On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
> On 10/10/2013 06:09, Eliezer Croitoru wrote:
>
>> I would imaging that 4k bits certificate handshake and validation can
>> take more then 1 sec..
>> Am I right about it?
>
> hardly
>
> and the size is not his problem.
>
> he was given a test account on my network when I last saw this thread (few
> weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
I would like to investigate that more if you like. Others have experienced
problem connected to my test server. I can't believe I've created a
non-functional Dovecot configuration.
One avenue I will purse: if I swap from 4096 to 2048, why does it work?
Here is a connection with a 4096 cert:
$ openssl s_ s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel
Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 2 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 2 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
---
Here is it with a 2048 cert:
$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel
Langille/CN=test1.langille.org/emailAddress=postmas...@langille.org
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 2 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 2 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Certification Authority
The only thing I change in the configuration is:
# MY KEYS
#ssl_cert = </usr/local/etc/ssl/dovecot.pem
#ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
# My 2048 key
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
Current configuration is:
# doveconf -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
args = scheme=SHA512-CRYPT /var/db/dovecot.users
driver = passwd-file
}
protocols = imap
service imap-login {
inet_listener imap {
address = 199.233.228.197
}
inet_listener imaps {
address = 199.233.228.197
}
}
ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
userdb {
args = /var/db/dovecot.users
driver = passwd-file
}
verbose_proctitle = yes
--
Dan Langille - http://langille.org
