Hi there,

I have been trying to set up pop3s access using UW-IMAP. I am using
Mandrake Linux 8.1, with UW-IMAP and OpenSSL installed as RPMs, so I don't
think that there are any compilation problems.

I hope that it is acceptable to post this to both the OpenSSL and the
UW-IMAP mailing lists, as I'm not sure where the problem lies. I have
already searched the archives for both lists to no avail.

I have followed instructions from various sources and done the following:

1) Created a new CA, and exported the certificate as DER:

# openssl req -new -x509 -config openssl.conf -keyout private/ca-key.pem \
              -out certs/ca-cert.pem -days 365

# openssl x509 -in certs/ca-cert.pem -out certs/ca-cert.der -outform der

2) Imported the CA certificate into Explorer on Windows 2000, checked that
it is listed and that the SHA1 thumbprint matches, and that it is enabled
for Secure E-Mail.

3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
that it is listed. In this case, even after several attempts, the
"fingerprint" listed by Explorer does not match any of the MD2, MD5, SHA1
or MDC2 fingerprints. I don't understand this, but am fairly sure that
no-one is intercepting and replacing the key in transit. Explorer
produces the same fingerprint each time, so it doesn't look like it has
been corrupted either. Eventually I decided to just add the certificate
and see what happened.

4) Set up Outlook Express on both Windows 2000 and MacOS 9.1 to use
pop.commerce.uk.net, and configured it to use SSL on port 995.

5) Created a new key, and signed it with the CA with the common name
'pop.commerce.uk.net':

# openssl req -new -nodes -config openssl.conf -days 365 -keyout \
              pop-key.pem -out pop-req.pem
# openssl ca  -config openssl.conf -policy policy_anything -in pop-req.pem \
              -out pop-cert.pem

6) Concatenated pop-key.pem and pop-cert.pem into ipop3sd.pem (removing
the text version), placing them on the POP server in /usr/lib/ssl/certs/,
and created a link to it with the name of the hash:

# cd /usr/lib/ssl/certs/
# ln -s ipop3sd.pem `openssl x509 -noout -hash < ipop3sd.pem`.0
# ls -l
lrwxrwxrwx    1 root     root           11 Oct 26 13:27 a37eafc7.0 -> ipop3sd.pem
-rw-------    1 root     root         2376 Oct 26 02:01 ipop3sd.pem

7) Tested the setup with (long response indented):

# openssl s_client -connect pop.commerce.uk.net:pop3s
> CONNECTED(00000003)
> depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test
> SSL Certificate/CN=localhost
>    i:/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> Division/CN=Advanced Extranet [EMAIL PROTECTED]

The Apache binary I'm using is from an RPM based on the Apache Advanced
Extranet Server project - I'm not sure what this is doing here. I can't
find a certificate for AAES anywhere, and certainly not in
/usr/lib/ssl/certs/.

> Server certificate
> -----BEGIN CERTIFICATE-----
> MIICujCCAiMCAQEwDQYJKoZIhvcNAQEEBQAwgbsxCzAJBgNVBAYTAkNBMQswCQYD

<snip>

> 4DHr8RxsPMpJktVBLB4HadC13ykLMVDMgJ88W39E
> -----END CERTIFICATE-----
> subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> Server/OU=Test SSL Certificate/CN=localhost
> issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> Division/CN=Advanced Extranet [EMAIL PROTECTED]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 856 bytes and written 320 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DES-CBC3-SHA
>     Session-ID:
> 6A6D0C3C40E1D4921514C5DB2EF475DD6454B84F7300980D53373906B3236C7C
> Session-ID-ctx:
>     Master-Key:
> 
>D467F520688186F34EF6984439B9FE3D01F2F23FEB6A4E721C2F33692CC39F864C2BA86C0AC5E0A343879B63ADB274E2
>     Key-Arg   : None
>     Start Time: 1004105856
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> +OK POP3 v2000.70mdk server ready <[EMAIL PROTECTED]>

So it appears to be finding the certificate, but doesn't seem to know
which CA authorised it.

When I try the Outlook setup, I get a message saying "The server you are
connected to is using a security certificate that does not match its
Internet address". When I googled for this message I found numerous people
saying that this is because the common name on the certificate does not
match the host name specified in the preferences - this is not the case
here, both of them are 'pop.commerce.uk.net'. If I hit "No" it gives me a
further error message "Error Number 0x800CCC1A".

I tried the same setup on Outlook Express for Macintosh, and this gives me
a message saying "Unable to establish a secure connection to localhost.
There is a problem with the security certificate from that server. Use
Internet Explorer to install the correct certificate. If you continue, the
information you view and send will not be secure." If I hit "Stop" it
gives me a further error message "The identity certificate has expired.
Error 3002".

On both Windows 2000 and MacOS 9.1, if I tell it to proceed anyway then it
correctly downloads e-mail over the secure connection. My problem is how
to get rid of these messages, and make Outlook correctly identify the POP
server.

I have tried importing the mail server certificate into Explorer on both
platforms (although I'm fairly sure you don't have to do this, and that it
is sent when the SSL connection is established). That didn't help.

I have also tried putting the CA certificate onto the server in
/usr/lib/ssl/certs/ - but that didn't help either, or change the message
I got above using s_client.

Does anyone have any suggestions of what I might be doing wrong? If it
helps then please feel free to connect to pop.commerce.uk.net:pop3s using
s_client.

Many Thanks,

Corin

/------------------------+-------------------------------------\
| Corin Hartland-Swann   |    Tel: +44 (0) 20 7491 2000        |
| Commerce Internet Ltd  |    Fax: +44 (0) 20 7491 2010        |
| 22 Cavendish Buildings | Mobile: +44 (0) 79 5854 0027        |
| Gilbert Street         |                                     |
| Mayfair                |    Web: http://www.commerce.uk.net/ |
| London W1K 5HJ         | E-Mail: [EMAIL PROTECTED]        |
\------------------------+-------------------------------------/
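An added check for the situation described in this post (example script, not part of the original message and not UW-IMAP or OpenSSL code): it reads openssl s_client output and tests whether the presented certificate's CN is the host the mail client connects to and whether its issuer is the CA created in step 1. The expected CA DN and the sample subjects below are constructed placeholders; it assumes the slash-separated DN format that s_client printed in the post (the newer "C = GB, ..." format is also handled).

```shell
#!/bin/sh
# Added example: verify that the certificate a pop3s server presents is the
# one we installed and not a stock default. Reads "openssl s_client" output
# from stdin and checks (a) that the subject CN equals the host name the
# mail client connects to and (b) that the issuer DN is our own CA.
# Live use (assumes openssl is installed; the CA DN is a placeholder):
#   openssl s_client -connect pop.commerce.uk.net:995 </dev/null 2>/dev/null \
#     | check_served_cert pop.commerce.uk.net '/C=GB/O=Commerce Internet Ltd/CN=Commerce CA'
# Exit status: 0 = matches, 1 = CN mismatch, 2 = unexpected issuer,
#              3 = no certificate subject found in the input.
check_served_cert() {
    expected_host=$1
    expected_issuer=$2
    output=$(cat)                      # buffer stdin so it can be scanned twice
    subject=$(printf '%s\n' "$output" | sed -n 's/^subject=//p' | head -n 1)
    issuer=$(printf '%s\n' "$output" | sed -n 's/^issuer=//p' | head -n 1)
    [ -n "$subject" ] || return 3
    # CN is the value after the last "CN=" (or "CN = "), up to the next '/' or ','.
    cn=$(printf '%s\n' "$subject" | sed -n 's#.*CN *= *\([^/,]*\).*#\1#p')
    if [ "$cn" != "$expected_host" ]; then
        echo "CN mismatch: server presents CN='$cn', expected '$expected_host'" >&2
        return 1
    fi
    if [ "$issuer" != "$expected_issuer" ]; then
        echo "unexpected issuer: '$issuer' (expected '$expected_issuer')" >&2
        return 2
    fi
    return 0
}

# Constructed sample modelled on the s_client output in the post: the server
# answers with a stock CN=localhost certificate from an unrelated CA.
SAMPLE_BAD='CONNECTED(00000003)
depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
verify error:num=21:unable to verify the first certificate
---
subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web Division/CN=Advanced Extranet Server
---
+OK POP3 v2000.70mdk server ready'

# Constructed sample of what a correctly installed pop-cert.pem would show.
SAMPLE_GOOD='subject=/C=GB/O=Commerce Internet Ltd/CN=pop.commerce.uk.net
issuer=/C=GB/O=Commerce Internet Ltd/CN=Commerce CA'
EXPECTED_CA='/C=GB/O=Commerce Internet Ltd/CN=Commerce CA'

# Demo: the bad sample must be rejected with status 1 (CN mismatch).
printf '%s\n' "$SAMPLE_BAD" | check_served_cert pop.commerce.uk.net "$EXPECTED_CA" \
    || echo "check exited with status $?"
```

A status of 1 against a live server means the daemon is serving some other certificate than the one placed in the certs directory, which is exactly what the CN=localhost subject in the s_client output above indicates.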

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
