Hi All-
I'm completely baffled about a problem I'm having. I recently put up a new
primary mail server. It is solaris 8, sendmail-8.12.11, openssl-0.9.7d. I have
a self-signed certificate and it is installed per the SSLBUILD instructions in
/usr/local/ssl/certs/imapd.pem and copied the same file to ipopd.pem. To
compile uw imap I did a plain, straight forward "make gso." Here's the weird
part: imap over ssl works perfectly. Only pop has a problem.
Using pop on Netscape 7 or Eudora 6, my server generates this error:
ipop3d[4372]:
[ID 890198 mail.alert] Unable to load certificate from
/usr/local/ssl/certs/ipop3d.pem
Using s_client, I get this:
openssl s_client -connect localhost:995 -showcerts
Mar 29 09:41:42 acrux ipop3d[7094]: [ID 890198 mail.alert] Unable to load
certificate from /usr/local/ssl/certs/ipop3d.pem, host=localhost [127.0.0.1]
CONNECTED(00000003)
7093:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:
However, if I connect to the imap port I get this:
openssl s_client -connect localhost:993 -showcerts
CONNECTED(00000003)
depth=0
/CN=acrux.ligo.caltech.edu/ST=California/C=US/[EMAIL PROTECTED]/O
=LIGO Project/OU=caltech
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
/CN=acrux.ligo.caltech.edu/ST=California/C=US/[EMAIL PROTECTED]/O
=LIGO Project/OU=caltech
verify error:num=27:certificate not trusted
verify return:1
depth=0
/CN=acrux.ligo.caltech.edu/ST=California/C=US/[EMAIL PROTECTED]/O
=LIGO Project/OU=caltech
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0
s:/CN=acrux.ligo.caltech.edu/ST=California/C=US/[EMAIL PROTECTED]
/O=LIGO Project/OU=caltech
i:/CN=Becrux CA/ST=California/C=US/[EMAIL PROTECTED]/O=LIGO
Certification Authority
-----BEGIN CERTIFICATE-----
MIIDFzCCAf+gAwIBAgIBHDANBgkqhkiG9w0BAQQFADCBgTESMBAGA1UEAxMJQmVj
cnV4IENBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQGEwJVUzEiMCAGCSqG
SIb3DQEJARYTY2FAbGlnby5jYWx0ZWNoLmVkdTElMCMGA1UEChMcTElHTyBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDAzMjkwNzU3MTVaFw0wOTAzMjgwNzU3
MTVaMIGQMR8wHQYDVQQDExZhY3J1eC5saWdvLmNhbHRlY2guZWR1MRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQswCQYDVQQGEwJVUzEiMCAGCSqGSIb3DQEJARYTY2FAbGln
by5jYWx0ZWNoLmVkdTEVMBMGA1UEChMMTElHTyBQcm9qZWN0MRAwDgYDVQQLEwdj
YWx0ZWNoMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjxjw8Tpomsf+zM5Xn
azeutyUQXRbB7V4kJRJXzG1dELikxVyRyjbIHwfdiH+gD+P0M21J7pAMGi8Fgjy9
pmNGGpsYUgMFx+BDDkEr9gdxg2vWpmQccos42hvMGL/8N+ZxFnvh/OPXXCTTqFbG
7uzI0ltVm7sa6wR+d6Y4uhATJQIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3
DQEBBAUAA4IBAQAWSX5IKZoN053YUOu/s+s0ay/Ny6zHyZRyS36BIquPPxFGwve0
an3A9CApgi5tVbxBp2vobrlLJ5kPFTNi07V1PF5WOOTCQWvE5QJmJ/N5/Bxvm4p5
1wBo0nyEb9PqqeWUXNNHuQ+eMukczAeydPQzQVqhvN8NSpgKIjj3r7icMDK+xaHY
dMrK3hkqIoP09FgFng9S3Gm+8dQqn7eK8MjC0fCRYX7/YCrpjmo9CWPzd/EUwIVa
wRQfi3ZY7yc6dyMNqfh0+XQoRklZ6oKVXfkBGm1LV1HmmTyR8TAVKg9629pMr0fT
TmRFPzPtiEA3DLjxhUvIiVonxfwqgg5CPyhV
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=acrux.ligo.caltech.edu/ST=California/C=US/[EMAIL PROTECTED]
ch.edu/O=LIGO Project/OU=caltech
issuer=/CN=Becrux CA/ST=California/C=US/[EMAIL PROTECTED]/O=LIGO
Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 957 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 593BBBE25B22226C032BA882354A0BEFE3C9B0B7B41B7EBF0C6C6C252E4670A8
Session-ID-ctx:
Master-Key:
3C36C1048411643D76C894EA56250339EDD31266823872C33C3791DF6589268204D5FA84DB9C2F20
F1DBBF932342B017
Key-Arg : None
Start Time: 1080582177
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS AUTH=PLAIN
AUTH=LOGIN] localhost IMAP4rev1 2003.346 at Mon, 29 Mar 2004 09:42:57 -0800
(PST)
Any insight you all can offer would be greatly appreciated.
Thanks-
Lisa
-------------------------
Lisa Bogue
System Administration Group
Ligo Project
[EMAIL PROTECTED]
phone: 626-395-8739
--
------------------------------------------------------------------
For information about this mailing list, and its archives, see:
http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------
