Ralf Hildebrandt
2017-Mar-20 14:40 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>:> > > On 20.03.2017 14:30, Ralf Hildebrandt wrote: > > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt > > Leave the < out. It is misleading, I know, but it does say file. =)Makes no difference: # doveconf |fgrep ssl_client_ca ssl_client_ca_dir = ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt and with auto8 I still get: Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,<YWuNeipLKLGNKs4k>): Disconnected from server Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF) Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped) going back to auto6 and everything is peachy again. -- Ralf Hildebrandt Gesch?ftsbereich IT | Abteilung Netzwerk Charit? - Universit?tsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt at charite.de | http://www.charite.de
Aki Tuomi
2017-Mar-20 14:57 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
On 20.03.2017 16:40, Ralf Hildebrandt wrote:> * Aki Tuomi <aki.tuomi at dovecot.fi>: >> >> On 20.03.2017 14:30, Ralf Hildebrandt wrote: >>> ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt >> Leave the < out. It is misleading, I know, but it does say file. =) > Makes no difference: > > # doveconf |fgrep ssl_client_ca > ssl_client_ca_dir = > ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt > > and with auto8 I still get: > > Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) > Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context > Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,<YWuNeipLKLGNKs4k>): Disconnected from server > Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF) > Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped) > > going back to auto6 and everything is peachy again. >Hi! Could you send us the gdb bt full backtrace for the core file? Also, can you send doveconf -n? Aki
Ralf Hildebrandt
2017-Mar-20 15:07 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>:> Could you send us the gdb bt full backtrace for the core file?Currently I can't get it to create coredumps doveconf -n: # 2.2.devel (3f97702): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.devel (023f391) # OS: Linux 4.4.0-65-generic x86_64 Ubuntu 16.04.2 LTS auth_mechanisms = plain login default_vsz_limit = 1 G imapc_host = exchange-imap.charite.de imapc_port = 993 imapc_ssl = imaps imapc_ssl_verify = no listen = *,:: mail_gid = imapproxy mail_home = /home/imapproxy/%u mail_location = imapc:~/imapc mail_plugins = mail_log notify mail_uid = imapproxy passdb { args = host=exchange-imap.charite.de port=993 ssl=imaps default_fields = userdb_imapc_user=%u userdb_imapc_password=%w userdb_imapc_host=exchange-imap.charite.de userdb_imapc_ssl=imaps userdb_imapc_port=993 driver = imap } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } protocols = imap service auth { inet_listener { address = 127.0.0.1 port = 12345 } } ssl = required ssl_ca = </etc/ssl/certs/ca-certificates.crt ssl_cert = </etc/dovecot/dovecot.pem ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 userdb { driver = prefetch } verbose_proctitle = yes Ralf Hildebrandt Gesch?ftsbereich IT | Abteilung Netzwerk Charit? - Universit?tsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt at charite.de | http://www.charite.de
Reasonably Related Threads
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- SIGSEGV in 2.2.13 with IMAP Proxying to an Exchange Server (dovecot/auth)