On 10/09/2013 10:55 PM, Reindl Harald wrote:


Am 09.10.2013 21:45, schrieb Eliezer Croitoru:
On 10/09/2013 10:31 PM, Reindl Harald wrote:


Am 09.10.2013 21:27, schrieb Eliezer Croitoru:
On 09/13/2013 02:59 PM, Dan Langille wrote:

*** /var/log/maillog ***
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed:
where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth
attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197,
TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
How about trying to use a username to identify the user??
it is very clear that there is nothing that the client tries to do...

it is much more clear that there is no username if the client
refuses the SSL handshake because it does not like the cert
or the offered ssl-ciphers

user=<> is pretty normal in a lot of cases

* ssl cert not accepted and not allowed by the user in case of untrusted
* no cipher the client accepts
* no auth-mech the client accepts offered by the server

so how do *you* imagine to see a username in the log?

I expect that StartSSL will put up good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..

not their job and not part of the problem

* your client accepts a certificate
* your client does not accept your certificate

in case it does not *you* as enduser have to accept/import the servers cert

http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
http://www.startssl.com/?app=25#31

if someone does not know what an "intermediate CA" is he needs to RTFM or *read* the messages of his client or buy certificates accepted by all major clients

but that all has less to do with your blunt "it is very clear that there is nothing that the client tries to do" showing that you have zero experience of how a client handshake works -> it does not send usernames or even passwords until it is satisfied with the negotiation of auth-mechs and ssl-handshake

I would try to use StartSSL with squid and I will see if the docs on squid ssl-bump explain the subject in a way I can understand. As Dan explained, his major problem is with a specific encryption cipher of a very specific size.. I would imagine that a 4k-bit certificate handshake and validation can take more than 1 sec..
Am I right about it?

Thanks,
Eliezer
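The point made above, that user=<> with "TLS handshaking: Disconnected" means the client never got past the TLS negotiation and so could not have sent a username, is something you can check mechanically in the maillog rather than by eye. The following is an added example and is not code from the thread or from the Dovecot project: it parses imap-login "Disconnected" and "SSL failed" lines in the format quoted earlier, separates handshake failures from sessions that connected but never authenticated and from real authentication failures, and tallies them per client IP so that a cert/cipher problem on one client stands out from a password-guessing client. The first two log lines are the ones quoted in the thread (re-joined onto single lines); the 192.0.2.x lines are constructed for contrast, and the field layout of those constructed lines is an assumption about how Dovecot logs an authenticated attempt.

```python
import re
from collections import Counter, defaultdict

# Lines 1 and 2 are the ones quoted in the thread, re-joined onto single lines
# (the list archive wrapped them).  Lines 3 and 4 are constructed (192.0.2.x
# addresses, made-up session ids) to show the other two categories.
SAMPLE_LOG = """\
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
Sep 13 11:51:02 imaps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=199.233.228.197, TLS, session=<constructed01>
Sep 13 11:51:30 imaps dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=192.0.2.11, lip=199.233.228.197, TLS, session=<constructed02>
"""

# "Mon DD HH:MM:SS host dovecot: imap-login: Disconnected (reason): k=<v>, k=<v>, TLS..., session=<id>"
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: imap-login: "
    r"Disconnected(?: \((?P<reason>[^)]*)\))?: (?P<fields>.*)$"
)
# "... imap-login: Warning: SSL failed: <openssl detail> [client-ip]"
SSL_WARNING_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: imap-login: "
    r"Warning: SSL failed: (?P<detail>.*) \[(?P<rip>[0-9a-fA-F.:]+)\]$"
)


def parse_disconnect(line):
    """Return a dict for an imap-login 'Disconnected' line, or None for anything else."""
    m = DISCONNECT_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "reason": m.group("reason") or "", "tls": None}
    for field in m.group("fields").split(", "):
        if field.startswith("TLS"):
            # Free-form TLS state: "TLS", "TLS handshaking", "TLS handshaking: Disconnected", ...
            rec["tls"] = field
        elif "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value.strip("<>")   # user=<bob> -> "bob", user=<> -> ""
    return rec


def classify(rec):
    """Name the reason a session ended, in the order the thread argues it should be read."""
    if rec["tls"] is not None and rec["tls"].startswith("TLS handshaking"):
        # Never got past the TLS negotiation (cert not accepted, no common cipher, ...):
        # no username can exist here, so user=<> is expected, not suspicious.
        return "tls_handshake_failure"
    if rec.get("user", "") == "":
        # TLS (or plaintext) session came up, but the client sent no credentials at all.
        return "no_auth_attempt"
    if "auth failed" in rec["reason"]:
        # Credentials were sent and rejected: this is the line a brute-force detector wants.
        return "auth_failure"
    return "other"


def summarize(log_text):
    """Per-client-IP counts by category, with the OpenSSL warnings correlated by IP."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        w = SSL_WARNING_RE.match(line)
        if w:
            counts[w.group("rip")]["ssl_warning"] += 1
            continue
        rec = parse_disconnect(line)
        if rec:
            counts[rec.get("rip", "?")][classify(rec)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, c in summarize(SAMPLE_LOG).items():
        print(ip, c)
```

Run against a real maillog the same way (read the file instead of SAMPLE_LOG): an IP whose entries are all ssl_warning plus tls_handshake_failure is a client that does not trust the certificate or shares no cipher with the server, which is a configuration problem to fix on one side or the other, while an IP accumulating auth_failure entries is the one worth rate-limiting.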
