Dovecot 2.3.0 TLS

Dovecot 2.3.0 TLS

Hauke Fath
All,

our dovecot installation provides a bundle of intermediate CA
certificates using the ssl_ca option.

2.3.0 does not supply the bundle, resulting in various clients either
complaining about an unverifiable server cert, or quietly not
connecting. The log has

Jan  5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking:
SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
alert certificate unknown: SSL alert number 46,
session=<uKK/kAlia+GCUyU5>

We fixed the issue by downgrading to 2.2.33.2.

Cheerio,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
Re: Dovecot 2.3.0 TLS

Aki Tuomi-2


On 11.01.2018 12:18, Hauke Fath wrote:

> All,
>
> our dovecot installation provides a bundle of intermediate CA
> certificates using the ssl_ca option.
>
> 2.3.0 does not supply the bundle, resulting in various clients either
> complaining about an unverifiable server cert, or quietly not
> connecting. The log has
>
> Jan  5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking:
> SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
> alert certificate unknown: SSL alert number 46,
> session=<uKK/kAlia+GCUyU5>
>
> We fixed the issue by downgrading to 2.2.33.2.
>
> Cheerio,
> hauke
>

Was the certificate path bundled in the server certificate?

Aki
Re: Dovecot 2.3.0 TLS

Hauke Fath
On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

Worked fine with 2.2.x, 2.3 gives

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
Darmstadt/CN=TUD CA G01/emailAddress=[hidden email]
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
Re: Dovecot 2.3.0 TLS

Aki Tuomi-2


On 11.01.2018 13:20, Hauke Fath wrote:

> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>> Was the certificate path bundled in the server certificate?
> No, as a separate file, provided from the local (intermediate) CA:
>
> ssl_cert = </etc/openssl/certs/server.cert
> ssl_key = </etc/openssl/private/server.key
> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>
> Worked fine with 2.2.x, 2.3 gives
>
> % openssl s_client -connect XXX:993
> CONNECTED(00000006)
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> Darmstadt/CN=TUD CA G01/emailAddress=[hidden email]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> %
>

Seems we might've made an unexpected change here when we revamped the ssl
code. Can you try if it works if you concatenate the cert and cert-chain
into a single file? We'll start looking into whether this is a misunderstanding or a bug.

Aki
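To make the symptom in this thread checkable from saved command output, here is an added Python script (not code from the thread, and not Dovecot's own) that parses an `openssl s_client` transcript of the shape Hauke posted and flags a server that presents only its end-entity certificate, and that builds the single leaf-plus-chain file Aki suggests trying, with the leaf first as the TLS certificate message requires. The transcript and the PEM blocks embedded below are constructed stand-ins with placeholder names and bodies, not real certificates; the `ssl_cert = </path/to/bundle.pem` form in the comments is the Dovecot config syntax already shown in the thread.

```python
"""Check an `openssl s_client` transcript for a missing intermediate chain and
build a single leaf-plus-chain PEM file.

Added example for this thread; not code from the thread or from Dovecot.
Uses only the Python standard library."""
import re
from typing import Dict, List

# Constructed stand-in for the transcript posted in the thread: same shape,
# with the host-specific values replaced by placeholders.
SCLIENT_OUTPUT = """\
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Example, OU = XXX, CN = XXX.example.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Example, OU = XXX, CN = XXX.example.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Example/OU=XXX/CN=XXX.example.org
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Example/CN=Example Intermediate CA
---
Server certificate
-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----
"""

# Constructed PEM files (bodies are placeholders, not real certificates).
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nLEAFLEAF\n-----END CERTIFICATE-----\n"
CHAIN_PEM = (
    "# intermediate closest to the leaf\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEONE\n-----END CERTIFICATE-----\n"
    + LEAF_PEM  # leaf mistakenly copied into the chain file: must not be duplicated
    + "-----BEGIN CERTIFICATE-----\nINTERMEDIATETWO\n-----END CERTIFICATE-----\n"
)

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_chain(output: str) -> Dict[str, list]:
    """Collect the presented chain entries (subject/issuer) and verify errors."""
    entries: List[dict] = []
    errors: List[tuple] = []
    current = None
    in_chain = False
    for line in output.splitlines():
        m = VERIFY_ERR.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2)))
            continue
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if in_chain and line.strip() == "---":
            in_chain = False
            continue
        if in_chain:
            m = CHAIN_ENTRY.match(line)
            if m:
                current = {"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None}
                entries.append(current)
                continue
            m = ISSUER_LINE.match(line)
            if m and current is not None:
                current["issuer"] = m.group(1).strip()
    return {"entries": entries, "errors": errors}


def diagnose(parsed: Dict[str, list]) -> List[str]:
    """Explain why verification failed in terms of what the server actually sent."""
    findings: List[str] = []
    entries = parsed["entries"]
    codes = {code for code, _ in parsed["errors"]}
    if not entries:
        return ["no-chain: server presented no certificate"]
    # Each presented cert must be issued by the next one in the list.
    for a, b in zip(entries, entries[1:]):
        if a["issuer"] != b["subject"]:
            findings.append(f"broken-link: cert {a['index']} issuer does not match cert {b['index']} subject")
    last = entries[-1]
    if len(entries) == 1 and last["issuer"] != last["subject"] and 21 in codes:
        findings.append(f"leaf-only: server sent only the end-entity cert; intermediate '{last['issuer']}' is missing")
    elif 20 in codes:
        findings.append(f"untrusted: issuer '{last['issuer']}' of the last presented cert is not in the local trust store")
    return findings


def build_bundle(leaf_pem: str, chain_pem: str) -> str:
    """Concatenate leaf first, then the intermediates, dropping duplicates and
    any text between blocks. TLS requires the sender's own certificate first,
    each following certificate certifying the one before it."""
    leaf_blocks = PEM_BLOCK.findall(leaf_pem)
    if len(leaf_blocks) != 1:
        raise ValueError("leaf file must contain exactly one certificate")
    ordered = list(leaf_blocks)
    seen = set(leaf_blocks)
    for block in PEM_BLOCK.findall(chain_pem):
        if block not in seen:
            seen.add(block)
            ordered.append(block)
    return "\n".join(ordered) + "\n"


def count_certs(pem: str) -> int:
    return len(PEM_BLOCK.findall(pem))


if __name__ == "__main__":
    for finding in diagnose(parse_chain(SCLIENT_OUTPUT)):
        print(finding)
    bundle = build_bundle(LEAF_PEM, CHAIN_PEM)
    # Write the result to a file and point Dovecot at it: ssl_cert = </path/to/bundle.pem
    print(f"bundle holds {count_certs(bundle)} certificates")
```

Run against a real server, `openssl s_client -connect host:993 -showcerts` captured to a file and passed to `parse_chain` gives the same diagnosis; the `leaf-only` finding is exactly the state Hauke's transcript shows, where depth 0 is the only entry and its issuer is never presented.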
Re: Dovecot 2.3.0 TLS

Hauke Fath
On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
> Can you try if it works if you concatenate the cert and cert-chain
> into a single file? We'll start looking into whether this is a misunderstanding or a bug.

This is a production machine, so I would rather stick with the
downgrade until you've looked into the issue. I went home late
yesterday.  ;)

Cheerio,
Hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
Re: Dovecot 2.3.0 TLS

Aki Tuomi-2


On 11.01.2018 13:28, Hauke Fath wrote:

> On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
>> Can you try if it works if you concatenate the cert and cert-chain
>> into a single file? We'll start looking into whether this is a misunderstanding or a bug.
> This is a production machine, so I would rather stick with the
> downgrade until you've looked into the issue. I went home late
> yesterday.  ;)
>
> Cheerio,
> Hauke
>

Fine. You might want to invest in a test environment, by the way. It's
far safer for trying out new major releases and such. =)

Aki
Re: Dovecot 2.3.0 TLS

Hauke Fath
On Thu, 11 Jan 2018 13:29:02 +0200, Aki Tuomi wrote:
> You might want to invest in a test environment, by the way. It's
> far safer for trying out new major releases and such. =)

Fair enough.

With SSL certs, this gets a bit involved, though. This is a small site
with a few dozen users, so I have a bit of flexibility. And in the
present case a test bed wouldn't have saved me: The first reports came
in a week after roll-out, mainly from users of android clients. I don't
know if the desktop clients cache the intermediate certs, or if they
just don't care.

Cheerio,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344