hanasaki at gmail.com
2020-Apr-30 11:49 UTC
Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.

Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. The cert created does work with evolution; just not thunderbird.

Thoughts?

Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->

reference
http://forums.debian.net/viewtopic.php?f=5&t=145849
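Added example (not part of the original post and not Dovecot's or OpenSSL's own code): a small Python decoder for the debug lines in the log above, showing which side raised the alert. The bit values come from OpenSSL's ssl.h and the error-code layout is the OpenSSL 1.1.x one; the name `decode_line` is hypothetical.

```python
import re

# Info-callback "where" bits, values from OpenSSL's ssl.h.
WHERE_BITS = {
    0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
    0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
    0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT",
}
# Certificate-related TLS alert descriptions (RFC 8446, section 6).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET
INFO_RE = re.compile(r"SSL(?: alert)?: where=(0x[0-9a-f]+), ret=(-?\d+)")
ERR_RE = re.compile(r"error:([0-9A-F]{8}):")

def decode_line(line):
    """Return a dict describing one Dovecot SSL debug line, or None."""
    m = INFO_RE.search(line)
    if m:
        where, ret = int(m.group(1), 16), int(m.group(2))
        out = {"flags": [n for b, n in sorted(WHERE_BITS.items()) if where & b]}
        if where & 0x4000:  # for alerts, ret packs (level << 8) | description
            out["level"] = {1: "warning", 2: "fatal"}.get(ret >> 8, "unknown")
            out["alert"] = ALERTS.get(ret & 0xFF, str(ret & 0xFF))
            out["sent_by"] = "peer" if where & 0x04 else "local"
        return out
    m = ERR_RE.search(line)
    if m:  # OpenSSL 1.1.x packing: 8 bits library, 12 bits function, 12 bits reason
        code = int(m.group(1), 16)
        reason = code & 0xFFF
        out = {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason}
        if reason > ALERT_REASON_OFFSET:  # reason 1000+n records a received alert n
            n = reason - ALERT_REASON_OFFSET
            out["alert"], out["sent_by"] = ALERTS.get(n, str(n)), "peer"
        return out
    return None

# Lines copied from the log in the post above (timestamps and host dropped).
SAMPLE = [
    "dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate",
    "dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate",
    "dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(decode_line(sample_line))
```

For the logged lines this reports a fatal bad_certificate alert that Dovecot read from its peer, meaning the client sent the alert after receiving the server certificate.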
You are missing intermediate certs from your certfile. Put them after cert in order towards root.

---
Aki Tuomi
hanasaki at gmail.com
2020-Apr-30 18:36 UTC
Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
Hello,

This is a selfsigned cert. Both of the below methods were used. May I ask for
1. pointer to info setting up "intermediate certs" and where the certfile goes?

The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.

Separately, what are your thoughts as to why evolution works and thunderbird does not?

Thank you,

==1
openssl genrsa -out key.pem 2048
openssl req -new -sha512 -key key.pem -out csr.csr
openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem

On 4/30/20 8:11 AM, Aki Tuomi wrote:
> You are missing intermediate certs from your certfile. Put them after
> cert in order towards root.
>
> ---
> Aki Tuomi