TLS: unable to get certificate ...

Goetz Babin-Ebell goetz at shomitefo.de
Sat Apr 12 09:11:23 EDT 2008


brian schrieb:
| Goetz Babin-Ebell wrote:
|> brian schrieb:
|> | brian wrote:

|> |> I'm trying (and failing) to set up TLS and hope someone might be able to
|> |> shed some light on my problem. Authentication failed so I checked
|> |> maillog and found:
|> |>
|> |> imap[30288]: TLS server engine: cannot load CA data
|> This            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Looking in the last source I have here (2.3.8), I'm definitely not
happy about the code that generates that message:
* If you don't do SSL client authentication, this message
  is only confusing noise.
* If you do SSL client authentication, this message is not an
  info but an error and should be logged as one.
I opened a ticket and sent a patch in 2005.
Unfortunately it wasn't accepted (at least the last time I checked...)

|> |> imap[30288]: unable to get certificate from
|> |> '/etc/pki/tls/certs/imapcert.pem'
|> and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|> Is your first hint.
|
| Yes, it was the first thing I noticed too. However, the fact that that
| file was easily readable confused me as to what the problem actually
| was. I thought that perhaps the file, while readable, contained garbage.

There is a big difference between CA certificates and
end entity (server) certificates.
Here cyrus tried to load a CA certificate,
but imapcert.pem contains only the server certificate.

OK, I was wrong:
these two error lines are unrelated.
The second failing because the first failed may be a result
of cyrus not clearing the OpenSSL error stack between
the two lines.

Any developer listening ?
calling ERR_clear_error(); on entering set_cert_stuff() (tls.c)
should fix this...
(If you're building cyrus from source,
  you could insert that line and try again)

|> I wish people would stop using self signed certificates in their
|> tutorials.
|> Creating a CA and using it to sign the certificates are
|> just two to three steps more and it gives people a hint how
|> to set up things correctly...
|
| Maybe I've got the terminology wrong then. By "self-signed" I mean that
| I did create my own CA, then created and signed a cert with that.
|
|    # CA_nodes -newca
|    # CA_nodes -newreq
|    # CA_nodes -sign

A self signed certificate is a certificate that is signed by the
same key that is in the certificate.

What you have created is a normal certificate that
was signed by a local CA.

| I'm not aware of any other kind of "self-signed" certificate. I thought
| it was either signed by Thawte, etc. or by one's own CA.

... or signed by the same key that is in the certificate
  (signed by itself)

|> | [abbreviated output follows]
|> |
|> | CONNECTED(00000003)
|> | depth=1 /C=CA/ST=Ontario/O=zijn
|> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
|> | verify return:1
|> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn
|> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
|> | verify return:1
|> | ---
|> | Certificate chain
|> |   0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn
|> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
|> |     i:/C=CA/ST=Ontario/O=zijn
|> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
|> OK, this is NOT a self signed certificate.
|>
| What tells you that?

In a self signed certificate issuer and subject name are identical.

|> It is obvious that you don't know what you are doing.
|
| Sure, that's why I've emailed this list looking for help. While I seem
| to have fixed the problem (see below) there are aspects of this that are
| more than a little bit hazy. I'd like to understand this a lot better.
|
|> If you would tell us what you want to do,
|> we might be able to tell you what you should do.
|>
|
| OK, I'll start again from the beginning: I wish to incorporate TLS
| support into Postfix/Cyrus-IMAP. I don't feel that a signed cert from
| Thawte, etc. is necessary, as I'm not expecting to have any strangers
| with accounts on this machine. Thus, I followed Patrick's tutorial in
| which he explains how to create one's own CA and use that to sign a
| certificate.

If you have configured CA certificates in cyrus you might drop
them and try again.
The loading of the server cert seemed to fail because just
before it the loading of the CA data failed.
(seems to be a bug in cyrus)

| I was under the impression that *that* was a self-signed certificate.
Nope.
It is a certificate signed by a local CA.

| The only thing I wanted to do with s_server was see if it would complain
| about imapcert.pem being unusable because the msg in maillog led me to
| believe that that was the problem.
|
| This seems to have been resolved by copying cacert.pem to a directory
| readable by the mail group. Apparently, imapcert.pem is, in fact, ok.
At least that seems to be the case.

BTW:

If you have your server certificate directly signed by your
root (CA) certificate and you do not want to use client authentication,
you can configure cyrus imapd to not use any CA certificates at all:

The client needs to know the root certificate anyway to determine if
it may trust it, so you gain nothing by transmitting it in the SSL handshake...


Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many

