Bug 173179 - Can not connect to a dovecot server in IMAPS mode anymore
Can not connect to a dovecot server in IMAPS mode anymore
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: squirrelmail (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Warren Togami
:
Depends On:
Blocks: FC5Target
  Show dependency treegraph
 
Reported: 2005-11-14 14:43 EST by Nicolas Mailhot
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-12-01 13:34:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Mailhot 2005-11-14 14:43:02 EST
Description of problem:

Squirrelmail can not connect to a docvecot server in IMAPS mode anymore

-> probably caused by these dovecot changes :

* sam nov 12 2005 Tom Lane <tgl@redhat.com> - 0.99.14-10.fc5
- Rebuild due to mysql update.

* mer nov 09 2005 Tomas Mraz <tmraz@redhat.com> - 0.99.14-9.fc5
- rebuilt with new openssl
Comment 1 Tomas Mraz 2005-11-14 14:50:45 EST
What happens when you run:
openssl s_client -connect hostname:imaps
Comment 2 Nicolas Mailhot 2005-11-14 15:03:19 EST
BTW evo works on the smae server so the problem looks SM-specific

[nim@rousalka ~]$ openssl s_client -connect rousalka.dyndns.org:imaps
CONNECTED(00000003)
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot@laposte.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot@laposte.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot@laposte.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org/em
ailAddress=nicolas.mailhot@laposte.net
   i:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddre
ss=nicolas.mailhot@laposte.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCRlIx
FjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlzMREwDwYDVQQK
DAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9yZzEqMCgGCSqG
SIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0MB4XDTA1MDYxMjEx
MzgzM1oXDTA2MDYxMjExMzgzM1owgaExCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
bGUtZGUtRnJhbmNlMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2Ex
DTALBgNVBAsMBGltYXAxHDAaBgNVBAMME3JvdXNhbGthLmR5bmRucy5vcmcxKjAo
BgkqhkiG9w0BCQEWG25pY29sYXMubWFpbGhvdEBsYXBvc3RlLm5ldDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdcqjTbawtqON2NFzq2e+aqNiNPqWId
romrNAAEA5EJpgf9Rz7tMc+ctQ7OyjbJd+PpgkuvPRA7fmXDOMD0LGPAqRljXInh
MZEXcKUcOcUB/CkCoxIvkQDvOvIGwPZPHbYo47C518KZVYfiPnEqpbC9YcegeyHj
etN9XCZwq9IEetXJioINv7qnv/jInihkSj3UdzAAOyrZW5y+5KinIvTsCpfU5ejd
s/mpOnsVXMNNPR9BYCrYuNw5vLgKz/hnqgOOt0X3cUlo5CN88VUJAifgKm13FZvQ
9txW2xG0DDdGlLad9ulJJN9EwXiV2+S1mIrPA6pRrE+dFK60zKbHQbcCAwEAAaOC
AR4wggEaMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTp6wb+c4fIGsJINMXu975/XNfwAjCB
vwYDVR0jBIG3MIG0gBTflTMynd5QlL2I+WpKZPw8u73ER6GBmKSBlTCBkjELMAkG
A1UEBhMCRlIxFjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlz
MREwDwYDVQQKDAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9y
ZzEqMCgGCSqGSIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0ggEA
MA0GCSqGSIb3DQEBBAUAA4IBAQChr1adcPISOkWjNRpmY82I9dFNAVlBxaWr9pTX
Ks24r3wTnfoIIt1YxfR8+yqHjDNQmoasuXSAB4DaojGFfmZ5bb4i7rZ5K9T3X1B/
jJTJwAQPgdp4BwC+vhNa19DiSgwXG0dv0C2SYdh2Vx+Wj4Ys0ibDIKf85x1nbKk7
/UNcOmjwEHXCJ5up/IL6EFjBbgsh2AWoDjrrONecQWt0nzVN45Zxw9Cd2i/kx18L
yWRBSYF8whFY4PKJD7J1FTgplx2TK/Xjad+cDuTDGTXiAPgJQr1Et6p+jtIacgZc
nyjZbCJ3Pb6H8mLmNt2PQ4L28d2JapYd28ZXD0T1STvY17sL
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=imap/CN=rousalka.dyndns.org
/emailAddress=nicolas.mailhot@laposte.net
issuer=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAdd
ress=nicolas.mailhot@laposte.net
---
No client certificate CA names sent
---
SSL handshake has read 1398 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E55C6ABFF54E037D16500B0A52DF0EDBDEA33148CDCB41794A4E5DF31F5AC17C
    Session-ID-ctx:
    Master-Key: F19F2BD3A910B9620FF4105AE46B4A1A7481A3A50681C4D5515B0EF8AF9EB116
97B9C26DAA6C0A6564E6CED37A544CA7
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1131998673
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK dovecot ready.
Comment 3 Nicolas Mailhot 2005-11-14 15:15:18 EST
The error is:

ERROR: Connection dropped by IMAP server.

SM worked in this config the 4th, broke between this date and today
Its conf didn't change

squirrelmail-20051114_0000-CVS produces the same result

Changing to imap works but is not a long-term solution

(BTW care to take a peek at bug #162852 before FC5 ?)
Comment 4 Tomas Mraz 2005-11-14 15:20:29 EST
Well from the SSL point of view there is nothing special with the connection.
The issuer of the server certificate is not trusted by the s_client but
otherwise everything seems to work fine.
Comment 5 Nicolas Mailhot 2005-11-14 15:30:39 EST
I suppose PHP's or SM imaps code is not too robust and didn't like one bit of
the SSL bump 

It's still a regression though :(
Comment 6 Tom Lane 2005-11-14 16:11:58 EST
Looks like an ssl issue, so I'm going to drop off the cc list ... feel free to
add me back if you find something implicating the mysql update ...
Comment 7 John Dennis 2005-11-15 08:49:35 EST
I have not had an opportunity to examine the error messages in detail, but if in
fact the problem is the certificate is not trusted by the client then that might
very well be because the SSL certificates installed by default with dovecot are
self-signed.
Comment 8 Nicolas Mailhot 2005-11-15 09:01:25 EST
Unless some OpenSSL option changed to make trust mandatory this should not be
the problem

The client configuration and the certificate haven't changed for months. The
only bit that changed is the openssl/dovecot update
Comment 9 Tomas Mraz 2005-11-15 09:02:17 EST
The s_client output shows that the certificate is not self signed.
Comment 10 Nicolas Mailhot 2005-11-15 14:58:58 EST
Not that it ever made a difference in the past, but where am I supposed to drop
the certificates (*.crt) in /etc/pki to get them recognized by openssl ?

Will it change SM behaviour ?
Comment 11 Tomas Mraz 2005-11-15 15:15:57 EST
Put the CA certificate in PEM format at the end of the
/etc/pki/tls/certs/ca-bundle.crt file.

> Will it change SM behaviour ?
Most probably not.
Comment 12 Nicolas Mailhot 2005-11-15 15:46:37 EST
(In reply to comment #11)
> Put the CA certificate in PEM format at the end of the
> /etc/pki/tls/certs/ca-bundle.crt file.

This does not seem to work. Am I missing something ? The same cert is accepted
by evo as a CA

Comment 13 Nicolas Mailhot 2005-11-15 15:55:58 EST
Just for the feelgood factor, with explicit CApath it works :

[nim@rousalka tls]$ openssl s_client -CApath /etc/pki/tls/certs/ -connect
rousalka.dyndns.org:imaps
CONNECTED(00000003)
depth=1
/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot@laposte.net
verify return:1
depth=0 /C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP
server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot@laposte.net
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP
server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot@laposte.net
  
i:/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot@laposte.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCRlIx
FjAUBgNVBAgMDUlsZS1kZS1GcmFuY2UxDjAMBgNVBAcMBVBhcmlzMREwDwYDVQQK
DAhSb3VzYWxrYTEcMBoGA1UEAwwTcm91c2Fsa2EuZHluZG5zLm9yZzEqMCgGCSqG
SIb3DQEJARYbbmljb2xhcy5tYWlsaG90QGxhcG9zdGUubmV0MB4XDTA1MTExNTIw
MzAzOFoXDTA2MTExNTIwMzAzOFowgagxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
bGUtZGUtRnJhbmNlMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2Ex
FDASBgNVBAsMC0lNQVAgc2VydmVyMRwwGgYDVQQDDBNyb3VzYWxrYS5keW5kbnMu
b3JnMSowKAYJKoZIhvcNAQkBFhtuaWNvbGFzLm1haWxob3RAbGFwb3N0ZS5uZXQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxNNntDFeza2xsMxe1FiuG
Olx/RkRf1Znx7G0tTKAHFzEGwym15RK+cR+gU420o+mWLf68bGhC8qFk44Jcjy0m
AzCSlUqqtrKfoAX9E/eJFDCy/anWhnZU5eO2M5oh3K6heK96BSTN74nWRLHGmWAA
AVYb7Mw+jIUhHlSS9ZyXSu3hOkiDNIPtdaD9vzBaoLZMYAt67sUETIxc7FkMv2HP
T0hjr0ay/ULnKxM3J3hYCe4MqB0+dESff6bYehhAo8l1mczJAiivZ/QM7T3/QYBx
9YrGFnUimLCVD2EJThTVzoGrMxbBsFEaIG5nLxemEC22xTRR8puyF87jFVeJ/eT3
AgMBAAGjggEeMIIBGjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVKMiuambpycRwKcEPXH3
zSy50g0wgb8GA1UdIwSBtzCBtIAU35UzMp3eUJS9iPlqSmT8PLu9xEehgZikgZUw
gZIxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1JbGUtZGUtRnJhbmNlMQ4wDAYDVQQH
DAVQYXJpczERMA8GA1UECgwIUm91c2Fsa2ExHDAaBgNVBAMME3JvdXNhbGthLmR5
bmRucy5vcmcxKjAoBgkqhkiG9w0BCQEWG25pY29sYXMubWFpbGhvdEBsYXBvc3Rl
Lm5ldIIBADANBgkqhkiG9w0BAQQFAAOCAQEAKBw3FUj+z/zmKL1bXxDTYrYndI//
qNcGZ5ZI4UprhPXB9M0wANZ+3i7L2s8RX4rcgS3yu2y98Xx7Dlzf5xly5ET2jK6H
s9L8cV4YGOfL+9GNzUGqlD/FEXbMNGmREsUwXUKcgzONn1QcLZHMzDVeljUyfenM
b8tJasqEKu1d+rvlD0IAlURr6p+dBqyrSmLhWNpjuMAGZvKTU+R5mLH+zbMF51uL
VmEwcIcxCMGLSxCSVsiH8E3bjHDWMhA50YgkB0IST8dGgMkQI7j9lMOccSehWVxz
HuiziYQbPJLbAM+oxdmQHPc8mTiQ5sC4Ub9vejt0p1678X0fCkcir8+1jg==
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/OU=IMAP
server/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot@laposte.net
issuer=/C=FR/ST=Ile-de-France/L=Paris/O=Rousalka/CN=rousalka.dyndns.org/emailAddress=nicolas.mailhot@laposte.net
---
No client certificate CA names sent
---
SSL handshake has read 1405 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: F8FE04858F63402DF2E869C63A259E4F95CA646AD6D02AD2C21335F7143AE959
    Session-ID-ctx:
    Master-Key:
ECFBE472938F3D0E5AB487B60269B10CC034A78DF2C7F0A6FCF36E3B0A551878EE179A1304357D99A920690BD5681184
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1132088234
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK dovecot ready.
Comment 14 Nicolas Mailhot 2005-11-15 16:01:43 EST
And I can confirm it does not change a bit for SM
Comment 15 Tomas Mraz 2005-11-22 11:03:48 EST
Could you please try openssl-0.9.8a-3 after it is released? There is some
workaround for buggy compression in OpenSSL.
Comment 16 Nicolas Mailhot 2005-12-01 13:34:39 EST
retesting today (sorry for the delay, FC5t1 pushed on me more blocking bugs)
with  openssl-0.9.8a-4

SM works agains, so it was a problem in opnssl fixed since

Note You need to log in before you can comment on or make changes to this bug.