thr3ads.net - dovecot - SSL issues when proxying [Sep 2014]

If this information is useful, please help other people find it:
Share via:

Ralf Hildebrandt

2014-Sep-25 12:22 UTC

SSL issues when proxying

I'm getting this in the log when proxying IMAP (three "valid
certificate" messages, two "Invalid certificate" messages)

Why is dovecot (acting as a proxy to another dovecot instance here) not
recognizing the StartCom Extended Validation Server CA?

. LOGIN ralf.hildebrandt at charite.de mypassword
Sep 25 14:13:04 auth-worker(30859): Info: mysql(sql.charite.de): Connected to
database mailservice
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x10, ret=1: before/connect
initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: before/connect
initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: unknown state
[127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: unknown state
[127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server
hello A [127.0.0.1]
Sep 25 14:13:04 imap-login: Info: Invalid certificate: unable to get local
issuer certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification
Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Invalid certificate: certificate not trusted:
/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended
Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate:
/C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite
Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmaster at
charite.de/serialNumber=HRAxxxx/businessCategory=Private
Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=IL/O=StartCom
Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server
CA
Sep 25 14:13:04 imap-login: Info: Valid certificate:
/C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite
Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmaster at
charite.de/serialNumber=HRAxxxx/businessCategory=Private
Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server
certificate A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server
key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server
done A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write client
key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write change
cipher spec A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write
finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 flush data
[127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server
session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server
session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server
session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read finished
A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
finished successfully [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=1: SSL negotiation
finished successfully [127.0.0.1]
. OK [CAPABILITY ...

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstra?e 15, 81669 M?nchen

Sitz der Gesellschaft: M?nchen, Amtsgericht M?nchen: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

lst_hoe02 at kwsoft.de

2014-Sep-25 12:32 UTC

head link

SSL issues when proxying

Zitat von Ralf Hildebrandt <r at sys4.de>:
> I'm getting this in the log when proxying IMAP (three "valid
> certificate" messages, two "Invalid certificate" messages)
>
> Why is dovecot (acting as a proxy to another dovecot instance here) not
> recognizing the StartCom Extended Validation Server CA?
>
Forgot to include the matching intermediate CA maybe?

Regards

Andi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5958 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140925/a0b17996/attachment.p7s>

Steffen Kaiser

2014-Sep-25 12:33 UTC

head link

SSL issues when proxying

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 25 Sep 2014, Ralf Hildebrandt wrote:
> Date: Thu, 25 Sep 2014 14:22:30 +0200
> From: Ralf Hildebrandt <r at sys4.de>
> To: dovecot at dovecot.org
> Subject: SSL issues when proxying
> 
> I'm getting this in the log when proxying IMAP (three "valid
> certificate" messages, two "Invalid certificate" messages)
does one of your proxies or servers is missing a root CA? Or do your hosts 
query a cert database or something like that?
Can you validate the cert on all hosts via openssl manually?

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVCQLoXz1H7kL/d9rAQItWwf/QGaCcxwIvAE2DJgd4rjvL/3/blnPZIQL
16TjRbSpg2c/GCPWMkMlIlavhoooGyqxEyyHNV0hvBGqg9Im/6uzUwJMD4899f9g
rB3nN6jMrLPP99LyIPgzpJe+Xnp/5HGMRMS8YKsri6zP7Ltx2mP6rzKDxWr9wd1L
aaEozOR+wwVb2N4Fz6wYBX5kKLA28tVdjxLA+mX9xjDw3LzSPXFtgK2Bg3zC+6ln
baX2FIlhsiWid7uzl5UblRcAn/oocaXyn/lr3s0jZ6sX2Uh/Ppvx48eJqlEcowiH
BrvRfDRiyyLS10VmgGG+WxSDYjD5J5sfeQ6LxkwaBkNg3P5VcREyNA==4JwM
-----END PGP SIGNATURE-----

Seemingly Similar Threads

Search for more reasonably related threads

dovecot - Sep 2014 - SSL issues when proxying

SSL issues when proxying

SSL issues when proxying

SSL issues when proxying

Seemingly Similar Threads