Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2011-01-04 Thread sergio

On 12/31/2010 02:36 PM, Ricardo Mones wrote:

> Why is it strange? You don't have the client certificate installed under
> ~/.claws-mail/certs for your server so it has to download it and ask
> you for verification. If it's correct you should accept it. Did you?

I have /etc/ssl/certs/cacert.org.pem, with which my server certificate
is signed. What verification are you talking about? All programs must
trust certificates signed with a CA in /etc/ssl/certs/ without any questions.


--
sergio.



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2010-12-31 Thread Ricardo Mones
On Fri, 31 Dec 2010 05:40:31 +0300
sergio mail...@sergio.spb.ru wrote:

> On 12/31/2010 03:18 AM, Ricardo Mones wrote:
>
>> That seems fine, and is the default configuration, but you referred
>> to a Debian CAcert root certificate, which is not among these (there's
>> a debconf one and a SPI one, but no certificate called Debian exists).
>
> Sorry, I haven't understood. I'm talking about CAcert. It is a free
> certificate authority, and their root certificate comes in o
> ca-certificates. And I have my server, with a certificate signed by CAcert.
>
> % openssl x509 -text -in /etc/ssl/certs/cacert.org.pem
> ...
>   Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
>   Validity
>     Not Before: Mar 30 12:29:49 2003 GMT
>     Not After : Mar 29 12:29:49 2033 GMT
>   Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
> ...

Right, but that's not Debian CAcert, which was my point and the bit
which was misleading me.

> I'm absolutely sure that this is a claws-mail bug, because all other
> programs work well (mutt, icedove, iceweasel, psi, gajim, gaim and
> many others). If ca-certificates is not installed, all these programs
> (except mozilla) show an SSL warning. If ca-certificates is installed,
> all these programs trust my server.

There are probably a lot of users (me among them) who use claws-mail with
SSL every day, so I'm also absolutely sure claws-mail has no bug here, but
it's a problem with your configuration or your expectations :)

>> In any case, once you're sure the certificate is correctly installed
>> and trusted, please launch claws-mail --debug > debug.log 2>&1...
>
> I don't think that the whole log is interesting.

Of course, but I don't know you, so I don't know if you can separate the
interesting parts from the uninteresting ones. Glad to know you can.

> I've substituted the path to home and my imap server with $HOME and $SERVER.
> Folder $HOME/.claws-mail/certs doesn't exist.

This is where client certificates are stored.

> ...
> [05:04:22] IMAP4 1 STARTTLS
> [05:04:22] IMAP4 1 OK Begin TLS negotiation now
> imap-thread.c:1174:imap starttls run - end 0
> imap-thread.c:403:generic_cb
> imap-thread.c:1217:imap starttls - end
> ssl_certificate.c:433:didn't get $HOME/.claws-mail/certs/$SERVER.143.cert
> ssl_certificate.c:571:got 142 certs in ca_list! 0xff8890ac
> ssl_certificate.c:571:got 142 certs in ca_list! 0xff888edc
> ...
>
> I've just reread the warning that claws shows, it's strange:

Why is it strange? You don't have the client certificate installed under
~/.claws-mail/certs for your server so it has to download it and ask
you for verification. If it's correct you should accept it. Did you?

> Unknown SSL Certificate
> Certificate for equator.ru.net is unknown.
> Do you want to accept it?
> Signature status: Correct
> View certificate
>   Owner
>     Name: equator.ru.net
>     Organization: not in certificate
>     Location: not in certificate
>
>   Signer
>     Name: CA Cert Signing Authority
>     Organization: Root CA
>     Location: not in certificate
>
>   Status
>     Fingerprint: MD5: md5hash
>                  SHA1: sha1hash
>     Signature Status: Correct
>     Expires on: 11/03/18(Fri) 20:59
>
> --
> sergio.

  regards,
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Abandon the search for Truth; settle for a good fantasy.»




Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2010-12-30 Thread Ricardo Mones
tags 608344 moreinfo
thanks

On Thu, 30 Dec 2010 04:52:00 +0300
sergio mail...@sergio.spb.ru wrote:

> Package: claws-mail
> Version: 3.7.8-1
> Severity: normal
>
> Debian has CAcert root certificate. But claws-mail doesn't look for
> certificates in /etc/ssl/certs and

Your diagnostic is not correct, as you can verify by reading the source code
in file src/common/ssl.c -- The functions claws_ssl_get_cert_file and
claws_ssl_get_cert_dir do include that directory and its corresponding
certificate file in the search.

> I can't securely connect to server with CAcert-signed certificate.

Right, that's the problem, but that's not much info to solve it, so let's
start with the basics. Please reply to this mail and paste the output of the
following two commands:

  $ dpkg -l ca-certificates
  $ ls -l /etc/ssl/certs/ca-certificates.crt
  
  regards,
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «It usually takes more than three weeks to prepare a good impromptu 
 speech. -- Mark Twain»




Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2010-12-30 Thread sergio



> $ dpkg -l ca-certificates

| grep ca-certificates
ii  ca-certificate 20090814+nmu2  Common CA certificates

> $ ls -l /etc/ssl/certs/ca-certificates.crt

-rw-r--r-- 1 root root 217K Oct 19 10:14 /etc/ssl/certs/ca-certificates.crt

--
sergio.






Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2010-12-30 Thread Ricardo Mones
On Thu, 30 Dec 2010 17:48:20 +0300
sergio mail...@sergio.spb.ru wrote:

 
> $ dpkg -l ca-certificates
> | grep ca-certificates
> ii  ca-certificate 20090814+nmu2  Common CA certificates
> $ ls -l /etc/ssl/certs/ca-certificates.crt
> -rw-r--r-- 1 root root 217K Oct 19 10:14 /etc/ssl/certs/ca-certificates.crt

That seems fine, and is the default configuration, but you referred to a
Debian CAcert root certificate, which is not among these (there's a
debconf one and a SPI one, but no certificate called Debian exists).

So either that's not the right name and you meant some other in the
ca-certificates package (which one?) or you tried to install that new
certificate without luck. If it's the second case you should read
/usr/share/doc/ca-certificates/README.Debian for how to do it and have it
installed and trusted before continuing.

In any case, once you're sure the certificate is correctly installed and
trusted, please launch claws-mail --debug > debug.log 2>&1 in a terminal
and try to connect to the server which is failing. Attach back the
generated debug.log file. Also feel free to manually replace actual names
or logins you don't want to be published with other meaningful but fake
tokens before sending it.

  regards,
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Too much is just enough. -- Mark Twain, on whiskey»
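
The check the messages above keep returning to is whether the server certificate chains to a CA present in the bundle. The sketch below is an added example, not part of the thread and not claws-mail code: it builds two throwaway CAs and one server certificate, then runs `openssl verify` against each bundle. The names `bundled-ca`, `other-ca`, `imap.example.test` and all helper functions are hypothetical, and it assumes the stock openssl.cnf, which marks `req -x509` output as a CA.

```shell
#!/bin/sh
# Constructed demo: every key and certificate here is generated on the fly.

# chain_status BUNDLE CERT -> prints "trusted" if CERT chains to a CA in BUNDLE
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_ca DIR NAME -> writes DIR/NAME.key and a self-signed DIR/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA HOST -> writes DIR/HOST.pem, signed by DIR/CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo -> prints the verdict with the issuing CA in the bundle, then without it
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" bundled-ca && make_ca "$d" other-ca &&
    make_leaf "$d" bundled-ca imap.example.test || { rm -rf "$d"; return 1; }
    cp "$d/bundled-ca.pem" "$d/bundle.crt"   # stand-in for ca-certificates.crt
    with_ca=$(chain_status "$d/bundle.crt" "$d/imap.example.test.pem")
    without_ca=$(chain_status "$d/other-ca.pem" "$d/imap.example.test.pem")
    rm -rf "$d"
    echo "$with_ca $without_ca"
}
```

On a real system the same `chain_status` call takes /etc/ssl/certs/ca-certificates.crt as the bundle and a saved copy of the server certificate as the second argument.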




Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2010-12-30 Thread sergio

On 12/31/2010 03:18 AM, Ricardo Mones wrote:

> That seems fine, and is the default configuration, but you referred to a
> Debian CAcert root certificate, which is not among these (there's a
> debconf one and a SPI one, but no certificate called Debian exists).

Sorry, I haven't understood. I'm talking about CAcert. It is a free
certificate authority, and their root certificate comes in o
ca-certificates. And I have my server, with a certificate signed by CAcert.

% openssl x509 -text -in /etc/ssl/certs/cacert.org.pem
...
  Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
  Validity
    Not Before: Mar 30 12:29:49 2003 GMT
    Not After : Mar 29 12:29:49 2033 GMT
  Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
...

I'm absolutely sure that this is a claws-mail bug, because all other
programs work well (mutt, icedove, iceweasel, psi, gajim, gaim and
many others). If ca-certificates is not installed, all these programs
(except mozilla) show an SSL warning. If ca-certificates is installed,
all these programs trust my server.

> In any case, once you're sure the certificate is correctly installed and
> trusted, please launch claws-mail --debug > debug.log 2>&1...

I don't think that the whole log is interesting.
I've substituted the path to home and my imap server with $HOME and $SERVER.
Folder $HOME/.claws-mail/certs doesn't exist.

...
[05:04:22] IMAP4 1 STARTTLS
[05:04:22] IMAP4 1 OK Begin TLS negotiation now
imap-thread.c:1174:imap starttls run - end 0
imap-thread.c:403:generic_cb
imap-thread.c:1217:imap starttls - end
ssl_certificate.c:433:didn't get $HOME/.claws-mail/certs/$SERVER.143.cert
ssl_certificate.c:571:got 142 certs in ca_list! 0xff8890ac
ssl_certificate.c:571:got 142 certs in ca_list! 0xff888edc
...

I've just reread the warning that claws shows, it's strange:

Unknown SSL Certificate
Certificate for equator.ru.net is unknown.
Do you want to accept it?
Signature status: Correct
View certificate
  Owner
    Name: equator.ru.net
    Organization: not in certificate
    Location: not in certificate

  Signer
    Name: CA Cert Signing Authority
    Organization: Root CA
    Location: not in certificate

  Status
    Fingerprint: MD5: md5hash
                 SHA1: sha1hash
    Signature Status: Correct
    Expires on: 11/03/18(Fri) 20:59

--
sergio.






Bug#608344: claws-mail should look into /etc/ssl/certs to find certificate.

2010-12-29 Thread sergio
Package: claws-mail
Version: 3.7.8-1
Severity: normal

Debian has CAcert root certificate. But claws-mail doesn't look for certificates
in /etc/ssl/certs and I can't securely connect to server with CAcert-signed
certificate.

-- System Information:
Debian Release: 6.0
  APT prefers squeeze
  APT policy: (500, 'squeeze'), (500, 'unstable'), (200, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


