On 11.01.2018 13:20, Hauke Fath wrote:
> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>> Was the certificate path bundled in the server certificate?
> No, as a separate file, provided from the local (intermediate) CA:
>
> ssl_cert = </etc/openssl/certs/server.cert
> ssl_key = </etc/openssl/private/server.key
> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>
> Worked fine with 2.2.x, 2.3 gives
>
> % openssl s_client -connect XXX:993
> CONNECTED(00000006)
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> %

Seems we might've made an unexpected change here when we revamped the ssl code. Can you try if it works if you concatenate the cert and cert-chain to single file? We'll start looking if this is misunderstanding or bug.

Aki

-----------------------------------------------------------------

Hi Aki,

I believe that Dovecot 2.3.6 sends only one certificate even though my Dovecot uses two concatenated certificates.

Thanks for looking into this.

Regards,
Peter

On 2.7.2019 8.06, Peter via dovecot wrote:
> Hi Aki,
>
> I believe that Dovecot 2.3.6 sends only one certificate even though my
> Dovecot uses two concatenated certificates.
>
> Thanks for looking into this.
>
> Regards,
> Peter

Hi!

Can you provide readable output of

openssl s_client -connect host:993

Aki

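
One way to condense the `openssl s_client` output requested above into a single line showing how many certificates the server sent and whether they link together (an added example, not part of the original thread or of Dovecot). The function names are hypothetical and the two sample outputs are constructed with example.org names.

```shell
#!/bin/sh
# Added example. Summarise the "Certificate chain" section of
# `openssl s_client` output read from stdin. Prints "<count> <status>":
#   none      - no chain section was found
#   leaf-only - only certificate 0 was sent and it is not self-signed
#   linked    - each certificate's issuer is the next certificate's subject
#   broken    - several certificates were sent but they do not link up
# Live use: openssl s_client -connect host:993 </dev/null 2>/dev/null | chain_summary
chain_summary() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
        END {
            status = "linked"
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) status = "broken"
            if (n == 1 && iss[0] != subj[0]) status = "leaf-only"
            if (n == 0) status = "none"
            print n, status
        }'
}

# Constructed sample: the server sends only its own certificate,
# the situation reported in the thread (verify error 20/21 on the client).
sample_leaf_only() {
cat <<'EOF'
CONNECTED(00000006)
---
Certificate chain
 0 s:/C=XX/O=Example Org/CN=imap.example.org
   i:/C=XX/O=Example Org/CN=Example Intermediate CA
---
Server certificate
EOF
}

# Constructed sample: the intermediate is sent along with the leaf.
sample_with_intermediate() {
cat <<'EOF'
CONNECTED(00000006)
---
Certificate chain
 0 s:/C=XX/O=Example Org/CN=imap.example.org
   i:/C=XX/O=Example Org/CN=Example Intermediate CA
 1 s:/C=XX/O=Example Org/CN=Example Intermediate CA
   i:/C=XX/O=Example Root/CN=Example Root CA
---
Server certificate
EOF
}
```

A `leaf-only` result is only a problem when the leaf was issued by an intermediate CA that clients do not already trust; a leaf signed directly by a trusted root would report the same status.
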
Hi Aki,

I failed to disclose that the described problem occurs on iOS 13.0 beta.

After trying again and again, it appears that a bug in iOS 13.0 beta is the likely culprit. I am reading on Reddit that there is some bug in iOS with certificate trust...

https://www.reddit.com/r/signal/comments/c2q6c6/anyone_using_signal_in_ios_13_beta_iphone/

Kind regards,
Peter Kahl

On 3 Jul 2019, at 02:55, Peter Kahl via dovecot <dovecot at dovecot.org> wrote:
> I failed to disclose that the described problem occurs on iOS 13.0 beta.
>
> After trying again and again, it appears that a bug in iOS 13.0 beta is the likely culprit. I am reading on Reddit that there is some bug in iOS with certificate trust...

I am accessing my dovecot mail via iOS 13 beta without issue. (now on beta 3, but had no issues with beta 2 or 3. Well, no issues with MAIL that is).

I am running current dovecot. I just opened the mail client on my phone:

imap(kremels at kreme.com)<12940><14ffIdeMDf9JDqGg>: ID sent: name=iPhone Mail, version=17A5522f, os=iOS, os-version=13.0 (17A5522f)