[Dovecot] SSL with startssl.com certificates

Reindl Harald h.reindl at thelounge.net
Wed Oct 9 23:15:00 EEST 2013


On 09.10.2013 22:09, Eliezer Croitoru wrote:
> On 10/09/2013 10:55 PM, Reindl Harald wrote:
>>
>>
>> On 09.10.2013 21:45, Eliezer Croitoru wrote:
>>> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>>>>
>>>>
>>>> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>>>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>>>>
>>>>>> *** /var/log/maillog ***
>>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed:
>>>>>> where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth
>>>>>> attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197,
>>>>>> TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
>>>>> How about trying to use a username to identify the user??
>>>>> it is very clear that there is nothing that the client tries to do...
>>>>
>>>> it is much more clear that there is no username if the client
>>>> refuses the SSL handshake because it does not like the cert
>>>> or the offered ssl-ciphers
>>>>
>>>> user=<> is pretty normal in a lot of cases
>>>>
>>>> * ssl cert not accepted and not allowed by the user in case of untrusted
>>>> * no cipher the client accepts
>>>> * no auth-mech the client accepts offered by the server
>>>>
>>>> so how do *you* imagine to see a username in the log?
>>>>
>>> I expect that StartSSL will put good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..
>>
>> not their job and not part of the problem
>>
>> * your client accepts a certificate
>> * your client does not accept your certificate
>>
>> in case it does not *you* as enduser have to accept/import the servers cert
>>
>> http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
>> http://www.startssl.com/?app=25#31
>>
>> if someone does not know what an "intermediate CA" is, he needs to RTFM or *read* the
>> messages of his client or buy certificates accepted by all major clients
>>
>> but that all has less to do with your blunt "it is very clear that there is nothing that
>> the client tries to do" showing that you have zero experience of how a client handshake
>> works -> it does not send usernames or even passwords until it is satisfied
>> with the negotiation of auth-mechs and the ssl-handshake
>>
> I would try to use StartSSL with squid and I will see if the docs in squid ssl-bump explain the subject in a way I
> can understand

RTFM http://www.startssl.com/?app=25 or go to http://www.thawte.com/

> As Dan explained, his major problem is with a specific encryption cipher in a very specific size..
> I would imagine that a 4k-bit certificate handshake and validation can take more than 1 sec..
> Am I right about it?

why in the world should it take more than 1 second?
and even if - how does this matter?
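The "intermediate CA" point above is the one practitioners trip over most: a StartSSL Class 1 certificate is issued by an intermediate, so a client that only ships the root cannot build a chain unless the server sends the intermediate too, and Dovecot then logs exactly the "TLS handshaking: Disconnected ... user=<>" line quoted at the top of this thread. The script below is an added example, not part of this thread or of Dovecot; it builds a throw-away root -> intermediate -> server PKI with openssl (all names such as "Example Root" and imap.example.test are constructed), then verifies the server certificate the way a client that trusts only the root would, once with the leaf alone and once with the leaf plus intermediate, which is the layout Dovecot expects in the file its ssl_cert setting points at.

```shell
#!/bin/sh
# Added example: reproduce the "missing intermediate CA" failure offline and
# show the chain file Dovecot's ssl_cert must contain. Not from the thread;
# every name, path and certificate here is constructed for the demonstration.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Throw-away PKI: root -> intermediate -> server (leaf). The client is assumed
# to trust only the root, like a mail client that ships a CA's root but not
# the intermediate that actually signed the server certificate.
gen_pki() {
    # Root: self-signed, explicitly marked as a CA so verification does not
    # depend on whatever openssl.cnf happens to be installed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl x509 -req -days 1 -in root.csr -signkey root.key \
        -extfile root.ext -out root.pem >/dev/null 2>&1

    # Intermediate: signed by the root, CA:TRUE with pathlen 0.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout int.key -out int.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile int.ext -out int.pem >/dev/null 2>&1

    # Server (leaf): signed by the intermediate, not the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > leaf.ext
    openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

    # What a correct Dovecot ssl_cert file looks like: leaf first, then the
    # intermediate(s). The root is not needed; the client already has it.
    cat leaf.pem int.pem > chain.pem
}

# Simulate a client that trusts only root.pem and receives the certificate
# file $1 from the server. Prints "ok" or "fail".
client_verify() {
    if openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Live check against a real server (not run here): count the certificates the
# server actually sends. "1" means only the leaf, i.e. the intermediate is
# missing from ssl_cert. Usage: count_served_certs imap.example.test:993
count_served_certs() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

gen_pki
echo "server sends leaf only:         $(client_verify leaf.pem)"   # fail
echo "server sends leaf+intermediate: $(client_verify chain.pem)"  # ok
```

With a real certificate the fix is the same `cat server.pem intermediate.pem > chain.pem` and `ssl_cert = </path/to/chain.pem` in Dovecot's configuration; for port 143 rather than 993, add `-starttls imap` to the s_client call in count_served_certs. A handshake that fails this way never reaches authentication, which is why no username appears in the log.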
