From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/83144
Path: news.gmane.org!not-for-mail
From: Steinar Bang <sb@dod.no>
Newsgroups: gmane.emacs.gnus.general
Subject: SSL problems on dovecot 2.1.7
Date: Thu, 09 May 2013 11:53:44 +0200
Organization: Probably a good idea
Message-ID: <87txmceaxj.fsf@dod.no>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1368093369 3248 80.91.229.3 (9 May 2013 09:56:09 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 9 May 2013 09:56:09 +0000 (UTC)
To: ding@gnus.org
Original-X-From: ding-owner+M31410@lists.math.uh.edu Thu May 09 11:56:10 2013
Return-path: <ding-owner+M31410@lists.math.uh.edu>
Envelope-to: ding-account@gmane.org
Original-Received: from util0.math.uh.edu ([129.7.128.18])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <ding-owner+M31410@lists.math.uh.edu>)
	id 1UaNa3-00005l-OO
	for ding-account@gmane.org; Thu, 09 May 2013 11:56:08 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu)
	by util0.math.uh.edu with smtp (Exim 4.63)
	(envelope-from <ding-owner+M31410@lists.math.uh.edu>)
	id 1UaNY1-0003lV-Ov; Thu, 09 May 2013 04:54:01 -0500
Original-Received: from mx2.math.uh.edu ([129.7.128.33])
	by util0.math.uh.edu with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.63)
	(envelope-from <ding-account@m.gmane.org>)
	id 1UaNXz-0003lM-Ud
	for ding@lists.math.uh.edu; Thu, 09 May 2013 04:53:59 -0500
Original-Received: from quimby.gnus.org ([80.91.231.51])
	by mx2.math.uh.edu with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.76)
	(envelope-from <ding-account@m.gmane.org>)
	id 1UaNXx-0004tb-4y
	for ding@lists.math.uh.edu; Thu, 09 May 2013 04:53:59 -0500
Original-Received: from plane.gmane.org ([80.91.229.3])
	by quimby.gnus.org with esmtp (Exim 4.72)
	(envelope-from <ding-account@m.gmane.org>)
	id 1UaNXv-0001Xi-5m
	for ding@gnus.org; Thu, 09 May 2013 11:53:55 +0200
Original-Received: from list by plane.gmane.org with local (Exim 4.69)
	(envelope-from <ding-account@m.gmane.org>)
	id 1UaNXt-00066W-Ik
	for ding@gnus.org; Thu, 09 May 2013 11:53:53 +0200
Original-Received: from cm-84.208.246.141.getinternet.no ([84.208.246.141])
        by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <ding@gnus.org>; Thu, 09 May 2013 11:53:53 +0200
Original-Received: from sb by cm-84.208.246.141.getinternet.no with local (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <ding@gnus.org>; Thu, 09 May 2013 11:53:53 +0200
X-Injected-Via-Gmane: http://gmane.org/
Mail-Followup-To: ding@gnus.org
Original-Lines: 94
Original-X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: cm-84.208.246.141.getinternet.no
Mail-Copies-To: never
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.4 (gnu/linux)
Cancel-Lock: sha1:fWzmrXGfYJgdgs6fZwLlkVYr4Z4=
X-Spam-Score: -3.1 (---)
List-ID: <ding.gnus.org>
Precedence: bulk
Xref: news.gmane.org gmane.emacs.gnus.general:83144
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/83144>

When I upgraded my debian-based imap server from squeeze to wheezy
yesterday, SSL stopped working.

I am using a http://cacert.org signed server sertificate, and I am
reusing the certificates that were used on the 1.x dovecot of debian
squeeze.

My three MUAs that worked against the previous 1.x dovecot with the same
certificate, now fails in various ways.

Any hints and guesses as to how to debug this further will be highly
appreciated.  Even more appreciated will be a pin point of the issue. :-)

Here are the error messages from the MUAs:
 - Emacs24(w/linked-in gnutls)/Ma Gnus 0.8 (Gnus git HEAD) on Windows 7 says
   "imap.mydomain.com certificate could not be verified."
 - Emacs23/Ma Gnus 0.8 (also Gnus git HEAD) on debian testing (with
   Emacs23 gnutls-cli is run in a subprocess), says:
   "Opening connection to imap.mydomain.com via tls...
    Opening TLS connection to `imap.mydomain.com'...
    Opening TLS connection with `gnutls-cli --insecure -p 993 imap.mydomain.com'...done
   Opening TLS connection to `imap.mydomain.com'...done
   Unable to open server nnimap+privat due to: Process *nnimap* not running"
 - Opera 12.15 (to see if this was Gnus related only) on Windows 7 just reports:
   "The connection with the IMAP server was unexpectedly interrupted."

When I try running gnutls-cli from the command line of the debian
testing machine (the same gnutls-cli that is used by the emacs23/gnus
combo), it seems to connect ok (the transcript of that session is
below).

The config for the SSL, from /etc/dovecot/conf.d/10-ssl.conf, is:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/imap_mydomain_com.pem
ssl_key = </etc/ssl/private/imap_mydomain_com.key


The access privileges of the files, are:
-rw-r--r-- 1 root root 2077 Mar 27 12:45 /etc/ssl/certs/imap_mydomain_com.pem
-rw------- 1 root root 3243 Jul 12  2011 /etc/ssl/private/imap_mydomain_com.key


What follows, is the transcript from the gnutls-cli session from a
debian testing machine to the server (which seems to be working as far
as I can tell...):

sb@edwards:~$ gnutls-cli -p 993 rainey.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'rainey.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1023 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate does NOT match 'rainey.mydomain.com'
sb@edwards:~$ gnutls-cli -p 993 imap.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'imap.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1021 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate matches 'imap.mydomain.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

* OK Waiting for authentication process to respond..
- Peer has closed the GnuTLS connection