[Dovecot] Enabling even more debug info for SSL/TLS handling during handshaking?

Timo Sirainen tss at iki.fi
Thu Mar 19 01:57:47 EET 2009


On Thu, 2009-03-19 at 00:37 +0100, Johan Persson wrote:
> I'm working with an IMAP client for an S60 (Nokia) phone and we are having a 
> small problem (not in Dovecot!) but somewhere deep in our own system which has 
> to do with certificates that are self signed.
> 
> Somehow in some circumstance if you accept a self-signed certificate as an
> exception then the client will send a strange command to the imap-login which 
> it doesn't recognize. We are quite sure this is a problem in our own system 
> and not with Dovecot

So it's not easily reproducible?

> Since we have no access to the certificate (SSL/TLS) handling code we are a 
> bit at a loss here and have to "prove" to "the other" guys in Finland that it's 
> their fault :-)

You mean a bug in S60 libraries?

> imap-login: Disconnected (no auth attempts): rip=some.ip.address 
> user_name=192.168.0.2, TLS handshaking: SSL_accept() failed: 
> error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpectedmessage
..
> Is there some more debugging we could enable to see exactly the type of wrong 
> command the SSL/certificate handling is sending in the handshake procedure?
> 
> (We have all the debug and/or the auth_* flags in dovecot.conf enabled 
> already)

verbose_ssl=yes makes Dovecot log all errors/warnings that OpenSSL can
tell (AFAIK). Perhaps you could use this:

http://crypto.stanford.edu/~eujin/sslsniffer/index.html
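The error code in the quoted log line can be decoded without any extra Dovecot logging. The following is an added example, not part of the original thread or of Dovecot: it unpacks the hex code using the error layout of OpenSSL versions before 3.0, where an SSL-library reason of 1000 or more means a fatal alert was received from the peer. The function name and the second sample line are constructed for illustration.

```python
import re

# OpenSSL before 3.0 packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20              # 0x14, the "SSL routines" library
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 are alerts read from the peer

# Alert descriptions from the TLS specifications (handshake-relevant subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# The log line quoted in the thread, joined onto one line.
THREAD_LINE = ("imap-login: Disconnected (no auth attempts): rip=some.ip.address "
               "user_name=192.168.0.2, TLS handshaking: SSL_accept() failed: "
               "error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpectedmessage")
# Constructed sample: an error raised locally by the server, not an alert from the peer.
LOCAL_LINE = ("imap-login: TLS handshaking: SSL_accept() failed: "
              "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number")

def decode_openssl_error(line):
    """Return the decoded fields of the first OpenSSL error in a log line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "func_name": m.group(3), "text": m.group(4).strip(),
              "alert_from_peer": False, "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        result["alert_from_peer"] = True
        result["alert"] = (number, TLS_ALERTS.get(number, "unknown"))
    return result

if __name__ == "__main__":
    for sample in (THREAD_LINE, LOCAL_LINE):
        print(decode_openssl_error(sample))
```

For the line from the thread this reports alert 10 (unexpected_message) with `alert_from_peer` set, so the alert was sent by the client and read by the server rather than raised by the server itself.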