets a bit involved, though. This is a small site
with a few dozen users, so I have a bit of flexibility. And in the
present case a test bed wouldn't have saved me: The first reports came
in a week after roll-out, mainly from users of android clients. I don't
know if the desktop clients cache the intermediate certs, or if they
just don't care.

Cheerio,
hauke


Re: Dovecot 2.3.0 TLS

Olaf Hopp
In reply to this post by Aki Tuomi-2
On 01/11/2018 12:22 PM, Aki Tuomi wrote:

>
>
> On 11.01.2018 13:20, Hauke Fath wrote:
>> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>>> Was the certificate path bundled in the server certificate?
>> No, as a separate file, provided from the local (intermediate) CA:
>>
>> ssl_cert = </etc/openssl/certs/server.cert
>> ssl_key = </etc/openssl/private/server.key
>> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>>
>> Worked fine with 2.2.x, 2.3 gives
>>
>> % openssl s_client -connect XXX:993
>> CONNECTED(00000006)
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>   0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>>     i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/CN=TUD CA G01/emailAddress=[hidden email]
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [...]
>> %
>>
>
> Seems we might've made a unexpected change here when we revamped the ssl
> code. Can you try if it works if you concatenate the cert and cert-chain
> to single file? We'll start looking if this is misunderstanding or bug.
>
> Aki
>
Hello,
let me confirm this issue.
I have a setup similar to Hauke Fath's. Doing the workaround suggested by Aki,

      cat /etc/openssl/certs/ca-cert-chain.pem >> /etc/openssl/certs/server.cert

and removing "ssl_ca" from the config file presents the correct CA chain,
whereas the original config presented my own server cert three times as the chain.


Since server certs tend to change more frequently than the CA chains,
I really want to keep them in separate files.

So this is really a show stopper for me.

CU, Olaf




--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: [hidden email]
atis.informatik.kit.edu

www.kit.edu

KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.
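Aki's suggestion (concatenate the cert and the chain into one file) and Olaf's confirmation above, as an added example that is not code from the thread or from the Dovecot project: it builds a throwaway root/intermediate/leaf hierarchy with openssl, assembles a separate fullchain file for ssl_cert without modifying server.cert, and reproduces the num=20 verify error a client hits when only the leaf is served. The file names, the Test Root / Test Intermediate / imap.example.test subjects and the 30-day lifetimes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: constructed root ->
# intermediate -> leaf hierarchy, one ssl_cert file, client-side chain check.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Throwaway test CA: names and 30-day lifetimes are placeholders, not real certs.
make_hierarchy() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > leaf.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root' \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out ca-cert-chain.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=imap.example.test' \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca-cert-chain.pem -CAkey int.key \
    -CAcreateserial -days 30 -extfile leaf.ext -out server.cert 2>/dev/null
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }
# build_fullchain LEAF CHAIN OUT: leaf first, then the chain, each certificate
# written once. Unlike 'cat chain >> server.cert' it is safe to re-run and
# leaves server.cert and ca-cert-chain.pem as separate files.
build_fullchain() {
  cat "$1" "$2" | awk '
    /-----BEGIN CERTIFICATE-----/ { blk = ""; keep = 1 }
    keep { blk = blk $0 "\n" }
    /-----END CERTIFICATE-----/ { if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }; keep = 0 }
  ' > "$3"
  count_certs "$3"
}

# verify_fullchain FULLCHAIN ROOT: can the first certificate be chained to ROOT
# using only the other certificates in FULLCHAIN, as a client must do with what
# the server sends? Exit status 0 means yes.
verify_fullchain() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" > leaf.pem
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1'  "$1" > untrusted.pem
  if [ -s untrusted.pem ]; then
    openssl verify -CAfile "$2" -untrusted untrusted.pem leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" leaf.pem >/dev/null 2>&1
  fi
}

make_hierarchy
# The leaf alone is what 2.3 served while the chain sat only in ssl_ca:
if verify_fullchain server.cert root.pem; then echo "leaf alone verifies"
else echo "leaf alone: unable to get local issuer certificate (s_client error num=20)"; fi
build_fullchain server.cert ca-cert-chain.pem fullchain.pem >/dev/null
if verify_fullchain fullchain.pem root.pem; then echo "fullchain.pem verifies: use it as ssl_cert"; fi
```

Point ssl_cert at the generated fullchain file and re-run the build step whenever server.cert is renewed; ssl_ca then only needs to be set if you verify client certificates.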




Re: Dovecot 2.3.0 TLS

Odhiambo Washington-4
In reply to this post by Aki Tuomi-2


On 11 January 2018 at 14:29, Aki Tuomi <[hidden email]> wrote:


On 11.01.2018 13:28, Hauke Fath wrote:
> On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
>> Can you try if it works if you concatenate the cert and cert-chain
>> to single file? We'll start looking if this is misunderstanding or bug.
> This is a production machine, so I would rather stick with the
> downgrade until you've looked into the issue. I went home late
> yesterday.  ;)
>
> Cheerio,
> Hauke
>

Fine. You might want to invest into a test environment, by the way. It's
far more safe to try out new major releases and stuff. =)

Aki

...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and 9.3
...and my reports were ignored, so should I assume support for those has been dropped?




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Re: Dovecot 2.3.0 TLS

Matthias Fechner
Dear Odhiambo,

Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and 9.3
....and my reports were ignored, so should I assume support for those has been dropped?

Support for FreeBSD 8.4 stopped August 1, 2015.
Support for FreeBSD 9.3 stopped December 31, 2016

Please see here:
https://www.freebsd.org/security/unsupported.html

You should really upgrade to current version 10.4 or 11.1.

Gruß
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook

Re: Dovecot 2.3.0 TLS

Odhiambo Washington-4


On 22 January 2018 at 23:10, Matthias Fechner <[hidden email]> wrote:
Dear Odhiambo,

Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and 9.3
....and my reports were ignored, so should I assume support for those has been dropped?

Support for FreeBSD 8.4 stopped August 1, 2015.
Support for FreeBSD 9.3 stopped December 31, 2016

Please see here:
https://www.freebsd.org/security/unsupported.html

You should really upgrade to current version 10.4 or 11.1.

Gruß
Matthias

Hello Matthias,

I am running the latest version of Dovecot on FreeBSD 8.4, 9.3 and 11.
I am not really planning to upgrade now, unless I am told that Dovecot 2.3.x will not compile on them. In which case I can let them run the version they have and forget about 2.3.
Until I hear such from Aki or Timo, I will wait :-)

 




Re: Dovecot 2.3.0 TLS

Aki Tuomi-2



On 22.01.2018 22:14, Odhiambo Washington wrote:


On 22 January 2018 at 23:10, Matthias Fechner <[hidden email]> wrote:
Dear Odhiambo,

Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and 9.3
....and my reports were ignored, so should I assume support for those has been dropped?

Support for FreeBSD 8.4 stopped August 1, 2015.
Support for FreeBSD 9.3 stopped December 31, 2016

Please see here:
https://www.freebsd.org/security/unsupported.html

You should really upgrade to current version 10.4 or 11.1.

Gruß
Matthias

              
Hello Matthias,

I am running the latest version of Dovecot on FreeBSD 8.4, 9.3 and 11.
I am not really planning to upgrade now, unless I am told that Dovecot 2.3.x will not compile on them. In which case I can let them run the version they have and forget about 2.3.
Until I hear such from Aki or Timo, I will wait :-)

 



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Have you tried compiling latest 2.3.0 instead of RC?

Aki

Re: Dovecot 2.3.0 TLS

Odhiambo Washington-4


On 23 January 2018 at 10:35, Aki Tuomi <[hidden email]> wrote:



On 22.01.2018 22:14, Odhiambo Washington wrote:


On 22 January 2018 at 23:10, Matthias Fechner <[hidden email]> wrote:
Dear Odhiambo,

Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and 9.3
....and my reports were ignored, so should I assume support for those has been dropped?

Support for FreeBSD 8.4 stopped August 1, 2015.
Support for FreeBSD 9.3 stopped December 31, 2016

Please see here:
https://www.freebsd.org/security/unsupported.html

You should really upgrade to current version 10.4 or 11.1.

Gruß
Matthias

              
Hello Matthias,

I am running the latest version of Dovecot on FreeBSD 8.4, 9.3 and 11.
I am not really planning to upgrade now, unless I am told that Dovecot 2.3.x will not compile on them. In which case I can let them run the version they have and forget about 2.3.
Until I hear such from Aki or Timo, I will wait :-)

 



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Have you tried compiling latest 2.3.0 instead of RC?

Aki

Hello Aki,

I didn't even know that 2.3 was released. After the disappointment with the RC, I kinda got withdrawn.
I have just tested the 2.3 release and it compiles successfully on all my servers.

Thank you.



Re: Dovecot 2.3.0 TLS

Arkadiusz Miśkiewicz
In reply to this post by Aki Tuomi-2
On Thursday 11 of January 2018, Aki Tuomi wrote:

> Seems we might've made a unexpected change here when we revamped the ssl
> code.

Revamped, interesting, can it support millions of certs now on a single machine? (so
are certs loaded on demand and not wasting memory)

> Aki


--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Re: Dovecot 2.3.0 TLS

Aki Tuomi-2

> On January 23, 2018 at 7:09 PM Arkadiusz Miśkiewicz <[hidden email]> wrote:
>
>
> On Thursday 11 of January 2018, Aki Tuomi wrote:
>
> > Seems we might've made a unexpected change here when we revamped the ssl
> > code.
>
> Revamped, interesting, can it support milions certs now on single machine? (so
> are certs loaded by demand and not wasting memory)
>
> > Aki
>
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Unfortunately not. This time round it was about putting the ssl code mostly in one place, so that we use same code for all SSL connections.

Aki

Re: Dovecot 2.3.0 TLS

Mark Moseley
On Tue, Jan 23, 2018 at 10:05 AM, Aki Tuomi <[hidden email]> wrote:

> On January 23, 2018 at 7:09 PM Arkadiusz Miśkiewicz <[hidden email]> wrote:
>
>
> On Thursday 11 of January 2018, Aki Tuomi wrote:
>
> > Seems we might've made a unexpected change here when we revamped the ssl
> > code.
>
> Revamped, interesting, can it support milions certs now on single machine? (so
> are certs loaded by demand and not wasting memory)
>
> > Aki
>
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Unfortunately not. This time round it was about putting the ssl code mostly in one place, so that we use same code for all SSL connections.



Just to chime in, having some way of supporting SSL certs dynamically would be tremendously useful. Like splitting out the retrieval of certs/key to a socket, that would typically just be a built-in regular dovecot service ("go and get the certs that are configured in dovecot configs"), but could also be a custom unix listener that could return certs/keys. Dovecot would send in the local IP/port and/or SNI name (if there was one) to the socket and then use whatever comes back. A perl/python/etc script doing the unix listener could then grab the appropriate cert/key from wherever (and dovecot would presumably have a time-based cache for certs/keys).  This is just wish-listing :)

Currently, I've got a million different domains on my dovecot boxes, so allowing them all to use per-domain SSL is a bit challenging. I've been searching for an SSL proxy that supports something like nginx/openresty's "ssl_certificate_by_lua_file" (and can communicate the remote IP to dovecot like haproxy does) to put in front of dovecot, to no avail. Having something like that built directly into dovecot would be a dream (or something that can at least farm that functionality out to a custom daemon).