Hi,

I'm using dovecot 1.2.15 with self-signed certificates.

Using STARTTLS on ports 110/143 works OK with Thunderbird 10.0.12 (and I guess most other clients).

Using IMAPS on port 993 works with Outlook 2002. With Thunderbird 10.0.12 I can't connect to port 993 and get errors in the logs like

TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
(certificate generated by dovecot mkcert.sh)

or

TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(certificate generated by own openssl cmdline)

I know that a lot of information is missing, but since this looks like a more general problem I dare to ask for help before posting more config details.

Thx,
Matthias
On 2013-02-22, Matthias Leopold wrote:

> with thunderbird 10.0.12 i can't connect to port 993 and get errors in
> the logs like
> TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> (certificate generated by dovecot mkcert.sh)
> or
> TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> (certificate generated by own openssl cmdline)

Did you create a Root CA certificate? If not, I would prefer that you create your own CA and sign all certs with this Root CA certificate. You'll have to import the created Root CA certificate in Thunderbird and/or the Microsoft Certificate Store so that the applications can trust the self-signed certificates.

You could also use a free Certificate Authority like StartSSL, but the Root CA certificate must also be available in the certificate store of the application (Thunderbird, MS, Opera...).

--
Daniel
On 2013-02-22, Matthias Leopold wrote:

> with thunderbird 10.0.12 i can't connect to port 993 and get errors in
> the logs like
>
> TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> (certificate generated by dovecot mkcert.sh)

I haven't come across any problems with our use of self-signed certificates, but I run the latest 2.1.x dovecot, so maybe there are some SSL changes between our version and yours. The fact that the same certificate works for other clients, and also for TLS on Thunderbird, seems to suggest Thunderbird is fumbling it. But maybe you can try the command diagnostic from the command line "openssl s_client -connect yourserver:993 ..." or use one of the online certificate checkers to get some useful diagnostics.

> TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

This error entry pops up in my logs once in a while. I think the error might be misleading, since the error message happens in the middle of a long sequence of successful connections. Also check that the client is actually using the right security mode (not TLS or clear), perhaps by doing a network snoop.

Joseph Tam <jtam.home at gmail.com>
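An added example, not code from the thread or from Dovecot, that decodes the two OpenSSL error codes quoted above: OpenSSL 1.x packs them as lib/function/reason, and for alert reasons the number is 1000 plus the TLS alert the client sent, so "bad certificate" (42) and "unknown ca" (48) tell an operator whether the client objected to the certificate's content or to its issuer. The log lines below are constructed in Dovecot 1.2 imap-login style, not real traffic.

```python
import re
from collections import Counter

# OpenSSL 1.x packs an error code as (lib << 24) | (func << 12) | reason.
# The two codes in this thread decode with that layout:
#   0x14094412 -> lib 0x14 (SSL), func 0x094 (SSL3_READ_BYTES), reason 1042
#   0x14094418 -> same lib/func, reason 1048
# SSL_R_*_ALERT_* reasons are 1000 + the TLS alert number sent by the peer.
ERR_LIB_SSL = 0x14
SSL_F_SSL3_READ_BYTES = 0x094
ALERT_BASE = 1000

# TLS alert descriptions (RFC 5246 7.2.2) a client sends when it rejects a
# server certificate, with what the server operator should check first.
CERT_ALERTS = {
    42: ("bad_certificate", "client rejected the cert itself: check CN/hostname, validity, key usage"),
    45: ("certificate_expired", "cert validity period has passed"),
    46: ("certificate_unknown", "client could not process the cert"),
    48: ("unknown_ca", "client does not trust the issuer: import the signing Root CA into the client"),
}

LOG_RE = re.compile(r"SSL_read\(\) failed: error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

def decode_ssl_error(line):
    """Parse a Dovecot 'TLS: SSL_read() failed' line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - ALERT_BASE if ALERT_BASE <= reason < ALERT_BASE + 256 else None
    name, advice = CERT_ALERTS.get(alert, ("other_alert", "not a certificate rejection"))
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": name, "advice": advice, "text": m.group(4)}

def triage(lines):
    """Count client-sent TLS alerts per type across a batch of log lines."""
    counts = Counter()
    for line in lines:
        d = decode_ssl_error(line)
        if d and d["lib"] == ERR_LIB_SSL and d["alert"] is not None:
            counts[d["alert_name"]] += 1
    return counts

# Constructed sample lines (documentation IP range), not captured traffic.
SAMPLE_LOG = [
    "Feb 22 09:12:01 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=192.0.2.1, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "Feb 22 09:12:44 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.11, lip=192.0.2.1, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Feb 22 09:13:05 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.12, lip=192.0.2.1, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Feb 22 09:14:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.13, lip=192.0.2.1, TLS",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d = decode_ssl_error(line)
        if d:
            print(f"alert {d['alert']} {d['alert_name']}: {d['advice']}")
    print(dict(triage(SAMPLE_LOG)))
```

Because SSL3_READ_BYTES means Dovecot read the alert from the client, both codes describe a decision made on the client side, which is why importing the Root CA into Thunderbird's store (or fixing the certificate's subject) is the relevant change rather than anything in dovecot.conf.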