Hi,

I have, at one customer, a web server running with a Verisign-signed SSL certificate. Everything works fine; IE and Firefox connect over https without asking anything, which usually happens with self-signed certificates. I'm trying to use that certificate on dovecot, but clients (Thunderbird basically) keep saying the certificate is not valid.

Yes, when configuring Thunderbird, I'm using the same CN that was signed by Verisign for the web usage.

I've enabled verbose_ssl and got this when Thunderbird tries to connect:

Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Unknown CA???

Is it Thunderbird that is not recognizing the Verisign-signed certificate? Do I need to, somehow, install some Verisign CA certificate in dovecot.conf?

When using a self-signed certificate, I also get an SSL_accept failure, but with a different message:

Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

Despite the fact that my certificates were generated for use with Apache, I can 'print' both of them with the same commands I use to print dovecot-generated certificates, with mkcert.sh. So, it seems they are compatible.

If I click OK in Thunderbird, when using my Verisign-signed certificates, everything works and I do get TLS logs:

Feb 18 12:23:36 correio dovecot: imap-login: Login: user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 18 12:31:43 correio dovecot: imap-login: Login: user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

What am I doing wrong?? Or is using a certificate signed for WEB usage not possible on dovecot?

-- 
Sincerely,

Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT email it: gertrudes at solutti.com.br
On Thursday 18 February 2010 14:47:03, Leonardo Rodrigues wrote:
> Hi,
>
> I have, at one customer, a web server running with a Verisign-signed SSL
> certificate. Everything works fine; IE and Firefox connect over https
> without asking anything, which usually happens with self-signed
> certificates. I'm trying to use that certificate on dovecot, but clients
> (Thunderbird basically) keep saying the certificate is not valid.
>
> Yes, when configuring Thunderbird, I'm using the same CN that was signed
> by Verisign for the web usage.
>
> I've enabled verbose_ssl and got this when Thunderbird tries to connect:
>
> Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth
> attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking:
> SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
>
> Unknown CA???
>
> Is it Thunderbird that is not recognizing the Verisign-signed
> certificate? Do I need to, somehow, install some Verisign CA certificate
> in dovecot.conf?
>
> When using a self-signed certificate, I also get an SSL_accept failure,
> but with a different message:
>
> Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth
> attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking:
> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate
>
> Despite the fact that my certificates were generated for use with Apache,
> I can 'print' both of them with the same commands I use to print
> dovecot-generated certificates, with mkcert.sh. So, it seems they are
> compatible.
>
> If I click OK in Thunderbird, when using my Verisign-signed certificates,
> everything works and I do get TLS logs:
>
> Feb 18 12:23:36 correio dovecot: imap-login: Login:
> user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
> lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 18 12:31:43 correio dovecot: imap-login: Login:
> user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
> lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> What am I doing wrong?? Or is using a certificate signed for WEB usage
> not possible on dovecot?

I'm using the same certificate for dovecot and https. My settings in dovecot.conf are:

ssl_cert_file = /etc/ssl/certs/hostname.pem
ssl_key_file = /etc/ssl/private/hostname.key

This part from the user guide is very important if you received a "bundle / chain" of CA certificates from Verisign:

Chained SSL certificates

Put all the certificates in the ssl_cert_file file. For example, when using a certificate signed by TDC the correct order is:

1. Dovecot's public certificate
2. TDC SSL Server CA
3. TDC Internet Root CA
4. Globalsign Partners CA

Arne

-- 
--------------------------------
Arne K. Haaje | www.drlinux.no
T: 69 51 15 52 | M: 92 88 44 66
--------------------------------
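The "tlsv1 alert unknown ca" in the original log is the alert a TLS client sends when it cannot build a path from the certificate it was served to a root it trusts, which is exactly what happens when a server hands out only the leaf and the browser-style intermediate that Verisign issues it under is missing from ssl_cert_file. As an added example (not code from this thread or from Dovecot), the shell script below checks that a PEM bundle meant for ssl_cert_file is in the order the user guide excerpt above describes: the server certificate first, then each issuing CA in turn. It compares each certificate's issuer name with the next certificate's subject, so it catches a reversed bundle or a skipped intermediate, but it does not verify signatures; `openssl verify -CAfile <root> -untrusted <intermediates> <leaf>` does that. The `openssl` command-line tool is required, and the /etc/ssl/certs/hostname.pem path in the usage line is an assumption taken from the dovecot.conf snippet above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot itself.
# Checks that a PEM bundle intended for Dovecot's ssl_cert_file is in the
# order the user guide quotes: the server certificate first, then each
# issuing CA in turn (intermediate(s), then root). Only the issuer/subject
# linkage between neighbours is compared; signatures are not verified here.
# Requires the openssl command-line tool.
set -u

# Split a bundle into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_bundle() {
    bundle=$1; outdir=$2
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Subject and issuer of one certificate, with openssl's "subject=" / "issuer="
# prefix stripped so the two can be compared as plain strings.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# check_chain_order BUNDLE
# Returns 0 when certificate N's issuer is certificate N+1's subject for every
# N, 1 when any link is broken or the file holds no certificate. A bundle in
# the reverse order (root first) or with a skipped intermediate fails.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$bundle" "$tmp")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $bundle"
        rm -rf "$tmp"
        return 1
    fi
    rc=0
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(cert_issuer "$tmp/cert-$i.pem")
        subject=$(cert_subject "$tmp/cert-$next.pem")
        if [ "$issuer" = "$subject" ]; then
            echo "ok:  cert $i is issued by cert $next ($subject)"
        else
            echo "BAD: cert $i issuer '$issuer' does not match cert $next subject '$subject'"
            rc=1
        fi
        i=$next
    done
    # The last certificate is not checked against anything: it is the root,
    # or the highest intermediate if the root was deliberately left out.
    echo "last cert: $(cert_subject "$tmp/cert-$count.pem")"
    rm -rf "$tmp"
    return $rc
}

# Usage (the path is an assumption, matching the dovecot.conf line above):
#   check_chain_order /etc/ssl/certs/hostname.pem
if [ $# -ge 1 ]; then
    check_chain_order "$1"
fi
```

After rebuilding the bundle in that order and restarting dovecot, `openssl s_client -connect mail.example.com:993 -showcerts -CAfile <verisign-root.pem>` (hostname and file name are placeholders) should list every certificate in the chain and end with "Verify return code: 0 (ok)"; a bundle that still fails the check above will instead show only the leaf and a verify error, and Thunderbird will keep sending the unknown ca alert.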