Hi, I recently changed from uw imap to dovecot on the sound recommendation of a friend and have mostly succeeded in getting all of my clients up and running, but am really stuck with the iPhone which is failing to make connections. I run certificates on all of my clients and thunderbird happily connects both locally and remotely. I installed the certificate on the iPhone after great pain (pk12 via the Web administration utility). When you open the configurations on the phone, it tries to make a test connection to the server and fails with a generic SSL error. Dovecot reports just a generic disconnected error (imap-login/client.c line 333), and it appears to be dropping the connection.

Sep 2 09:38:17 inchoate dovecot: imap-login: Disconnected (auth failed, 0 attempts): rip=209.204.139.116, lip=192.168.0.252, TLS

I have run ssldump and here is the relevant section. If anybody has any insights they would be greatly appreciated.

Darren

ssldump tail..

      ServerHelloDone
1 5   0.1128 (0.0838)  C>S  V3.1(7)  Handshake Certificate
1 6   0.1629 (0.0500)  C>S  V3.1(134)  Handshake ClientKeyExchange
1 7   0.1629 (0.0000)  C>S  V3.1(1)  ChangeCipherSpec
1 8   0.1629 (0.0000)  C>S  V3.1(48)  Handshake
1 9   0.1677 (0.0048)  S>C  V3.1(1)  ChangeCipherSpec
1 10  0.1677 (0.0000)  S>C  V3.1(48)  Handshake
1 11  0.1761 (0.0084)  S>C  V3.1(48)  application_data
1 12  0.2650 (0.0889)  C>S  V3.1(32)  Alert
1 13  0.2651 (0.0000)  S>C  V3.1(32)  Alert
1     0.2651 (0.0000)  S>C  TCP FIN
1     0.2675 (0.0024)  C>S  TCP FIN

[root at inchoate src]# /tools/dovecot/sbin/dovecot -n
# 1.1.2: /tools/dovecot-1.1.2/etc/dovecot.conf
ssl_ca_file: /etc/mail/certs/cacert_plus_crl.pem
ssl_cert_file: /etc/mail/certs/cert.pem
ssl_key_file: /etc/mail/certs/key.pem
ssl_verify_client_cert: yes
login_dir: /tools/dovecot-1.1.2/var/run/dovecot/login
login_executable: /tools/dovecot-1.1.2/libexec/dovecot/imap-login
auth default:
  verbose: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
On Sep 2, 2008, at 7:55 PM, dovecot at feb17.org wrote:
> Hi, I recently changed from uw imap to dovecot on the sound recommendation of a friend and have mostly succeeded in getting all of my clients up and running, but am really stuck with the iPhone which is failing to make connections. I run certificates on all of my clients and thunderbird happily connects both locally and remotely. I installed the certificate on the iPhone after great pain (pk12 via the Web administration utility). When you open the configurations on the phone, it tries to make a test connection to the server and fails with a generic SSL error. Dovecot reports just a generic disconnected error (imap-login/client.c line 333), and it appears to be dropping the connection.
>
> Sep 2 09:38:17 inchoate dovecot: imap-login: Disconnected (auth failed, 0 attempts): rip=209.204.139.116, lip=192.168.0.252, TLS

verbose_ssl=yes would log more.

> ssl_verify_client_cert: yes
..
> ssl_require_client_cert: yes

Did this really work with UW-IMAP or are you just now trying to set this up? Are you sure iPhone is even supposed to work with this?
> > verbose_ssl=yes would log more.

It didn't actually - just tried that, same result.

> > > ssl_verify_client_cert: yes
> ..
> > ssl_require_client_cert: yes
>
> Did this really work with UW-IMAP or are you just now trying to set this up? Are you sure iPhone is even supposed to work with this?

In my previous config I used certs only for sendmail relaying on the mobile thunderbird clients, and used SSL/passwords for imap. When I upgraded to dovecot, it started requiring the certs for access locally and remotely and I added the cert to the desktop and all was fine.

I'm not 100% sure the iphone supports this - the docs are really murky but as of the last release, they rolled out enterprise support to keep the exchange users happy and it seems to support certificate installation, root certs, client certs etc. If it doesn't I'd just like a clean error message. The iphone says effectively "ssl error, are you sure the server supports ssl and your account settings are correct?" (sorry, it's actually in German, otherwise I'd quote it literally). Dovecot is just saying it's disconnecting. I had a very different error from dovecot when the thunderbird clients didn't have certificates: "Client didn't present valid SSL certificate".

Darren
One more piece of info for comparison, here's the thunderbird ssldump. I'm not sure what the application_data is but it's received happily here:

2 7   10.7516 (0.0000)  C>S  V3.1(1)  ChangeCipherSpec
2 8   10.7516 (0.0000)  C>S  V3.1(48)  Handshake
2 9   10.7620 (0.0103)  S>C  V3.1(1)  ChangeCipherSpec
2 10  10.7620 (0.0000)  S>C  V3.1(48)  Handshake
2 11  10.9688 (0.2068)  S>C  V3.1(48)  application_data
2 12  10.9822 (0.0134)  C>S  V3.1(48)  application_data
2 13  10.9824 (0.0001)  S>C  V3.1(224)  application_data
2 14  16.3136 (5.3312)  C>S  V3.1(48)  application_data
2 15  16.3139 (0.0003)  S>C  V3.1(32)  application_data
2 16  16.3205 (0.0065)  C>S  V3.1(48)  application_data
2 17  16.9382 (0.6177)  S>C  V3.1(48)  application_data
2 18  16.9591 (0.0209)  C>S  V3.1(48)  application_data
2 19  16.9593 (0.0002)  S>C  V3.1(80)  application_data
2 20  16.9805 (0.0211)  C>S  V3.1(48)  application_data

The iphone seems to get upset at around this point and raise an alert, which leads to the server closing the connection after raising its own alert. I don't seem to be able to get any more information on the nature of the complaint, unfortunately. I've tried providing the ssl key to ssldump but it doesn't reveal anything.

1 7   0.1629 (0.0000)  C>S  V3.1(1)  ChangeCipherSpec
1 8   0.1629 (0.0000)  C>S  V3.1(48)  Handshake
1 9   0.1677 (0.0048)  S>C  V3.1(1)  ChangeCipherSpec
1 10  0.1677 (0.0000)  S>C  V3.1(48)  Handshake
1 11  0.1761 (0.0084)  S>C  V3.1(48)  application_data
1 12  0.2650 (0.0889)  C>S  V3.1(32)  Alert
1 13  0.2651 (0.0000)  S>C  V3.1(32)  Alert
1     0.2651 (0.0000)  S>C  TCP FIN
1     0.2675 (0.0024)  C>S  TCP FI

Darren
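The two ssldump excerpts in this thread are easier to compare once reduced to a per-connection summary. The script below is an added example, not code from the thread or from Dovecot: it parses ssldump's record lines in the one-record-per-line form quoted above (TCP FIN lines included, a missing space between direction and version tolerated, continuation lines such as the orphaned ServerHelloDone skipped) and reports whether both sides completed the handshake, whether the client's Certificate message had the 7-byte length of a Certificate message with an empty certificate list, how many application_data records went each way, and which record immediately preceded the first Alert. The embedded traces are the iPhone and Thunderbird excerpts from this thread (the Thunderbird one cut to its first seven records); because the Thunderbird excerpt starts after the Certificate message, its empty-certificate flag being false only means the record was not in the excerpt. All names in the script are my own.

```python
# Added example, not from the thread: summarise ssldump TLS record traces.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "conn seq time (delta) dir Vx.y(len) kind [message]"; the space before the version is optional.
RECORD_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<seq>\d+)\s+(?P<t>\d+\.\d+)\s+\(\d+\.\d+\)\s+"
    r"(?P<dir>[CS]>[CS])\s*V\d\.\d\((?P<len>\d+)\)\s+(?P<kind>\w+)(?:\s+(?P<msg>\w+))?\s*$")
# "conn time (delta) dir TCP FLAG" lines carry no record sequence number.
TCP_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<t>\d+\.\d+)\s+\(\d+\.\d+\)\s+(?P<dir>[CS]>[CS])\s+TCP\s+(?P<msg>\w+)\s*$")
# A TLS 1.0-1.2 Certificate message with an empty certificate_list is exactly 7 bytes:
# 4-byte handshake header plus the 3-byte (zero) list length.
EMPTY_CERT_MSG_LEN = 7


@dataclass
class Record:
    conn: int
    seq: Optional[int]     # None for TCP lines
    direction: str         # "C>S" or "S>C"
    length: Optional[int]  # record-layer length in bytes, None for TCP lines
    kind: str              # Handshake, ChangeCipherSpec, Alert, application_data or TCP
    msg: Optional[str]     # handshake message name or TCP flag, when printed


def parse_ssldump(text: str) -> Dict[int, List[Record]]:
    """Group parsable trace lines by connection number; anything else is skipped."""
    conns: Dict[int, List[Record]] = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = Record(int(m["conn"]), int(m["seq"]), m["dir"], int(m["len"]), m["kind"], m["msg"])
        else:
            m = TCP_RE.match(line)
            if not m:  # e.g. the orphaned "ServerHelloDone" continuation line
                continue
            rec = Record(int(m["conn"]), None, m["dir"], None, "TCP", m["msg"])
        conns.setdefault(rec.conn, []).append(rec)
    return conns


def summarize(records: List[Record]) -> dict:
    """Describe how far one connection got and what, if anything, aborted it."""
    finished = {"C>S": False, "S>C": False}  # side sent ChangeCipherSpec then Finished
    prev_kind = {"C>S": None, "S>C": None}
    app_data = {"C>S": 0, "S>C": 0}
    empty_client_cert, first_alert, last = False, None, None
    for r in records:
        if r.kind == "TCP":
            continue
        # Finished is encrypted, so ssldump shows it as a bare Handshake record after ChangeCipherSpec.
        if r.kind == "Handshake" and prev_kind[r.direction] == "ChangeCipherSpec":
            finished[r.direction] = True
        if (r.direction == "C>S" and r.kind == "Handshake"
                and r.msg == "Certificate" and r.length == EMPTY_CERT_MSG_LEN):
            empty_client_cert = True
        if r.kind == "application_data":
            app_data[r.direction] += 1
        if r.kind == "Alert" and first_alert is None:
            first_alert = {"seq": r.seq, "sent_by": r.direction,
                           "after": f"{last.direction} {last.kind}" if last else None}
        prev_kind[r.direction] = r.kind
        last = r
    return {
        "records": len(records),
        "handshake_complete": finished["C>S"] and finished["S>C"],
        "empty_client_certificate": empty_client_cert,
        "app_data": app_data,
        "first_alert": first_alert,
        "tcp_fin": any(r.kind == "TCP" and r.msg == "FIN" for r in records),
    }


# Excerpts as quoted in the thread: connection 1 is the failing iPhone session,
# connection 2 the working Thunderbird session (first seven records).
IPHONE_TRACE = """\
      ServerHelloDone
1 5   0.1128 (0.0838)  C>S  V3.1(7)  Handshake Certificate
1 6   0.1629 (0.0500)  C>S  V3.1(134)  Handshake ClientKeyExchange
1 7   0.1629 (0.0000)  C>S  V3.1(1)  ChangeCipherSpec
1 8   0.1629 (0.0000)  C>S  V3.1(48)  Handshake
1 9   0.1677 (0.0048)  S>C  V3.1(1)  ChangeCipherSpec
1 10  0.1677 (0.0000)  S>C  V3.1(48)  Handshake
1 11  0.1761 (0.0084)  S>C  V3.1(48)  application_data
1 12  0.2650 (0.0889)  C>S  V3.1(32)  Alert
1 13  0.2651 (0.0000)  S>C  V3.1(32)  Alert
1     0.2651 (0.0000)  S>C  TCP FIN
1     0.2675 (0.0024)  C>S  TCP FIN
"""
THUNDERBIRD_TRACE = """\
2 7   10.7516 (0.0000)  C>S  V3.1(1)  ChangeCipherSpec
2 8   10.7516 (0.0000)  C>S  V3.1(48)  Handshake
2 9   10.7620 (0.0103)  S>C  V3.1(1)  ChangeCipherSpec
2 10  10.7620 (0.0000)  S>C  V3.1(48)  Handshake
2 11  10.9688 (0.2068)  S>C  V3.1(48)  application_data
2 12  10.9822 (0.0134)  C>S  V3.1(48)  application_data
2 13  10.9824 (0.0001)  S>C  V3.1(224)  application_data
"""

if __name__ == "__main__":
    for trace in (IPHONE_TRACE, THUNDERBIRD_TRACE):
        for conn, recs in parse_ssldump(trace).items():
            print(f"connection {conn}:", summarize(recs))
```

On the iPhone excerpt the summary reports a completed handshake, a 7-byte client Certificate record, one server application_data record and then a client Alert directly after it; on the Thunderbird excerpt it reports a completed handshake with application data in both directions and no Alert. That is the comparison a defender wants from a server that requires client certificates: whether the client offered a certificate at all, and which side gave up and when, before turning up server-side logging.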
Darren Platt wrote:
> I'd happily switch to a real cert if I knew that this was the problem. Are you using the cert actually on the phone to validate its identity? I have the org unit set slightly differently on my fake CA and the phone to make netscape derived browsers happy. The trouble is that I'm not getting a useful enough error message from anyone to diagnose the problem. I have also considered putting my fake CA cert on the phone to see if that would make it happier,

Sorry - I don't have an iPhone - however, some of the super cheap providers are like near single digit dollars a year for a cert so it's not too expensive to run a test.

Ed W