On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

Worked fine with 2.2.x, 2.3 gives

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
       Respect for open standards              Ruf +49-6151-16-21344
On 11.01.2018 13:20, Hauke Fath wrote:
> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>> Was the certificate path bundled in the server certificate?
> No, as a separate file, provided from the local (intermediate) CA:
>
> ssl_cert = </etc/openssl/certs/server.cert
> ssl_key = </etc/openssl/private/server.key
> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>
> Worked fine with 2.2.x, 2.3 gives
>
> % openssl s_client -connect XXX:993
> CONNECTED(00000006)
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> %
>

Seems we might've made an unexpected change here when we revamped the SSL
code. Can you try if it works if you concatenate the cert and cert-chain
into a single file? We'll start looking into whether this is a misunderstanding or a bug.

Aki
On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
> Can you try if it works if you concatenate the cert and cert-chain
> into a single file? We'll start looking into whether this is a misunderstanding or a bug.

This is a production machine, so I would rather stick with the downgrade until you've looked into the issue. I went home late yesterday. ;)

Cheerio,
Hauke
On 01/11/2018 12:22 PM, Aki Tuomi wrote:
>
> On 11.01.2018 13:20, Hauke Fath wrote:
>> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>>> Was the certificate path bundled in the server certificate?
>> No, as a separate file, provided from the local (intermediate) CA:
>>
>> ssl_cert = </etc/openssl/certs/server.cert
>> ssl_key = </etc/openssl/private/server.key
>> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>>
>> Worked fine with 2.2.x, 2.3 gives
>>
>> % openssl s_client -connect XXX:993
>> CONNECTED(00000006)
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [...]
>> %
>>
>
> Seems we might've made an unexpected change here when we revamped the SSL
> code. Can you try if it works if you concatenate the cert and cert-chain
> into a single file? We'll start looking into whether this is a misunderstanding or a bug.
>
> Aki
>

Hello,

let me confirm this issue. I have a setup similar to Hauke Fath's. Doing the workaround suggested by Aki,

cat /etc/openssl/certs/ca-cert-chain.pem >> /etc/openssl/certs/server.cert

and removing "ssl_ca" from the config file, presents the correct CA chain. Whereas the original config presented my own server cert three times as the chain.

Since server certs tend to change more frequently than the CA chains, I really want to keep them in separate files.
So this is really a show-stopper for me.

CU,
Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
atis.informatik.kit.edu
www.kit.edu

KIT – The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
On Thursday 11 of January 2018, Aki Tuomi wrote:
> Seems we might've made an unexpected change here when we revamped the SSL
> code.

Revamped, interesting, can it support millions of certs now on a single machine? (so are certs loaded on demand and not wasting memory)

> Aki

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
> On 11.01.2018 13:20, Hauke Fath wrote:
>> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>>> Was the certificate path bundled in the server certificate?
>> No, as a separate file, provided from the local (intermediate) CA:
>>
>> ssl_cert = </etc/openssl/certs/server.cert
>> ssl_key = </etc/openssl/private/server.key
>> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>>
>> Worked fine with 2.2.x, 2.3 gives
>>
>> % openssl s_client -connect XXX:993
>> CONNECTED(00000006)
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [...]
>> %
>>
>
> Seems we might've made an unexpected change here when we revamped the SSL
> code. Can you try if it works if you concatenate the cert and cert-chain
> into a single file? We'll start looking into whether this is a misunderstanding or a bug.
>
> Aki

-----------------------------------------------------------------------------

I have the CA cert concatenated with the actual cert (one file).

# openssl s_client -showcerts -connect some.server.host:587
CONNECTED(00000003)
depth=1 C = US, ST = State, L = Town, O = Company Name, OU = CERTIFICATION AUTHORITY, CN = CA Company Name, emailAddress = XXX at XXXX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=State/L=Town/O=Company Name/OU=IT Department/CN=some.server.host/emailAddress=XXX at XXXX
   i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
-----BEGIN CERTIFICATE-----
MIIGUzCCBDsCCQC0iFO/81SS6DANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMC
SEsxDjAMBgNVBAgMBUhLU0FSMRAwDgYDVQQHDAdDZW50cmFsMRYwFAYDVQQKDA1D
b2xvc3NhbCBNaW5kMSAwHgYDVQQLDBdDRVJUSUZJQ0FUSU9OIEFVVEhPUklUWTEZ
MBcGA1UEAwwQQ0EgQ29sb3NzYWwgTWluZDEqMCgGCSqGSIb3DQEJARYbcGV0ZXIu
a2FobEBjb2xvc3NhbG1pbmQuY29tMB4XDTE5MDYyOTA1MzA0NloXDTI0MDYyOTA1
MzA0NlowgaUxCzAJBgNVBAYTAkhLMQ4wDAYDVQQIDAVIS1NBUjEQMA4GA1UEBwwH
Q2VudHJhbDEWMBQGA1UECgwNQ29sb3NzYWwgTWluZDEWMBQGA1UECwwNSVQgRGVw
...........
B9Kuzi4+x3+3W/Hpzup+cGu/Rm3BrZ9EQuLU0l8/51o5++VJ0eYjO8sXmnf/OD9g
m4SHlaIv1I9iF6xDbFSqVDhoyXZfci+Fp9Yg8IfdnRPuyhm+A9n80IpOVptMkHgH
5WHuteE3p7ZWz0sCHXihbt6P03Sp8VrN8TzBkRVDaGMMEErXq17dbX6FAWzcwreA
I9MyC457hKbNvkRuMWyYTuTWXXAA15sCyyLsG6LuOuH0nexW7NdwipKzNq6QAtqT
Evt/+OmEhVrQFllEeW9KT2AKab8FA4/F4SHBl8J1JMeZ+jgJ9DWeRYgUUGzj82bu
7nI27hEgpmT3Oz2a5WGbHRl7ryTNcPkYx1UOo1/7dIN8dZDRxdK31ZcXhwfRs/bu
YBt/NGRaiAv5+RsA+qytjmgLZyTWjyAeKSHsL+OU4R5IvrLOpl6O
-----END CERTIFICATE-----
 1 s:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
   i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
-----BEGIN CERTIFICATE-----
MIIF3jCCA8YCCQDf2f6HjwgkqTANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMC
SEsxDjAMBgNVBAgMBUhLU0FSMRAwDgYDVQQHDAdDZW50cmFsMRYwFAYDVQQKDA1D
b2xvc3NhbCBNaW5kMSAwHgYDVQQLDBdDRVJUSUZJQ0FUSU9OIEFVVEhPUklUWTEZ
MBcGA1UEAwwQQ0EgQ29sb3NzYWwgTWluZDEqMCgGCSqGSIb3DQEJARYbcGV0ZXIu
a2FobEBjb2xvc3NhbG1pbmQuY29tMB4XDTE1MDYxNDA0MDA1OVoXDTI1MDYxMTA0
MDA1OVowgbAxCzAJBgNVBAYTAkhLMQ4wDAYDVQQIDAVIS1NBUjEQMA4GA1UEBwwH
Q2VudHJhbDEWMBQGA1UECgwNQ29sb3NzYWwgTWluZDEgMB4GA1UECwwXQ0VSVElG
................
riwfRMSnfXTQWtv1pkV+vGk02tuZQSatY6v18Uw0EdeuwfrV8n4WBYXCbzDQoQsa
Jipzub5H/5u8nIIUFPFeTeqnaRihjFJfFQkTH8lteVkq0ctRHVF4Il0OfigW4Q0j
CJ/jcarQ5gQa8l1SOZIj1OqwEYaLeruc7U6gn+PEZPhxw0jPJBCjo3eBI4sIpWOe
JpB0S1JHhzFLnyZTQmat0qDxbmWW/PqYj8TAGskBTh+OVdqvxXVbNVv9pUtVV/oy
x8l7mOfPWYQlbhD+b7Rk2Qc+o6ohL5XXCm66vJoMbD86eaMegtcLrq7eG03I8EfO
F8seAmJ4aQ89dlFvcbLwdhYoDq02BtcoCLkSQlRTng3pdMuITdSoTczbusmPlvI6
dOw+FBqbIL+bAGHdUrQJJgZ5MhbN6V+a/Ntkn7ByaYRPO0yAJ0DrytkGR6tCzNLs
egZqM8EcD56riKdlGv2OSe2+
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=State/L=Town/O=Company Name/OU=IT Department/CN=some.server.host/emailAddress=XXX at XXXX
issuer=/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION AUTHORITY/CN=CA Company Name/emailAddress=XXX at XXXX
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4074 bytes and written 373 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 5120 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID:
    Session-ID-ctx:
    Resumption PSK: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1561802629
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot.

I confirm the same problem described by Hauke Fath on 11 Jan 2018. Mozilla Thunderbird connects fine but iOS Mail does not.

Dovecot log:

1561801584 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: Connection closed
1561801592 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

Kind regards,
Peter
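The two imap-login lines Peter posted are the server-side trace of a client refusing the presented certificate: the client closes with a TLS alert (46, certificate_unknown) instead of authenticating. The snippet below is an added example, not code from the thread or from Dovecot; it parses imap-login "Disconnected ... TLS handshaking:" lines in the format shown above and tallies handshake failures per client address, so a burst of certificate alerts after a certificate or chain change stands out. The sample log lines are constructed (documentation-range addresses replace X.X.X.X; the alert-48 line and the successful-login line were added to show the non-matching cases); the alert number to name mapping is RFC 5246 section 7.2.2.

```python
import re
from collections import Counter

# Shape of Dovecot's imap-login handshake-failure lines, as shown in the thread
# (Unix timestamp, service, "Disconnected (reason)", user, remote/local IPs, TLS detail).
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<service>[\w-]+): Info: Disconnected \((?P<reason>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: (?P<detail>.*)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# TLS alert descriptions that point at certificate trouble (RFC 5246 section 7.2.2).
ALERT_NAMES = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}


def parse_line(line):
    """Return a dict for a handshake-failure line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    alert = ALERT_RE.search(rec["detail"])
    rec["alert"] = int(alert.group(1)) if alert else None
    return rec


def summarize(lines):
    """Per remote IP, count how each TLS handshake ended: {rip: Counter(label -> n)}."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["alert"] is not None:
            label = f"alert {rec['alert']} ({ALERT_NAMES.get(rec['alert'], 'other')})"
        elif rec["detail"].startswith("Connection closed"):
            label = "closed before finishing handshake"
        else:
            label = rec["detail"]
        per_ip.setdefault(rec["rip"], Counter())[label] += 1
    return per_ip


def certificate_rejections(lines):
    """Sorted (rip, alert number, alert name) for every certificate-related alert seen."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["alert"] in ALERT_NAMES:
            hits.append((rec["rip"], rec["alert"], ALERT_NAMES[rec["alert"]]))
    return sorted(hits)


# Constructed sample: Peter's two lines with documentation-range addresses, plus one
# constructed alert-48 line and one successful login that the parser must ignore.
SAMPLE_LOG = [
    "1561801584 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, "
    "rip=203.0.113.5, lip=198.51.100.10, TLS handshaking: Connection closed",
    "1561801592 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, "
    "rip=203.0.113.5, lip=198.51.100.10, TLS handshaking: SSL_accept() failed: "
    "error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46",
    "1561801600 imap-login: Info: Disconnected (no auth attempts in 2 secs): user=<>, "
    "rip=203.0.113.9, lip=198.51.100.10, TLS handshaking: SSL_accept() failed: "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48",
    "1561801605 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, "
    "lip=198.51.100.10, TLS",
]

if __name__ == "__main__":
    for rip, counts in summarize(SAMPLE_LOG).items():
        print(rip, dict(counts))
    print(certificate_rejections(SAMPLE_LOG))
```

Run it over `grep 'TLS handshaking' /var/log/dovecot.log` (or wherever imap-login logs) and compare the tallies before and after a certificate rollout; a client that "closed before finishing handshake" without an alert is typically one that validated silently (iOS Mail in Peter's case), so both labels are worth watching.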
> On 11.01.2018 13:20, Hauke Fath wrote:
>> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>>> Was the certificate path bundled in the server certificate?
>> No, as a separate file, provided from the local (intermediate) CA:
>>
>> ssl_cert = </etc/openssl/certs/server.cert
>> ssl_key = </etc/openssl/private/server.key
>> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>>
>> Worked fine with 2.2.x, 2.3 gives
>>
>> % openssl s_client -connect XXX:993
>> CONNECTED(00000006)
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [...]
>> %
>>
>
> Seems we might've made an unexpected change here when we revamped the SSL
> code. Can you try if it works if you concatenate the cert and cert-chain
> into a single file? We'll start looking into whether this is a misunderstanding or a bug.
>
> Aki

-----------------------------------------------------------------

Hi Aki,

I believe that Dovecot 2.3.6 sends only one certificate even though my Dovecot uses two concatenated certificates.

Thanks for looking into this.

Regards,
Peter
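Three symptoms in this thread are all visible in the order and identity of the PEM blocks a server presents or a bundle contains: Olaf's server sent its own leaf three times, Peter's `-showcerts` capture shows a leaf followed by a self-signed issuer, and Peter's last message suspects that only one certificate goes out. The checker below is an added example, not code from the thread or from Dovecot: it takes PEM text (a local `server.cert` with the chain appended, or the blocks saved from `openssl s_client -showcerts`, which appear in the order the server sent them), flags duplicate certificates, and checks the RFC 5280 chaining rule that the issuer name of certificate n must be byte-identical to the subject name of certificate n+1. It uses only the standard library; a small DER walker extracts the names. The sample certificates at the bottom are constructed, unsigned skeletons (assumed names `imap.example.test`, `Example Intermediate CA`, `Example Root CA`) that exist only so the check can run offline; they would fail any real signature verification.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def subject_issuer(der):
    """Return (subject, issuer) as the raw DER Name encodings of one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)                # TBSCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # version [0] EXPLICIT (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)               # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)               # subject Name
    return tbs[start:pos], issuer


def common_name(name_der):
    """Best-effort CN for messages: locate OID 2.5.4.3 and decode the string value after it."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return "<no CN>"
    _, value, _ = _tlv(name_der, i + 5)
    return value.decode("utf-8", "replace")


def load_bundle(pem_text):
    """Split PEM text into DER certificates, in the order they appear."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(pem_text)]


def describe_chain(pem_text):
    """List (subject CN, issuer CN) per certificate, in bundle order."""
    return [(common_name(s), common_name(i)) for s, i in map(subject_issuer, load_bundle(pem_text))]


def check_chain(pem_text):
    """Return a list of problems; empty means leaf first, each cert followed by its issuer."""
    certs = load_bundle(pem_text)
    if not certs:
        return ["no certificates found"]
    problems, seen = [], {}
    for idx, der in enumerate(certs):
        fp = hashlib.sha256(der).hexdigest()[:16]
        if fp in seen:                       # the same certificate twice is never a valid chain
            problems.append(f"cert {idx} duplicates cert {seen[fp]} (sha256 {fp}...)")
        seen.setdefault(fp, idx)
    names = [subject_issuer(c) for c in certs]
    for idx in range(len(certs) - 1):
        issuer, next_subject = names[idx][1], names[idx + 1][0]
        if issuer != next_subject:           # RFC 5280 chaining: issuer of n == subject of n+1
            problems.append(f"cert {idx} ({common_name(names[idx][0])}) was issued by "
                            f"{common_name(issuer)!r}, but cert {idx + 1} is {common_name(next_subject)!r}")
    return problems


# --- constructed sample certificates: unsigned skeletons, only for exercising the checks ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQUENCE OF RDN, here one RDN holding commonName (OID 2.5.4.3) as UTF8String."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def sample_cert_pem(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                  # version v3
           + _der(0x02, b"\x01")                                            # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _name(issuer_cn)
           + _der(0x30, b"")                                                # validity (empty placeholder)
           + _name(subject_cn)
           + _der(0x30, b""))                                               # subjectPublicKeyInfo (placeholder)
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))  # no real signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = sample_cert_pem("imap.example.test", "Example Intermediate CA")
INTERMEDIATE = sample_cert_pem("Example Intermediate CA", "Example Root CA")

if __name__ == "__main__":
    print(check_chain(LEAF + INTERMEDIATE))   # []: leaf followed by its issuer
    print(check_chain(LEAF + LEAF + LEAF))    # duplicates plus ordering errors, like the chain Olaf saw
    print(check_chain(INTERMEDIATE + LEAF))   # reversed order
```

To check what a server actually sends rather than what the file contains, save the output of `openssl s_client -showcerts -connect host:993 </dev/null` and pass it to `check_chain`; a single block whose issuer CN differs from its subject CN is the "only one certificate sent" case, and `describe_chain` prints the subject/issuer pairs so the gap is obvious. A bundle whose last certificate is an intermediate is fine as long as clients already trust that intermediate's issuer; the check deliberately does not demand a self-signed root at the end.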