When I upgraded my debian-based imap server from squeeze to wheezy yesterday, SSL stopped working.
I am using a http://cacert.org signed server sertificate, and I am reusing the certificates that were used on the 1.x dovecot of debian squeeze. My three MUAs that worked against the previous 1.x dovecot with the same certificate, now fails in various ways. Any hints and guesses as to how to debug this further will be highly appreciated. Even more appreciated will be a pin point of the issue. :-) Here are the error messages from the MUAs: - Opera 12.15 on Windows 7 just reports: "The connection with the IMAP server was unexpectedly interrupted." - Emacs24(w/linked-in gnutls)/Ma Gnus 0.8 (Gnus git HEAD) on Windows 7 says "imap.mydomain.com certificate could not be verified." - Emacs23/Ma Gnus 0.8 (also Gnus git HEAD) on debian testing (with Emacs23 gnutls-cli is run in a subprocess), says: "Opening connection to imap.mydomain.com via tls... Opening TLS connection to `imap.mydomain.com'... Opening TLS connection with `gnutls-cli --insecure -p 993 imap.mydomain.com'...done Opening TLS connection to `imap.mydomain.com'...done Unable to open server nnimap+privat due to: Process *nnimap* not running" When I try running gnutls-cli from the command line of the debian testing machine (the same gnutls-cli that is used by the emacs23/gnus combo), it seems to connect ok (the transcript of that session is below). The config for the SSL, from /etc/dovecot/conf.d/10-ssl.conf, is: # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert = </etc/ssl/certs/imap_mydomain_com.pem ssl_key = </etc/ssl/private/imap_mydomain_com.key The access privileges of the files, are: -rw-r--r-- 1 root root 2077 Mar 27 12:45 /etc/ssl/certs/imap_mydomain_com.pem -rw------- 1 root root 3243 Jul 12 2011 /etc/ssl/private/imap_mydomain_com.key What follows, is the transcript from the gnutls-cli session from a debian testing machine to the server (which seems to be working as far as I can tell...): sb@edwards:~$ gnutls-cli -p 993 rainey.mydomain.com WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory Resolving 'rainey.mydomain.com'... Connecting to '212.110.185.190:993'... - Ephemeral Diffie-Hellman parameters - Using prime: 1024 bits - Secret key: 1023 bits - Peer's public key: 1023 bits - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247' - The hostname in the certificate does NOT match 'rainey.mydomain.com' sb@edwards:~$ gnutls-cli -p 993 imap.mydomain.com WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory Resolving 'imap.mydomain.com'... Connecting to '212.110.185.190:993'... - Ephemeral Diffie-Hellman parameters - Using prime: 1024 bits - Secret key: 1022 bits - Peer's public key: 1021 bits - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247' - The hostname in the certificate matches 'imap.mydomain.com'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed - Simple Client Mode: * OK Waiting for authentication process to respond.. - Peer has closed the GnuTLS connection
