As can be seen from your post, the certificate being sent does NOT have
pop.commerce.uk.net as the common name (CN) of the Subject: the CN is
'localhost'.

It appears to be some kind of canned test certificate and private key, but
I'm not familiar enough with UW-IMAP to know if it comes with such a beast.
Maybe you concatenated the wrong files?

======================
Greg Stark
[EMAIL PROTECTED]
======================


----- Original Message -----
From: "Corin Hartland-Swann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, October 26, 2001 11:00 AM
Subject: Problems with pop3s on Outlook Express


>
> Hi there,
>
> I have been trying to set up pop3s access using UW-IMAP. I am using
> Mandrake Linux 8.1, with UW-IMAP and OpenSSL installed as RPMs, so I don't
> think that there are any compilation problems.
>
> I hope that it is acceptable to post this to both the OpenSSL and the
> UW-IMAP mailing lists, as I'm not sure where the problem lies. I have
> already searched the archives for both lists to no avail.
>
> I have followed instructions from various sources and done the following:
>
> 1) Created a new CA, and exported the certificate as DER:
>
> # openssl req -new -x509 -config openssl.conf -keyout private/ca-key.pem \
>               -out certs/ca-cert.pem -days 365
>
> # openssl x509 -in certs/ca-cert.pem -out certs/ca-cert.der -outform der
>
> 2) Imported the CA certificate into Explorer on Windows 2000, checked that
> it is listed and that the SHA1 thumbprint matches, and that it is enabled
> for Secure E-Mail.
>
> 3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
> that it is listed. In this case, even after several attempts, the
> "fingerprint" listed by Explorer does not match any of the MD2, MD5, SHA1
> or MDC2 fingerprints. I don't understand this, but am fairly sure that
> no-one is intercepting and replacing the key in transit. Explorer
> produces the same fingerprint each time, so it doesn't look like it has
> been corrupted either. Eventually I decided to just add the certificate
> and see what happened.
>
> 4) Set up Outlook Express on both Windows 2000 and MacOS 9.1 to use
> pop.commerce.uk.net, and configured it to use SSL on port 995.
>
> 5) Created a new key, and signed it with the CA with the common name
> 'pop.commerce.uk.net':
>
> # openssl req -new -nodes -config openssl.conf -days 365 -keyout \
>               pop-key.pem -out pop-req.pem
> # openssl ca  -config openssl.conf -policy policy_anything -in pop-req.pem \
>               -out pop-cert.pem
>
> 6) Concatenated pop-key.pem and pop-cert.pem into ipop3sd.pem (removing
> the text version), placing them on the POP server in /usr/lib/ssl/certs/,
> and created a link to it with the name of the hash:
>
> # cd /usr/lib/ssl/certs/
> # ln -s ipop3sd.pem `openssl x509 -noout -hash < ipop3sd.pem `.0
> # ls -l
> lrwxrwxrwx    1 root     root           11 Oct 26 13:27 a37eafc7.0 -> ipop3sd.pem
> -rw-------    1 root     root         2376 Oct 26 02:01 ipop3sd.pem
>
> 7) Tested the setup with (long response indented):
>
> # openssl s_client -connect pop.commerce.uk.net:pop3s
> > CONNECTED(00000003)
> > depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
> >    i:/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> > Division/CN=Advanced Extranet [EMAIL PROTECTED]
>
> The Apache binary I'm using is from an RPM based on the Apache Advanced
> Extranet Server project - I'm not sure what this is doing here. I can't
> find a certificate for AAES anywhere, and certainly not in
> /usr/lib/ssl/certs/
>
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > MIICujCCAiMCAQEwDQYJKoZIhvcNAQEEBQAwgbsxCzAJBgNVBAYTAkNBMQswCQYD
>
> <snip>
>
> > 4DHr8RxsPMpJktVBLB4HadC13ykLMVDMgJ88W39E
> > -----END CERTIFICATE-----
> > subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
> > Server/OU=Test SSL Certificate/CN=localhost
> > issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
> > Division/CN=Advanced Extranet [EMAIL PROTECTED]
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 856 bytes and written 320 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> > Server public key is 1024 bit
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DES-CBC3-SHA
> >     Session-ID:
> > 6A6D0C3C40E1D4921514C5DB2EF475DD6454B84F7300980D53373906B3236C7C
> > Session-ID-ctx:
> >     Master-Key: D467F520688186F34EF6984439B9FE3D01F2F23FEB6A4E721C2F33692CC39F864C2BA86C0AC5E0A343879B63ADB274E2
> >     Key-Arg   : None
> >     Start Time: 1004105856
> >     Timeout   : 300 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> > ---
> > +OK POP3 v2000.70mdk server ready <[EMAIL PROTECTED]>
>
> So it appears to be finding the certificate, but doesn't seem to know
> which CA authorised it.
>
> When I try the Outlook setup, I get a message saying "The server you are
> connected to is using a security certificate that does not match its
> Internet address". When I googled for this message I found numerous people
> saying that this is because the common name on the certificate does not
> match the host name specified in the preferences - this is not the case
> here, both of them are 'pop.commerce.uk.net'. If I hit "No" it gives me a
> further error message "Error Number 0x800CCC1A".
>
> I tried the same setup on Outlook Express for Macintosh, and this gives me
> a message saying "Unable to establish a secure connection to localhost.
> There is a problem with the security certificate from that server. Use
> Internet Explorer to install the correct certificate. If you continue, the
> information you view and send will not be secure." If I hit "Stop" it
> gives me a further error message "The identity certificate has expired.
> Error 3002".
>
> On both Windows 2000 and MacOS 9.1, if I tell it to proceed anyway then it
> correctly downloads e-mail over the secure connection. My problem is how
> to get rid of these messages, and make Outlook correctly identify the POP
> server.
>
> I have tried importing the mail server certificate into Explorer on both
> platforms (although I'm fairly sure you don't have to do this, and that it
> is sent when the SSL connection is established). That didn't help.
>
> I have also tried putting the CA certificate onto the server in
> /usr/lib/ssl/certs/ - but that didn't help either, or change the message
> I got above using s_client.
>
> Does anyone have any suggestions of what I might be doing wrong? If it
> helps then please feel free to connect to pop.commerce.uk.net:pop3s using
> s_client.
>
> Many Thanks,
>
> Corin
>
> /------------------------+-------------------------------------\
> | Corin Hartland-Swann   |    Tel: +44 (0) 20 7491 2000        |
> | Commerce Internet Ltd  |    Fax: +44 (0) 20 7491 2010        |
> | 22 Cavendish Buildings | Mobile: +44 (0) 79 5854 0027        |
> | Gilbert Street         |                                     |
> | Mayfair                |    Web: http://www.commerce.uk.net/ |
> | London W1K 5HJ         | E-Mail: [EMAIL PROTECTED]        |
> \------------------------+-------------------------------------/
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>
