== resend to list = requested by list owner

On 4/30/20 2:47 PM, hanas...@gmail.com wrote:

I would expect the public cert to be imported as a "server" not an "auth"

The attached image shows that TBird wants an httpS url for a webserver, for the source.

Ages ago, I think it prompted for "do you want to trust this new cert" and YES added it (assuming that is the public key) to the server list.  A bit confused by this.

<see attached thunderbird image>

On 4/30/20 2:41 PM, Aki Tuomi wrote:
I see. You need to import the cert into Thunderbird's trusted CA certs.

Aki
On 30/04/2020 21:36 hanas...@gmail.com <hanas...@gmail.com> wrote:


Hello,

This is a selfsigned cert. Both of the below methods were used.

May I ask for 1. pointer to info setting up "intermediate certs" and
where the certfile goes?

The objective is to generate a self-signed cert and use it for just
internal use with IMAPS dovecot.

Separately, what are your thoughts as to why evolution works and
thunderbird does not?

Thank you,

==1

openssl genrsa -out key.pem 2048

openssl req -new -sha512 -key key.pem -out csr.csr

openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem


On 4/30/20 8:11 AM, Aki Tuomi wrote:
On 30/04/2020 14:49 hanas...@gmail.com <mailto:hanas...@gmail.com>
>>
>> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
>> Evolution, on the exact same system, is working fine with the same
>> accounts. Tried recreating the Dovecot cert and also the thunderbird
>> accounts from scratch. The OpenSSL raw client works fine as well.
>>
>> Would someone also confirm the openssl commands to create a selfsigned
>> cert for dovecot imaps. The cert created does work with evolution;
>> just not thunderbird.
>>
>> Thoughts?
>>
>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42
>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in
>> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42, session=<-->
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS read client hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write server hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write change cipher spec
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 write encrypted extensions
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 write server certificate verify
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write finished
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,
>> ret=554: fatal bad certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> error
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42
>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth
>> attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
>> alert bad certificate: SSL alert number 42, session=<--->
>>
>> reference
You are missing intermediate certs from your certfile. Put them after
cert in order towards root.

---
Aki Tuomi
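
Added example, not part of the original thread and not Dovecot's own code: a small Python triage helper that rejoins the mail-wrapped imap-login lines quoted above and reports handshakes where the alert was read from the peer, meaning the mail client refused the server certificate. The function names are hypothetical, and treating a "read" routine as "sent by the client" is a heuristic based on how OpenSSL names the failing routine.

```python
import re

# TLS alert codes that concern the certificate (RFC 8446, section 6).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
FAILURE = re.compile(r"SSL_accept\(\) failed: .*?SSL routines:(\w+):"
                     r".*?SSL alert number (\d+)")

# Log lines quoted from the thread, still wrapped and '>'-quoted by the mail client.
SAMPLE = """\
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,
>> ret=554: fatal bad certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Disconnected (no auth attempts in
>> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42, session=<-->
"""

def join_records(text):
    """Strip '>' quoting and glue wrapped continuation lines onto their record."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def classify(record):
    """Return (alert_name, sender) for a failed server-side handshake, else None."""
    m = FAILURE.search(record)
    if not m:
        return None
    routine, number = m.group(1), int(m.group(2))
    # Heuristic: an alert surfaced by a *read* routine was received from the
    # peer; on the server side (SSL_accept) the peer is the mail client.
    sender = "client" if "read" in routine else "server"
    return CERT_ALERTS.get(number, f"alert_{number}"), sender

def client_rejections(text):
    """One entry per disconnect where the client refused the server certificate."""
    found = [classify(r) for r in join_records(text) if "Disconnected" in r]
    return [f[0] for f in found if f and f[1] == "client" and f[0] in CERT_ALERTS.values()]
```

A non-empty result points at trust on the client side, which matches the advice in the thread to import the certificate into Thunderbird.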