dovecot - Feb 2019 - password protected ssl key seems unsupported after update to 2.3.4.1

Hi,

On a debian server after an update to dovecot to 2.3.4.1 imaps mail client stop
working.
I?ve applied necessary migration for ssl_dh (cf
https://wiki.dovecot.org/Upgrading/2.3
<https://wiki.dovecot.org/Upgrading/2.3> ) but that was not enough. The
workaround I?ve setup was to remove password protection from the ssl_key file.
All tests with ssl_key_password parameter failled (direct password,
<path-file-with-password)

searching I?ve found a message reporting a problem with that parameter and
Stephan said it was tracked internally as DOP-851

Hope this will help.

Regards,
Franck

debian updade from dovecot-core:amd64 (1:2.2.34-2~bpo9+1, 1:2.3.4.1-1~bpo9+1)

# dovecot -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-0.bpo.2-amd64 x86_64 Debian 9.8 xfs
?/?

The error message in the log prior to the workaround was : "dovecot:
imap-login: Error: Failed to initialize SSL server context: Couldn't parse
private SSL key: error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt, error:23077074:PKCS12
routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error, error:2306A075:PKCS12
routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error, error:0907B00D:PEM
routines:PEM_read_bio_PrivateKey:ASN1 lib: user=<>, rip=192.168.0.254,
lip=192.168.0.51, session=<thtmP6iCc9jAqAD+> ?




-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190224/6b259970/attachment.html>

It's in our backlog, but not fixed yet.

Aki

On 24.2.2019 21.30, admin--- via dovecot wrote:
> Hi,
>
> On a debian server after an update to dovecot to 2.3.4.1 imaps mail
> client stop working.
> I?ve applied?necessary migration for ssl_dh
> (cf?https://wiki.dovecot.org/Upgrading/2.3?) but that was not enough.
> The workaround I?ve setup was to remove password protection from the
> ssl_key file. All tests with?ssl_key_password parameter failled
> (direct password, <path-file-with-password)
>
> searching I?ve found a message reporting a problem with that parameter
> and Stephan said it was tracked internally as?DOP-851
>
> Hope this will help.
>
> Regards,
> Franck
>
> debian updade from dovecot-core:amd64 (1:2.2.34-2~bpo9+1,
> 1:2.3.4.1-1~bpo9+1)
>
> # dovecot -n
> # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.4 ()
> # OS: Linux 4.19.0-0.bpo.2-amd64 x86_64 Debian 9.8 xfs
> ?/?
>
> The error message in the log prior to the workaround was : "dovecot:
> imap-login: Error: Failed to initialize SSL server context: Couldn't
> parse private SSL key: error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt,?error:23077074:PKCS12
> routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error,
> error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe
> crypt error, error:0907B00D:PEM?routines:PEM_read_bio_PrivateKey:ASN1
> lib: user=<>, rip=192.168.0.254, lip=192.168.0.51,
> session=<thtmP6iCc9jAqAD+>??
>
>
>
>

Thanks for that quick answer. Apart from this mailing list, is there a way to
follow the work on a precise ticket? If not, by curiosity, what is the reason?

Franck  
> Le 25 f?vr. 2019 ? 09:33, Aki Tuomi via dovecot <dovecot at
dovecot.org> a ?crit :
> 
> It's in our backlog, but not fixed yet.
> 
> Aki
> 
> On 24.2.2019 21.30, admin--- via dovecot wrote:
>> Hi,
>> 
>> On a debian server after an update to dovecot to 2.3.4.1 imaps mail
>> client stop working.
>> I?ve applied necessary migration for ssl_dh
>> (cf https://wiki.dovecot.org/Upgrading/2.3 ) but that was not enough.
>> The workaround I?ve setup was to remove password protection from the
>> ssl_key file. All tests with ssl_key_password parameter failled
>> (direct password, <path-file-with-password)
>> 
>> searching I?ve found a message reporting a problem with that parameter
>> and Stephan said it was tracked internally as DOP-851
>> 
>> Hope this will help.
>> 
>> Regards,
>> Franck
>> 
>> debian updade from dovecot-core:amd64 (1:2.2.34-2~bpo9+1,
>> 1:2.3.4.1-1~bpo9+1)
>> 
>> # dovecot -n
>> # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.4 ()
>> # OS: Linux 4.19.0-0.bpo.2-amd64 x86_64 Debian 9.8 xfs
>> ?/?
>> 
>> The error message in the log prior to the workaround was :
"dovecot:
>> imap-login: Error: Failed to initialize SSL server context:
Couldn't
>> parse private SSL key: error:06065064:digital envelope
>> routines:EVP_DecryptFinal_ex:bad decrypt, error:23077074:PKCS12
>> routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error,
>> error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe
>> crypt error, error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1
>> lib: user=<>, rip=192.168.0.254, lip=192.168.0.51,
>> session=<thtmP6iCc9jAqAD+> ?
>> 
>> 
>> 
>>