[dovecot] Re: Something wrong in SSL ?

Juha Ylitalo juha.o.ylitalo at nokia.com
Mon Apr 14 08:56:04 EEST 2003


On Sat, 2003-04-12 at 18:14, ext Timo Sirainen wrote:
> On Fri, 2003-04-11 at 09:41, Juha Ylitalo wrote:
> > If I try same openssl s_client command on my web server, it gets
> > everything correctly. As result from this one, I've even tried to use
> > certificate from my web server with IMAP and even then openssl keeps on
> > saying that there is bad record mac.
> > 
> > Is this bug in dovecot's SSL handling or have I managed to mess
> > something in my setup?
> 
> Did you compile Dovecot with GNUTLS or OpenSSL? If GNUTLS, maybe there's
> some problems with it. If OpenSSL .. well, I don't know really. I don't
> have any problems with mutt, Evolution, Outlook or OE at least.

It's compiled with OpenSSL, since that is the default option for dovecot in
FreeBSD ports (and since OpenSSL is pretty much in all Linux/BSD boxes
it would be silly to use something else on those).
Here is a more concrete example of how things go wrong. This test is based
on the instructions in http://mutt.sourceforge.net/imap/README.SSL and I
will first demonstrate how it works with Apache (which works
beautifully) and then with imap (which doesn't work):
########
### WITH HTTPS
########
bash-2.05a$ openssl s_client -host localhost -port 443 -verify -debug 2>&1 > https.log
verify depth is 0
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=21:unable to verify the first certificate
verify return:1
^]close
########
### WITH IMAPS
########
bash-2.05a$ openssl s_client -host localhost -port 993 -verify -debug 2>&1 > imaps.log
verify depth is 0
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=21:unable to verify the first certificate
verify return:1
66460:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s3_pkt.c:1046:SSL alert number 20
66460:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s23_lib.c:226:
bash-2.05a$ 

-- 
Juha Ylitalo       juha.o.ylitalo at nokia.com           <work e-mail>
+358 40 562 6152   http://linux.nokia.com/~jylitalo/  <work www>

-------------- next part --------------
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
   i:/C=FI/ST=Finland/L=Helsinki/O=Juha Ylitalo/CN=Juha Ylitalo/Email=jylitalo at iki.fi
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDzCCA7mgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCRkkx
EDAOBgNVBAgTB0ZpbmxhbmQxETAPBgNVBAcTCEhlbHNpbmtpMRUwEwYDVQQKEwxK
dWhhIFlsaXRhbG8xFTATBgNVBAMTDEp1aGEgWWxpdGFsbzEeMBwGCSqGSIb3DQEJ
ARYPanlsaXRhbG9AaWtpLmZpMB4XDTAzMDMyNjIxNDA0OVoXDTA0MDMyNTIxNDA0
OVowVDELMAkGA1UEBhMCRkkxEDAOBgNVBAgTB0ZpbmxhbmQxFTATBgNVBAoTDEp1
aGEgWWxpdGFsbzEcMBoGA1UEAxMTanlsaXRhbG8uaG9tZWlwLm5ldDCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEAzpvc/kFQxlk6qjp5B+kTeoj2C5rQ13up7VF+
MCIUEVuro010m5W+rR/2chu2c05DkWATad1udBWss4kH57ac2jBEgc9Kvngkvy5m
YzZhyWt/xGaSdQcgoO7Uy8K0hYkTsUjyMw6OGo4KjhCIpI0vbrOtLQncSavLgTdl
4guupSsCAwEAAaOCAgMwggH/MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZA
MEAGCWCGSAGG+EIBDQQzFjFDZXJ0aWZpY2F0ZSBpc3N1ZWQgYnkgaHR0cDovL3d3
dy5pa2kuZmkvanlsaXRhbG8vMB0GA1UdDgQWBBQH1GMjDRQ/Rkns++h7NNmhubld
DjCBrQYDVR0jBIGlMIGigBT8l2HdIe3A4V8GM6o83EZ62vsHU6GBhqSBgzCBgDEL
MAkGA1UEBhMCRkkxEDAOBgNVBAgTB0ZpbmxhbmQxETAPBgNVBAcTCEhlbHNpbmtp
MRUwEwYDVQQKEwxKdWhhIFlsaXRhbG8xFTATBgNVBAMTDEp1aGEgWWxpdGFsbzEe
MBwGCSqGSIb3DQEJARYPanlsaXRhbG9AaWtpLmZpggEAMC4GCWCGSAGG+EIBAgQh
Fh9odHRwczovL2p5bGl0YWxvLmhvbWVpcC5uZXQvY2EvMDAGA1UdEgQpMCeGJWh0
dHBzOi8vanlsaXRhbG8uaG9tZWlwLm5ldC9jYS9jYS5jcnQwNgYDVR0fBC8wLTAr
oCmgJ4YlaHR0cHM6Ly9qeWxpdGFsby5ob21laXAubmV0L2NhL2NhLmNybDA0Bglg
hkgBhvhCAQQEJxYlaHR0cHM6Ly9qeWxpdGFsby5ob21laXAubmV0L2NhL2NhLmNy
bDANBgkqhkiG9w0BAQQFAANBAAlNhvDVOirSEtHiV8uRFfUdQnhCPjtk0Hm70sxE
gJzMke6ysra6BYrDL4mpMOS252U9JeqcGQyhqzlNHDXAV0M=
-----END CERTIFICATE-----
subject=/C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
issuer=/C=FI/ST=Finland/L=Helsinki/O=Juha Ylitalo/CN=Juha Ylitalo/Email=jylitalo at iki.fi
---
No client certificate CA names sent
---
SSL handshake has read 1599 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 857DC023D37DF585E8E49EFA554634D68878AC3B776F43DFB3B9089DAB58D026
    Session-ID-ctx: 
    Master-Key: 1578B2EC2D10A14C074E9832CBEEFB92C2BFC9FC81E588889176AF89D46E1619F3592B02EA193CAC9AF0EEAFE6E112E9
    Key-Arg   : None
    Start Time: 1050299499
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
close to /index.html not supported.<P>
Invalid method in request \x1dclose<P>
</BODY></HTML>
closed
-------------- next part --------------
CONNECTED(00000003)
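The two transcripts above mix two unrelated things: the verify errors 20/27/21 (the client has no trust anchor for the private CA that issued the certificate, which is expected unless the CA certificate is passed with -CAfile) and, in the IMAPS case only, a fatal "bad record mac" alert (SSL alert number 20) received by the client after the certificate exchange. Below is an added example, not code from the original mail or from Dovecot, that triages saved s_client output and keeps the two apart. The three sample logs are constructed, modelled on the transcripts in the mail; the function names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original mail or of Dovecot: triage the
# output of
#     openssl s_client -connect HOST:PORT -verify 1 2>&1 | tee s_client.log
# and separate the two failure classes seen in the thread:
#   * chain-verification failures (verify error num=20/27/21): the client
#     has no trust anchor for the issuer; expected for a private CA unless
#     -CAfile ca.crt is given, and not a server-side fault;
#   * fatal protocol failures after the certificate exchange, such as
#     "sslv3 alert bad record mac" (SSL alert number 20), which abort the
#     handshake regardless of trust settings.
# Uses only POSIX sh, grep, sed, tail and printf.

# Extract the key facts from one s_client log. Prints:
#   verify=<n> handshake=<ok|failed> alert=<n|none>
triage_sclient_log() {
    _log=$1
    # "Verify return code: N (...)" is in the session summary; the per-depth
    # "verify error:num=N" lines are printed earlier on stderr. Prefer the
    # summary, fall back to the last per-depth error, else 0.
    _verify=$(sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' "$_log" | tail -n 1)
    [ -n "$_verify" ] || _verify=$(sed -n 's/.*verify error:num=\([0-9][0-9]*\):.*/\1/p' "$_log" | tail -n 1)
    [ -n "$_verify" ] || _verify=0
    # The byte-count summary line only appears once the handshake completed.
    if grep -q '^SSL handshake has read' "$_log"; then _hs=ok; else _hs=failed; fi
    # Alert number from an "SSL routines:...:SSL alert number N" error line.
    _alert=$(sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' "$_log" | tail -n 1)
    [ -n "$_alert" ] || _alert=none
    printf 'verify=%s handshake=%s alert=%s\n' "$_verify" "$_hs" "$_alert"
}

# Turn the triage line into a verdict a practitioner can act on.
diagnose_sclient_log() {
    set -- $(triage_sclient_log "$1")
    _verify=${1#verify=}; _hs=${2#handshake=}; _alert=${3#alert=}
    if [ "$_hs" != ok ]; then
        # Handshake aborted: trust settings are irrelevant, look at the alert.
        printf 'protocol-failure(alert=%s)\n' "$_alert"
    elif [ "$_verify" -eq 0 ]; then
        printf 'clean\n'
    else
        case $_verify in
            # Missing/untrusted issuer: supply the CA, do not blame the server.
            20|21|27) printf 'untrusted-issuer(verify=%s): retry with -CAfile\n' "$_verify" ;;
            *)        printf 'verify-failure(verify=%s)\n' "$_verify" ;;
        esac
    fi
}

SAMPLE_DIR=$(mktemp -d)   # assumption: a writable temp dir for the constructed logs

# Constructed: HTTPS-style transcript, no trust anchor but a completed handshake.
cat >"$SAMPLE_DIR/https.log" <<'EOF'
CONNECTED(00000003)
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
---
SSL handshake has read 1599 bytes and written 314 bytes
---
    Verify return code: 21 (unable to verify the first certificate)
EOF

# Constructed: IMAPS-style transcript that dies with a bad_record_mac alert.
cat >"$SAMPLE_DIR/imaps.log" <<'EOF'
CONNECTED(00000003)
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
66460:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1046:SSL alert number 20
66460:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
EOF

# Constructed: the same server tested with its CA supplied via -CAfile ca.crt.
cat >"$SAMPLE_DIR/trusted.log" <<'EOF'
CONNECTED(00000003)
depth=1 /C=FI/ST=Finland/L=Helsinki/O=Juha Ylitalo/CN=Juha Ylitalo
verify return:1
depth=0 /C=FI/ST=Finland/O=Juha Ylitalo/CN=jylitalo.homeip.net
verify return:1
---
SSL handshake has read 1599 bytes and written 314 bytes
---
    Verify return code: 0 (ok)
EOF

for f in https imaps trusted; do
    printf '%s: %s\n' "$f" "$(diagnose_sclient_log "$SAMPLE_DIR/$f.log")"
done
```

Two practical notes. First, s_client's -verify option takes a depth argument, so in the command as typed above, -debug is consumed as that depth (which is consistent with the "verify depth is 0" line) and no record-level debug output is produced; use "-verify 1 -debug" to get both. Second, the bad record mac error surfaces in SSL3_READ_BYTES, meaning the alert was received from the server, so it is the server that failed to verify a record the client sent; that is independent of which certificate is installed, which matches the observation that swapping in the web server's certificate did not change the result.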