Bug 173179
| Summary: | Can not connect to a dovecot server in IMAPS mode anymore | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | squirrelmail | Assignee: | Warren Togami <wtogami> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | jdennis, tmraz, wtogami |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-12-01 18:34:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 150221 | ||
|
Description
Nicolas Mailhot
2005-11-14 19:43:02 UTC
What happens when you run: openssl s_client -connect hostname:imaps BTW evo works on the smae server so the problem looks SM-specific
[nim@rousalka ~]$ openssl s_client -connect rousalka.dyndns.org:imaps
CONNECTED(00000003)
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/em
ailAddress=nicolas.mailhot
i:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddre
ss=nicolas.mailhot
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCRlIx
FjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlzMREwDwYDVQQK
DAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9yZzEqMCgGCSqG
SIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0MB4XDTA1MDYxMjEx
MzgzM1oXDTA2MDYxMjExMzgzM1owgaExCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
bGUtZGUtRnJhbmNlMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2Ex
DTALBgNVBAsMBGltYXAxHDAaBgNVBAMME3JvdXNhbGthLmR5bmRucy5vcmcxKjAo
BgkqhkiG9w0BCQEWG25pY29sYXMubWFpbGhvdEBsYXBvc3RlLm5ldDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdcqjTbawtqON2NFzq2e+aqNiNPqWId
romrNAAEA5EJpgf9Rz7tMc+ctQ7OyjbJd+PpgkuvPRA7fmXDOMD0LGPAqRljXInh
MZEXcKUcOcUB/CkCoxIvkQDvOvIGwPZPHbYo47C518KZVYfiPnEqpbC9YcegeyHj
etN9XCZwq9IEetXJioINv7qnv/jInihkSj3UdzAAOyrZW5y+5KinIvTsCpfU5ejd
s/mpOnsVXMNNPR9BYCrYuNw5vLgKz/hnqgOOt0X3cUlo5CN88VUJAifgKm13FZvQ
9txW2xG0DDdGlLad9ulJJN9EwXiV2+S1mIrPA6pRrE+dFK60zKbHQbcCAwEAAaOC
AR4wggEaMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTp6wb+c4fIGsJINMXu975/XNfwAjCB
vwYDVR0jBIG3MIG0gBTflTMynd5QlL2I+WpKZPw8u73ER6GBmKSBlTCBkjELMAkG
A1UEBhMCRlIxFjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlz
MREwDwYDVQQKDAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9y
ZzEqMCgGCSqGSIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0ggEA
MA0GCSqGSIb3DQEBBAUAA4IBAQChr1adcPISOkWjNRpmY82I9dFNAVlBxaWr9pTX
Ks24r3wTnfoIIt1YxfR8+yqHjDNQmoasuXSAB4DaojGFfmZ5bb4i7rZ5K9T3X1B/
jJTJwAQPgdp4BwC+vhNa19DiSgwXG0dv0C2SYdh2Vx+Wj4Ys0ibDIKf85x1nbKk7
/UNcOmjwEHXCJ5up/IL6EFjBbgsh2AWoDjrrONecQWt0nzVN45Zxw9Cd2i/kx18L
yWRBSYF8whFY4PKJD7J1FTgplx2TK/Xjad+cDuTDGTXiAPgJQr1Et6p+jtIacgZc
nyjZbCJ3Pb6H8mLmNt2PQ4L28d2JapYd28ZXD0T1STvY17sL
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot
issuer=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAdd
ress=nicolas.mailhot
---
No client certificate CA names sent
---
SSL handshake has read 1398 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: E55C6ABFF54E037D16500B0A52DF0EDBDEA33148CDCB41794A4E5DF31F5AC17C
Session-ID-ctx:
Master-Key: F19F2BD3A910B9620FF4105AE46B4A1A7481A3A50681C4D5515B0EF8AF9EB116
97B9C26DAA6C0A6564E6CED37A544CA7
Key-Arg : None
Krb5 Principal: None
Start Time: 1131998673
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK dovecot ready.
The error is: ERROR: Connection dropped by IMAP server. SM worked in this config the 4th, broke between this date and today Its conf didn't change squirrelmail-20051114_0000-CVS produces the same result Changing to imap works but is not a long-term solution (BTW care to take a peek at bug #162852 before FC5 ?) Well from the SSL point of view there is nothing special with the connection. The issuer of the server certificate is not trusted by the s_client but otherwise everything seems to work fine. I suppose PHP's or SM imaps code is not too robust and didn't like one bit of the SSL bump It's still a regression though :( Looks like an ssl issue, so I'm going to drop off the cc list ... feel free to add me back if you find something implicating the mysql update ... I have not had an opportunity to examine the error messages in detail, but if in fact the problem is the certificate is not trusted by the client then that might very well be because the SSL certificates installed by default with dovecot are self-signed. Unless some OpenSSL option changed to make trust mandatory this should not be the problem The client configuration and the certificate haven't changed for months. The only bit that changed is the openssl/dovecot update The s_client output shows that the certificate is not self signed. Not that it ever made a difference in the past, but where am I supposed to drop the certificates (*.crt) in /etc/pki to get them recognized by openssl ? Will it change SM behaviour ? Put the CA certificate in PEM format at the end of the
/etc/pki/tls/certs/ca-bundle.crt file.
> Will it change SM behaviour ?
Most probably not.
(In reply to comment #11) > Put the CA certificate in PEM format at the end of the > /etc/pki/tls/certs/ca-bundle.crt file. This does not seem to work. Am I missing something ? The same cert is accepted by evo as a CA Just for the feelgood factor, with explicit CApath it works :
[nim@rousalka tls]$ openssl s_client -CApath /etc/pki/tls/certs/ -connect
rousalka.dyndns.org:imaps
CONNECTED(00000003)
depth=1
/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP
server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify return:1
---
Certificate chain
0 s:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP
server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
i:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCRlIx
FjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlzMREwDwYDVQQK
DAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9yZzEqMCgGCSqG
SIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0MB4XDTA1MTExNTIw
MzAzOFoXDTA2MTExNTIwMzAzOFowgagxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
bGUtZGUtRnJhbmNlMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2Ex
FDASBgNVBAsMC0lNQVAgc2VydmVyMRwwGgYDVQQDDBNyb3VzYWxrYS5keW5kbnMu
b3JnMSowKAYJKoZIhvcNAQkBFhtuaWNvbGFzLm1haWxob3RAbGFwb3N0ZS5uZXQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxNNntDFeza2xsMxe1FiuG
Olx/RkRf1Znx7G0tTKAHFzEGwym15RK+cR+gU420o+mWLf68bGhC8qFk44Jcjy0m
AzCSlUqqtrKfoAX9E/eJFDCy/anWhnZU5eO2M5oh3K6heK96BSTN74nWRLHGmWAA
AVYb7Mw+jIUhHlSS9ZyXSu3hOkiDNIPtdaD9vzBaoLZMYAt67sUETIxc7FkMv2HP
T0hjr0ay/ULnKxM3J3hYCe4MqB0+dESff6bYehhAo8l1mczJAiivZ/QM7T3/QYBx
9YrGFnUimLCVD2EJThTVzoGrMxbBsFEaIG5nLxemEC22xTRR8puyF87jFVeJ/eT3
AgMBAAGjggEeMIIBGjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVKMiuambpycRwKcEPXH3
zSy50g0wgb8GA1UdIwSBtzCBtIAU35UzMp3eUJS9iPlqSmT8PLu9xEehgZikgZUw
gZIxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1JbGUtZGUtRnJhbmNlMQ4wDAYDVQQH
DAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2ExHDAaBgNVBAMME3JvdXNhbGthLmR5
bmRucy5vcmcxKjAoBgkqhkiG9w0BCQEWG25pY29sYXMubWFpbGhvdEBsYXBvc3Rl
Lm5ldIIBADANBgkqhkiG9w0BAQQFAAOCAQEAKBw3FUj+z/zmKL1bXxDTYrYndI//
qNcGZ5ZI4UprhPXB9M0wANZ+3i7L2s8RX4rcgS3yu2y98Xx7Dlzf5xly5ET2jK6H
s9L8cV4YGOfL+9GNzUGqlD/FEXbMNGmREsUwXUKcgzONn1QcLZHMzDVeljUyfenM
b8tJasqEKu1d+rvlD0IAlURr6p+dBqyrSmLhWNpjuMAGZvKTU+R5mLH+zbMF51uL
VmEwcIcxCMGLSxCSVsiH8E3bjHDWMhA50YgkB0IST8dGgMkQI7j9lMOccSehWVxz
HuiziYQbPJLbAM+oxdmQHPc8mTiQ5sC4Ub9vejt0p1678X0fCkcir8+1jg==
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP
server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
issuer=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
---
No client certificate CA names sent
---
SSL handshake has read 1405 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F8FE04858F63402DF2E869C63A259E4F95CA646AD6D02AD2C21335F7143AE959
Session-ID-ctx:
Master-Key:
ECFBE472938F3D0E5AB487B60269B10CC034A78DF2C7F0A6FCF36E3B0A551878EE179A1304357D99A920690BD5681184
Key-Arg : None
Krb5 Principal: None
Start Time: 1132088234
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK dovecot ready.
And I can confirm it does not change a bit for SM Could you please try openssl-0.9.8a-3 after it is released? There is some workaround for buggy compression in OpenSSL. retesting today (sorry for the delay, FC5t1 pushed on me more blocking bugs) with openssl-0.9.8a-4 SM works agains, so it was a problem in opnssl fixed since |