All,

our dovecot installation provides a bundle of intermediate CA certificates using the ssl_ca option.

2.3.0 does not supply the bundle, resulting in various clients either complaining about an unverifiable server cert, or quietly not connecting. The log has

Jan 5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<uKK/kAlia+GCUyU5>

We fixed the issue by downgrading to 2.2.33.2.

Cheerio,
hauke

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
       Respect for open standards              Ruf +49-6151-16-21344
On 11.01.2018 12:18, Hauke Fath wrote:
> All,
>
> our dovecot installation provides a bundle of intermediate CA
> certificates using the ssl_ca option.
>
> 2.3.0 does not supply the bundle, resulting in various clients either
> complaining about an unverifiable server cert, or quietly not
> connecting. The log has
>
> Jan 5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking:
> SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3
> alert certificate unknown: SSL alert number 46,
> session=<uKK/kAlia+GCUyU5>
>
> We fixed the issue by downgrading to 2.2.33.2.
>
> Cheerio,
> hauke

Was the certificate path bundled in the server certificate?

Aki
On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

Worked fine with 2.2.x, 2.3 gives

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%
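The s_client output above shows a server that presents only its own certificate (depth=0, error 20 "unable to get local issuer certificate"), which is exactly what a client sees when the intermediate is not sent. The following script is an added example, not part of the thread and not dovecot's or OpenSSL's own tooling: it builds a throwaway root -> intermediate -> server PKI with the openssl command line and runs `openssl verify` twice, once with the leaf alone and once with a chain file standing in for ca-cert-chain.pem, so a chain file can be checked offline before a server is reconfigured. All names, paths and the helper functions (make_test_pki, verify_leaf, verify_error) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two verification
# outcomes behind error 20 with a constructed PKI. Nothing here touches
# a real server or real keys.

# make_test_pki DIR: hypothetical helper that builds root -> intermediate
# -> server certificates in DIR (one-day validity, throwaway keys).
make_test_pki() {
    pki_dir=$1
    # Self-signed root; "req -x509" marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$pki_dir/root.key" -out "$pki_dir/root.crt" 2>/dev/null
    # Intermediate: it must carry CA:TRUE or verification will refuse to
    # use it as an issuer, so the extensions are passed explicitly.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$pki_dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$pki_dir/int.key" -out "$pki_dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$pki_dir/int.csr" -CA "$pki_dir/root.crt" \
        -CAkey "$pki_dir/root.key" -CAcreateserial -days 1 -sha256 \
        -extfile "$pki_dir/ca.ext" -out "$pki_dir/int.crt" 2>/dev/null
    # Leaf (server) certificate, signed by the intermediate only.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=imap.example.test" \
        -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$pki_dir/server.csr" -CA "$pki_dir/int.crt" \
        -CAkey "$pki_dir/int.key" -CAcreateserial -days 1 -sha256 \
        -out "$pki_dir/server.crt" 2>/dev/null
    # Stand-in for ca-cert-chain.pem: intermediates only, no root, no leaf.
    cp "$pki_dir/int.crt" "$pki_dir/ca-cert-chain.pem"
}

# verify_leaf LEAF ROOT [CHAIN]: build a path from LEAF to the trusted ROOT,
# optionally with CHAIN offered as untrusted intermediates, which is how a
# client treats the extra certificates a server sends in the handshake.
# Exit status 0 means a path was found, non-zero means verification failed.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# verify_error LEAF ROOT: the reason text of a failed verification of LEAF
# alone, taken from the "error N at D depth lookup: ..." line.
verify_error() {
    openssl verify -CAfile "$2" "$1" 2>&1 \
        | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Stand-alone run: print both outcomes for the constructed chain.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
if verify_leaf "$demo_dir/server.crt" "$demo_dir/root.crt"; then
    echo "leaf alone: OK (unexpected, intermediate must be in the trust store)"
else
    echo "leaf alone: $(verify_error "$demo_dir/server.crt" "$demo_dir/root.crt")"
fi
if verify_leaf "$demo_dir/server.crt" "$demo_dir/root.crt" "$demo_dir/ca-cert-chain.pem"; then
    echo "leaf + ca-cert-chain.pem: OK"
else
    echo "leaf + ca-cert-chain.pem: FAILED"
fi
rm -rf "$demo_dir"
```

Run against a real deployment by pointing verify_leaf at the server certificate, the root the clients trust, and the file configured as ssl_ca: a failure in the second call means the chain file itself does not complete the path, whereas a file that verifies locally but still produces error 20 in s_client points at the server not sending it, which is the situation reported above.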