Bug 173179

Summary: Can not connect to a dovecot server in IMAPS mode anymore

| Field | Value |
|---|---|
| Product | Fedora |
| Component | squirrelmail |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Nicolas Mailhot <nicolas.mailhot> |
| Assignee | Warren Togami <wtogami> |
| CC | jdennis, tmraz, wtogami |
| Doc Type | Bug Fix |
| Last Closed | 2005-12-01 18:34:39 UTC |
| Bug Blocks | 150221 |
Description
Nicolas Mailhot
2005-11-14 19:43:02 UTC
What happens when you run: openssl s_client -connect hostname:imaps

BTW evo works on the same server so the problem looks SM-specific

```
[nim@rousalka ~]$ openssl s_client -connect rousalka.dyndns.org:imaps
CONNECTED(00000003)
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
   i:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCRlIx
FjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlzMREwDwYDVQQK
DAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9yZzEqMCgGCSqG
SIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0MB4XDTA1MDYxMjEx
MzgzM1oXDTA2MDYxMjExMzgzM1owgaExCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
bGUtZGUtRnJhbmNlMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2Ex
DTALBgNVBAsMBGltYXAxHDAaBgNVBAMME3JvdXNhbGthLmR5bmRucy5vcmcxKjAo
BgkqhkiG9w0BCQEWG25pY29sYXMubWFpbGhvdEBsYXBvc3RlLm5ldDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdcqjTbawtqON2NFzq2e+aqNiNPqWId
romrNAAEA5EJpgf9Rz7tMc+ctQ7OyjbJd+PpgkuvPRA7fmXDOMD0LGPAqRljXInh
MZEXcKUcOcUB/CkCoxIvkQDvOvIGwPZPHbYo47C518KZVYfiPnEqpbC9YcegeyHj
etN9XCZwq9IEetXJioINv7qnv/jInihkSj3UdzAAOyrZW5y+5KinIvTsCpfU5ejd
s/mpOnsVXMNNPR9BYCrYuNw5vLgKz/hnqgOOt0X3cUlo5CN88VUJAifgKm13FZvQ
9txW2xG0DDdGlLad9ulJJN9EwXiV2+S1mIrPA6pRrE+dFK60zKbHQbcCAwEAAaOC
AR4wggEaMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTp6wb+c4fIGsJINMXu975/XNfwAjCB
vwYDVR0jBIG3MIG0gBTflTMynd5QlL2I+WpKZPw8u73ER6GBmKSBlTCBkjELMAkG
A1UEBhMCRlIxFjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlz
MREwDwYDVQQKDAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9y
ZzEqMCgGCSqGSIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0ggEA
MA0GCSqGSIb3DQEBBAUAA4IBAQChr1adcPISOkWjNRpmY82I9dFNAVlBxaWr9pTX
Ks24r3wTnfoIIt1YxfR8+yqHjDNQmoasuXSAB4DaojGFfmZ5bb4i7rZ5K9T3X1B/
jJTJwAQPgdp4BwC+vhNa19DiSgwXG0dv0C2SYdh2Vx+Wj4Ys0ibDIKf85x1nbKk7
/UNcOmjwEHXCJ5up/IL6EFjBbgsh2AWoDjrrONecQWt0nzVN45Zxw9Cd2i/kx18L
yWRBSYF8whFY4PKJD7J1FTgplx2TK/Xjad+cDuTDGTXiAPgJQr1Et6p+jtIacgZc
nyjZbCJ3Pb6H8mLmNt2PQ4L28d2JapYd28ZXD0T1STvY17sL
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
issuer=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
---
No client certificate CA names sent
---
SSL handshake has read 1398 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E55C6ABFF54E037D16500B0A52DF0EDBDEA33148CDCB41794A4E5DF31F5AC17C
    Session-ID-ctx:
    Master-Key: F19F2BD3A910B9620FF4105AE46B4A1A7481A3A50681C4D5515B0EF8AF9EB11697B9C26DAA6C0A6564E6CED37A544CA7
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1131998673
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK dovecot ready.
```

The error is: ERROR: Connection dropped by IMAP server.

SM worked in this config the 4th, broke between this date and today. Its conf didn't change.

squirrelmail-20051114_0000-CVS produces the same result.

Changing to imap works but is not a long-term solution. (BTW care to take a peek at bug #162852 before FC5 ?)

Well from the SSL point of view there is nothing special with the connection. The issuer of the server certificate is not trusted by the s_client but otherwise everything seems to work fine.

I suppose PHP's or SM imaps code is not too robust and didn't like one bit of the SSL bump. It's still a regression though :(

Looks like an ssl issue, so I'm going to drop off the cc list ... feel free to add me back if you find something implicating the mysql update ...

I have not had an opportunity to examine the error messages in detail, but if in fact the problem is the certificate is not trusted by the client then that might very well be because the SSL certificates installed by default with dovecot are self-signed.

Unless some OpenSSL option changed to make trust mandatory this should not be the problem. The client configuration and the certificate haven't changed for months. The only bit that changed is the openssl/dovecot update. The s_client output shows that the certificate is not self signed.

Not that it ever made a difference in the past, but where am I supposed to drop the certificates (*.crt) in /etc/pki to get them recognized by openssl ? Will it change SM behaviour ?

Put the CA certificate in PEM format at the end of the /etc/pki/tls/certs/ca-bundle.crt file.

> Will it change SM behaviour ?

Most probably not.

(In reply to comment #11)
> Put the CA certificate in PEM format at the end of the
> /etc/pki/tls/certs/ca-bundle.crt file.

This does not seem to work. Am I missing something ? The same cert is accepted by evo as a CA.

Just for the feelgood factor, with explicit CApath it works :

```
[nim@rousalka tls]$ openssl s_client -CApath /etc/pki/tls/certs/ -connect rousalka.dyndns.org:imaps
CONNECTED(00000003)
depth=1 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
   i:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCRlIx
FjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlzMREwDwYDVQQK
DAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9yZzEqMCgGCSqG
SIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0MB4XDTA1MTExNTIw
MzAzOFoXDTA2MTExNTIwMzAzOFowgagxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
bGUtZGUtRnJhbmNlMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2Ex
FDASBgNVBAsMC0lNQVAgc2VydmVyMRwwGgYDVQQDDBNyb3VzYWxrYS5keW5kbnMu
b3JnMSowKAYJKoZIhvcNAQkBFhtuaWNvbGFzLm1haWxob3RAbGFwb3N0ZS5uZXQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxNNntDFeza2xsMxe1FiuG
Olx/RkRf1Znx7G0tTKAHFzEGwym15RK+cR+gU420o+mWLf68bGhC8qFk44Jcjy0m
AzCSlUqqtrKfoAX9E/eJFDCy/anWhnZU5eO2M5oh3K6heK96BSTN74nWRLHGmWAA
AVYb7Mw+jIUhHlSS9ZyXSu3hOkiDNIPtdaD9vzBaoLZMYAt67sUETIxc7FkMv2HP
T0hjr0ay/ULnKxM3J3hYCe4MqB0+dESff6bYehhAo8l1mczJAiivZ/QM7T3/QYBx
9YrGFnUimLCVD2EJThTVzoGrMxbBsFEaIG5nLxemEC22xTRR8puyF87jFVeJ/eT3
AgMBAAGjggEeMIIBGjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVKMiuambpycRwKcEPXH3
zSy50g0wgb8GA1UdIwSBtzCBtIAU35UzMp3eUJS9iPlqSmT8PLu9xEehgZikgZUw
gZIxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1JbGUtZGUtRnJhbmNlMQ4wDAYDVQQH
DAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2ExHDAaBgNVBAMME3JvdXNhbGthLmR5
bmRucy5vcmcxKjAoBgkqhkiG9w0BCQEWG25pY29sYXMubWFpbGhvdEBsYXBvc3Rl
Lm5ldIIBADANBgkqhkiG9w0BAQQFAAOCAQEAKBw3FUj+z/zmKL1bXxDTYrYndI//
qNcGZ5ZI4UprhPXB9M0wANZ+3i7L2s8RX4rcgS3yu2y98Xx7Dlzf5xly5ET2jK6H
s9L8cV4YGOfL+9GNzUGqlD/FEXbMNGmREsUwXUKcgzONn1QcLZHMzDVeljUyfenM
b8tJasqEKu1d+rvlD0IAlURr6p+dBqyrSmLhWNpjuMAGZvKTU+R5mLH+zbMF51uL
VmEwcIcxCMGLSxCSVsiH8E3bjHDWMhA50YgkB0IST8dGgMkQI7j9lMOccSehWVxz
HuiziYQbPJLbAM+oxdmQHPc8mTiQ5sC4Ub9vejt0p1678X0fCkcir8+1jg==
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
issuer=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot
---
No client certificate CA names sent
---
SSL handshake has read 1405 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: F8FE04858F63402DF2E869C63A259E4F95CA646AD6D02AD2C21335F7143AE959
    Session-ID-ctx:
    Master-Key: ECFBE472938F3D0E5AB487B60269B10CC034A78DF2C7F0A6FCF36E3B0A551878EE179A1304357D99A920690BD5681184
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1132088234
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK dovecot ready.
```

And I can confirm it does not change a bit for SM.

Could you please try openssl-0.9.8a-3 after it is released? There is some workaround for buggy compression in OpenSSL.

Retesting today (sorry for the delay, FC5t1 pushed on me more blocking bugs) with openssl-0.9.8a-4: SM works again, so it was a problem in openssl fixed since.