Ralf Hildebrandt
2017-Mar-20 12:30 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Hi!

I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:

Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

I checked, and alas, I had

ssl_client_ca_dir =
ssl_client_ca_file =

So I set:

ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt

But I'm still getting the error above. In addition, dovecot is crashing with SIGSEGV:

Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): No SSL context
Mar 20 13:28:23 mproxy dovecot: auth: Error: imap(la***sch,87.77.180.61): Disconnected from server
Mar 20 13:28:23 mproxy postfix/submission/smtpd[32682]: warning: zb43d.pia.fu-berlin.de[87.77.180.61]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 20 13:28:23 mproxy dovecot: auth: Fatal: master: service(auth): child 32685 killed with signal 11 (core dumped)

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de
Ralf Hildebrandt
2017-Mar-20 13:02 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:
> Hi!
>
> I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:

I was able to determine the last working version: 2:2.2.28-1~auto+6
and the first "broken" version: 2:2.2.28-1~auto+7

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de
Ralf Hildebrandt
2017-Mar-20 13:05 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:
> * Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:
> > Hi!
> >
> > I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:
>
> I was able to determine the last working version: 2:2.2.28-1~auto+6
> and the first "broken" version: 2:2.2.28-1~auto+7

2:2.2.28-1~auto+7 CHANGES file (http://xi.dovecot.fi/debian/pool/jessie-auto/dovecot-2.2/dovecot_2.2.28-1~auto+7_amd64.changes) says:

New revision (a39b5b2852f2) in dovecot Git repository
...
- lib-ssl-iostream: Ensure verify_remote_cert is true
- lib-ssl-iostream: Fix ambiguity with SSL settings
...

I think one of these two could be the culprit

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de
Aki Tuomi
2017-Mar-20 14:32 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt

Leave the < out. It is misleading, I know, but it does say file. =)

Aki
Ralf Hildebrandt
2017-Mar-20 14:40 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>:
>
> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
>
> Leave the < out. It is misleading, I know, but it does say file. =)

Makes no difference:

# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir =
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt

and with auto8 I still get:

Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,<YWuNeipLKLGNKs4k>): Disconnected from server
Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF)
Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped)

going back to auto6 and everything is peachy again.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de
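
Added example, not part of the thread and not Dovecot code: a check over `doveconf` output that separates a configuration problem with the ssl_client_ca_* settings (both empty, a leading `<`, an unloadable bundle) from a fault elsewhere. The function names and the sample inputs are constructed for illustration; the bundle is loaded with Python's ssl module, which is an assumption standing in for Dovecot's own loader.

```python
import os
import ssl

# Constructed samples in the shape of `doveconf | fgrep ssl_client_ca` output.
SAMPLE_EMPTY = "ssl_client_ca_dir = \nssl_client_ca_file = \n"
SAMPLE_PREFIXED = ("ssl_client_ca_dir = \n"
                   "ssl_client_ca_file = </nonexistent/example-ca.crt\n")


def parse_doveconf(text):
    """Return {setting: value} for the 'key = value' lines of doveconf output."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_client_ca(settings):
    """List problems with the CA settings used to verify remote servers."""
    ca_file = settings.get("ssl_client_ca_file", "")
    ca_dir = settings.get("ssl_client_ca_dir", "")
    problems = []
    if not ca_file and not ca_dir:
        problems.append("no trusted CAs: ssl_client_ca_file and "
                        "ssl_client_ca_dir are both empty")
    if ca_file.startswith("<"):
        problems.append("ssl_client_ca_file takes a plain path: "
                        "drop the leading '<'")
        ca_file = ca_file[1:]
    if ca_file:
        try:
            # Fails if the file is missing or holds no usable certificate.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_verify_locations(cafile=ca_file)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"cannot load CA bundle {ca_file}: {exc}")
    if ca_dir and not os.path.isdir(ca_dir):
        problems.append(f"ssl_client_ca_dir {ca_dir} is not a directory")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_PREFIXED):
        print(check_client_ca(parse_doveconf(sample)) or "settings look usable")
```

An empty result for the live `doveconf` output means the settings themselves load, which is the situation reported in the last message of the thread.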