On 08.07.2017 at 23:10, Heiko Schlittermann wrote:
Andreas Oster <aos...@novanetwork.de> (Fri 07 Jul 2017 08:15:05 CEST):
Hi all,

I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks ago
I had to replace our dovecot certificate due to expiration. In the past I
did use a self-signed certificate, but because we now have a little openssl
based CA I have decided to create a signed certificate for imaps. Dovecot is
happily accepting the new certificate, which includes the whole
cert chain. Unfortunately, Pigeonhole does not seem to like the certificate:

As it seems, Pigeonhole sends you the full cert chain:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
  - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
- Certificate[2] info:
  - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer

The last one being the CA used.

SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed

For me it reads as if your client (gnutls-cli) does not trust
the chain your server sent. (The server doesn't care about the chain).

I have checked the certificate with:

openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK

How do you know that gnutls-cli uses the same CA file? Try passing the
CA file to gnutls-cli?

The --x509cafile seems to be hardcoded in 
/usr/lib/x86_64-linux-gnu/libgnutls.so.30 (Debian9, amd64)

$ strings /usr/lib/x86_64-linux-gnu/libgnutls.so.30 | grep '/etc/ssl'
/etc/ssl/certs/ca-certificates.crt

So, on my system gnutls-cli seems to use the same CA store
(/etc/ssl/certs) as openssl.

     Best regards from Dresden/Germany
     Kind regards from Dresden
     Heiko Schlittermann
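The exchange above turns on one detail that is easy to miss: `openssl verify -CAfile /etc/ssl/certs/ca-chain.cert.pem leaf.pem` verifies against the chain file you hand it, not against the system store that gnutls-cli (or any other client) consults, so an "OK" there says nothing about whether that store contains your root. The script below is an added example, not code from the thread or from Dovecot/Pigeonhole: it builds a throwaway root -> intermediate -> leaf chain with openssl and runs the same `openssl verify` against different trust stores, reproducing both the "OK" seen above and the "issuer unknown" failure the client reported. It assumes a POSIX sh and an openssl binary (1.1.0 or newer) on PATH; all names (Example Root CA, mail.example.test, the file names) are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with openssl and show how the trust store handed to the verifier decides
# between "OK" and "unable to get local issuer certificate". Assumes POSIX sh and
# openssl >= 1.1.0 on PATH; every name below is made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Generate: root CA, an unrelated second root, an intermediate signed by the root,
# and a server leaf signed by the intermediate. ca-chain.pem holds intermediate + root,
# laid out like the thread's /etc/ssl/certs/ca-chain.cert.pem.
make_chain() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/other-root.key" -out "$WORK/other-root.pem" -subj "/CN=Some Other Root CA" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 2 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/ca-chain.pem"
}

# verify_against STORE [UNTRUSTED]
# Verify leaf.pem with STORE (a file in $WORK) as the only trust anchors. UNTRUSTED,
# if given, is passed with -untrusted: that is the role the certificates a server
# sends in the handshake play on the client side. Prints OK or FAIL.
verify_against() {
  cafile="$WORK/$1"
  untrusted="${2:-}"
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$WORK/$untrusted" "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -CAfile "$cafile" "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

make_chain
# 1. The thread's check: the chain file itself is the trust store, so the
#    intermediate is an anchor and the leaf verifies.
echo "store=ca-chain.pem (thread's check):               $(verify_against ca-chain.pem)"
# 2. Only the root is trusted and nobody supplies the intermediate: fails.
echo "store=root.pem, no intermediate supplied:          $(verify_against root.pem)"
# 3. Only the root is trusted, intermediate arrives as untrusted (server sent it): OK.
echo "store=root.pem, intermediate as untrusted:         $(verify_against root.pem inter.pem)"
# 4. Server sends leaf + intermediate + root, but the client's store holds a
#    different root: the self-signed root in the untrusted set does not count,
#    which is the "issuer is unknown" verdict from the gnutls-cli output above.
echo "store=other-root.pem, full chain as untrusted:     $(verify_against other-root.pem ca-chain.pem)"
```

Case 4 is the one to compare with the gnutls-cli output: sending the root in the chain never makes a client trust it, so the check that actually matches the client's view is `openssl verify -CApath /etc/ssl/certs leaf.pem` (the system store), or `gnutls-cli --x509cafile /path/to/root.pem -p 993 mail.novanetwork.local` with the root explicitly supplied, as suggested above.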

Hi all,

in a posting on the dovecot user list Stephan Bosch pointed out that there is already a fix:

https://github.com/dovecot/pigeonhole/commit/c80aa7c25b0b4e61bb8e3a91864a355f7f2fa89f

This small change also resolved my sieve login issue.

best regards
Andreas
