Discussion:
SSL issues when proxying
Ralf Hildebrandt
2014-09-25 12:22:30 UTC
I'm getting this in the log when proxying IMAP (three "valid
certificate" messages, two "Invalid certificate" messages)

Why is dovecot (acting as a proxy to another dovecot instance here) not
recognizing the StartCom Extended Validation Server CA?

. LOGIN ralf.hildebrandt at charite.de mypassword
Sep 25 14:13:04 auth-worker(30859): Info: mysql(sql.charite.de): Connected to database mailservice
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x10, ret=1: before/connect initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: before/connect initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: unknown state [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: unknown state [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server hello A [127.0.0.1]
Sep 25 14:13:04 imap-login: Info: Invalid certificate: unable to get local issuer certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Invalid certificate: certificate not trusted: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmaster at charite.de/serialNumber=HRAxxxx/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmaster at charite.de/serialNumber=HRAxxxx/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server certificate A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server done A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 flush data [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=1: SSL negotiation finished successfully [127.0.0.1]
. OK [CAPABILITY ...
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Steffen Kaiser
2014-09-25 12:33:37 UTC
Date: Thu, 25 Sep 2014 14:22:30 +0200
From: Ralf Hildebrandt <r at sys4.de>
To: dovecot at dovecot.org
Subject: SSL issues when proxying
I'm getting this in the log when proxying IMAP (three "valid
certificate" messages, two "Invalid certificate" messages)
Is one of your proxies or servers missing a root CA? Or do your hosts
query a cert database or something like that?
Can you validate the cert on all hosts via openssl manually?

--
Steffen Kaiser
lst_hoe02
2014-09-25 12:32:37 UTC
Post by Ralf Hildebrandt
I'm getting this in the log when proxying IMAP (three "valid
certificate" messages, two "Invalid certificate" messages)
Why is dovecot (acting as a proxy to another dovecot instance here) not
recognizing the StartCom Extended Validation Server CA?
Forgot to include the matching intermediate CA maybe?

Regards

Andi

Ralf Hildebrandt
2014-09-25 12:37:12 UTC
Post by lst_hoe02
Post by Ralf Hildebrandt
I'm getting this in the log when proxying IMAP (three "valid
certificate" messages, two "Invalid certificate" messages)
Why is dovecot (acting as a proxy to another dovecot instance here) not
recognizing the StartCom Extended Validation Server CA?
Forgot to include the matching intermediate CA maybe?
Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/postalCode=...
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Oh bloody hell. I do have "StartCom Extended Validation Server CA" but
not "StartCom Certification Authority".

MEH!
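Steffen's suggestion to validate the chain manually and Ralf's finding (the intermediate "StartCom Extended Validation Server CA" is in the proxy's CA store, the self-signed "StartCom Certification Authority" root is not) can be reproduced offline. The Python below is an added example, not code from the thread or from Dovecot: it parses the "Certificate chain" block of `openssl s_client -showcerts` output (a constructed sample with the leaf DN shortened) into subject/issuer pairs and walks it against a local trust store modelled as a subject-to-issuer map, which is what the proxy's CA directory (assumed here to be whatever `ssl_client_ca_dir` points at) amounts to for this purpose. Without a partial-chain mode the walk must end at a self-signed root present in the store, so a store holding only the intermediate yields exactly the `unable to get local issuer certificate` message for the intermediate that appears in Ralf's log.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class ChainEntry(NamedTuple):
    subject: str  # the "s:" line of an s_client chain entry
    issuer: str   # the matching "i:" line


# Constructed sample input mirroring the chain shape pasted in the thread;
# the leaf DN is shortened, the CA DNs are as shown in the thread.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/O=Charite Universitaetsmedizin/CN=imap.charite.de
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
"""

EV_CA = "/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA"
ROOT_CA = "/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority"

# " 0 s:<dn>" or "   i:<dn>"; the depth number only precedes the subject line.
_CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.+)$")


def parse_chain(text: str) -> List[ChainEntry]:
    """Extract (subject, issuer) pairs from the 'Certificate chain' block."""
    entries: List[ChainEntry] = []
    subject = None
    in_chain = False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.startswith("---"):  # end of the chain block
            break
        m = _CHAIN_LINE.match(line)
        if not m:
            continue
        kind, dn = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = dn
        elif subject is not None:
            entries.append(ChainEntry(subject, dn))
            subject = None
    return entries


def verify_chain(entries: List[ChainEntry], trust_store: Dict[str, str],
                 partial_chain: bool = False) -> Tuple[bool, str]:
    """Walk from the leaf towards a root, as a path builder does.

    trust_store maps subject DN -> issuer DN for every certificate in the
    local CA store (a self-signed root maps to itself). Without partial_chain
    the walk has to reach a self-signed root that is in the store, so holding
    only the intermediate locally is not enough; with partial_chain any
    trusted certificate ends the walk (an assumed simplification of the
    partial-chain verification flag some verifiers offer).
    """
    if not entries:
        return False, "peer sent no certificates"
    sent = {e.subject: e for e in entries}
    current = entries[0]
    seen = set()
    while current.subject not in seen:
        seen.add(current.subject)
        if partial_chain and current.subject in trust_store:
            return True, f"chain anchored at trusted certificate: {current.subject}"
        if current.subject == current.issuer:
            if current.subject in trust_store:
                return True, f"chain anchored at trusted root: {current.subject}"
            return False, f"self-signed certificate not in trust store: {current.subject}"
        # The issuer may have been sent by the peer or may only exist locally.
        nxt = sent.get(current.issuer)
        if nxt is None and current.issuer in trust_store:
            nxt = ChainEntry(current.issuer, trust_store[current.issuer])
        if nxt is None:
            return False, f"unable to get local issuer certificate: {current.subject}"
        current = nxt
    return False, f"issuer loop detected at {current.subject}"


def diagnose(s_client_output: str, trust_store: Dict[str, str]) -> Tuple[bool, str]:
    """Parse s_client output and verify it against the given store."""
    return verify_chain(parse_chain(s_client_output), trust_store)


if __name__ == "__main__":
    # Ralf's situation: intermediate present, root missing.
    print(diagnose(SAMPLE_S_CLIENT_OUTPUT, {EV_CA: ROOT_CA}))
    # After adding the StartCom root to the store.
    print(diagnose(SAMPLE_S_CLIENT_OUTPUT, {EV_CA: ROOT_CA, ROOT_CA: ROOT_CA}))
```

Running the script prints a failure naming the EV Server CA for the first store and success for the second, which is the check to repeat on every proxy and backend host: the chain the peer sends must be completable to a root that the host itself trusts.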