TLS: unable to get certificate ...

Goetz Babin-Ebell goetz at shomitefo.de
Fri Apr 11 16:13:01 EDT 2008



brian wrote:
| brian wrote:
|> cyrus-imapd-2.3.9-7.fc7
|> openssl-0.9.8b-15.fc7
|>
|> I'm trying (and failing) to set up TLS and hope someone might be able to
|> shed some light on my problem. Authentication failed so I checked
|> maillog and found:
|>
|> imap[30288]: TLS server engine: cannot load CA data
This            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|> imap[30288]: unable to get certificate from
|> '/etc/pki/tls/certs/imapcert.pem'
and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Is your first hint.

|> The file imapcert.pem is the self-signed cert created while following
|> Patrick Koetter's SMTP AUTH tutorial[1]. As it's easily readable (the
|> cert, though Patrick's tut has been terrifically helpful), I'm wondering
|> if I've made some blunder in creating it.
While you can use self-signed certs for server authentication,
generally speaking it is not a good thing to do.
It is better to create a CA certificate and sign your server certificate
with it.

Arg.
I wish people would stop using self signed certificates in their
tutorials.
Creating a CA and using it to sign the certificates is
just two or three steps more, and it gives people a hint about how
to set things up correctly...

| I've just noticed that i neglected to add the client part of the test. I
| repeated it and paste here:
|
| # openssl s_server -cert /etc/pki/tls/certs/imapcert.pem -key
| /etc/pki/tls/certs/imapkey.pem
|
| [from 2nd terminal]
| # sudo netstat -ntpl | grep :4433
| tcp  0  0  :::4433  :::*  LISTEN  7737/openssl
|
| # openssl s_client -connect localhost:4433 -CApath /etc/pki/CA -CAfile
| /etc/pki/CA/cacert.pem
While you can use self-signed certificates for server authentication,
you cannot use self-signed certificates for client authentication.
(Besides: you didn't tell the server to do client authentication...)
Additionally:
On your server you have a self-signed cert, and now you tell your
client to verify it against the CA certificates given here?

| [abbreviated output follows]
|
| CONNECTED(00000003)
| depth=1 /C=CA/ST=Ontario/O=zijn
| digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
| verify return:1
| depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn
| digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
| verify return:1
| ---
| Certificate chain
|   0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn
| digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
|     i:/C=CA/ST=Ontario/O=zijn
| digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
OK, this is NOT a self signed certificate.

| ---
| Server certificate
| -----BEGIN CERTIFICATE-----
| ...
| -----END CERTIFICATE-----
| subject=/C=CA/ST=Ontario/L=Stratford/O=zijn
| digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
| issuer=/C=CA/ST=Ontario/O=zijn
| digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
| ---
| No client certificate CA names sent
~  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You want to do client authentication, but you didn't tell
your server which CAs you accept for signing them?

It is obvious that you don't know what you are doing.
If you would tell us what you want to do,
we might be able to tell you what you should do.

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
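Goetz's recommendation, as an added example that is not part of the original thread: a shell script that builds a small private CA, signs a server certificate with it, and then uses `openssl verify` to show why a self-signed server certificate cannot be checked against a separate CA file the way brian's s_client invocation tried to. It assumes the openssl command-line tool is installed; "Example Root CA" and mail.example.org are constructed placeholder names.

```shell
# Added example (not from the thread). Assumes the openssl CLI is installed;
# "Example Root CA" and mail.example.org are constructed placeholder names.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Private openssl config, so nothing here depends on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:mail.example.org
EOF

# 1. CA key and self-signed CA certificate: the trust anchor is the one place
#    where a self-signed certificate belongs.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
  -keyout ca.key -out ca.crt -subj "/O=Example/CN=Example Root CA"

# 2. Server key and CSR, then sign the CSR with the CA (what the reply recommends).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout server.key -out server.csr -subj "/CN=mail.example.org"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -extfile ca.cnf -extensions v3_server -out server.crt

# 3. For contrast, a self-signed server certificate like the tutorial's imapcert.pem.
openssl req -x509 -config ca.cnf -extensions v3_server -newkey rsa:2048 -nodes \
  -days 2 -keyout selfsigned.key -out selfsigned.crt -subj "/CN=mail.example.org"

# verify_against_ca CERT CAFILE: prints OK when CERT chains to CAFILE, else FAIL.
verify_against_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# issuer_equals_subject CERT: the subject-vs-issuer comparison Goetz applied above.
issuer_equals_subject() {
  subj=$(openssl x509 -in "$1" -noout -subject); iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo ca-signed
}

verify_against_ca server.crt ca.crt              # OK
verify_against_ca selfsigned.crt ca.crt          # FAIL: no path from that CA to it
verify_against_ca selfsigned.crt selfsigned.crt  # OK only because it is its own anchor
# Client authentication additionally needs the server told which CA it accepts:
#   openssl s_server -cert server.crt -key server.key -CAfile ca.crt -Verify 1
```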


More information about the Info-cyrus mailing list