sslcacertfile troubleshooting :)

SamLT sam at sltosis.org
Wed Jan 18 11:00:32 GMT 2012


On Wed, Jan 18, 2012 at 08:13:49AM +0200, Daniel Shahaf wrote:
> SamLT wrote on Tue, Jan 17, 2012 at 22:41:22 +0100:
> > 2) Even though I generate the sslcacertfile as described in the FAQ[1],
> > I still got the warning(and thus no sync) for an other IMAP server, what
> > can be wrong? What information do you need to help me with this one?
> > 
> 
> Try something such as the following, to check the cert file:
> 
>     % openssl s_client -CAfile $sslcacertfile -connect ${hostname}:imaps 2>&1 </dev/null | grep -i verify
>     verify return:1
>     verify return:1
>     verify return:1
>         Verify return code: 0 (ok)
>   % 
> 

Thanks for your answer, 

Here is the full output with the domain changed (I know there's nothing
private here, and the domain can be extracted from the certificate, but
it just felt weird sending it in clear text :S )

| $ openssl s_client -CAfile slt/conf/certs/mail.mydomain.eu.cert -connect mail.mydomain.eu:imaps 2>&1 </dev/null

| depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
| verify return:1
| depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
| verify return:1
| depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = PositiveSSL CA
| verify return:1
| depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.mydomain.eu
| verify return:1
| CONNECTED(00000006)
| ---
| Certificate chain
|  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.mydomain.eu
|    i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
|  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
|    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
|  2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
|    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
| ---
| Server certificate
| -----BEGIN CERTIFICATE-----
| MIIFKTCCBBGgAwIBAgIRAPcbUa73q7/31WFec3ixseMwDQYJKoZIhvcNAQEFBQAw
| cTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
| A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ29tb2RvIENBIExpbWl0ZWQxFzAVBgNV
| BAMTDlBvc2l0aXZlU1NMIENBMB4XDTExMTEyMDAwMDAwMFoXDTEyMTIxNDIzNTk1
| OVowVTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQL
| EwtQb3NpdGl2ZVNTTDEaMBgGA1UEAxMRbWFpbC5pbnRlbHVuaXguZnIwggEiMA0G
| CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdS2TjsD2CL9FmhWO59GS1zq/mbw5T
| W34Sg5iEqk1C/KRjvXXL+gZTltmH9Qw2xIYLJaJwLv94HHiiugsLhLyD7zhWRVG9
| 26xwACABzMEZ5UjoD+8j0czuoibWT90mIjl2ViKntsH/xpI3gACFO0z2mG9Sbhpa
| lonkPAujsPIFaL50FSHD9Fj7glHuaxlr0pFGMDnfUijUzvplo+z/CAwxhMvAGfc+
| 1gAG/cEosqxd9WQgt6RhOGCbu69sxwqyF4bLaiB7gK5t8tk+n1LxPNTZUf/ZgGGD
| 9gpB5o3F/ZVOmaeoGcCU/o1RCGiD6YjRP7GYhLtiJV0LuSeDvnDvqKV7AgMBAAGj
| ggHWMIIB0jAfBgNVHSMEGDAWgBS4yhHpBjF528OUxugZKry7NRYxpDAdBgNVHQ4E
| FgQUdnEtu7FjiUu//8Q1A2ThIIGAfw4wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
| /wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0w
| OwYLKwYBBAGyMQECAgcwLDAqBggrBgEFBQcCARYeaHR0cDovL3d3dy5wb3NpdGl2
| ZXNzbC5jb20vQ1BTMGkGA1UdHwRiMGAwL6AtoCuGKWh0dHA6Ly9jcmwuY29tb2Rv
| Y2EuY29tL1Bvc2l0aXZlU1NMQ0EuY3JsMC2gK6AphidodHRwOi8vY3JsLmNvbW9k
| by5uZXQvUG9zaXRpdmVTU0xDQS5jcmwwawYIKwYBBQUHAQEEXzBdMDUGCCsGAQUF
| BzAChilodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9Qb3NpdGl2ZVNTTENBLmNydDAk
| BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDMGA1UdEQQsMCqC
| EW1haWwuaW50ZWx1bml4LmZyghV3d3cubWFpbC5pbnRlbHVuaXguZnIwDQYJKoZI
| hvcNAQEFBQADggEBAJi694JSFG5IyTVRpYJF+a9+0rY2ErVJxKtcCQfDszbHZw2R
| yoE4mWGTPxkxBaTM/ugyJqo+jzZtseqlaVEwYqwfv7Z/3qTFH0Nz2EvDynZg7eyb
| Qszh69vC3SOs+Z4W0FW+rlFPgKY2hqPzjGpISjyuHkHy3sue5ewMmRFibQ98iFbt
| BRg+ol4M3gwlQQmT13HBFL+4BqC7tl+0S59Zz38GNO2B2pAfBUl+CzH+y1ie8pMu
| 8RopHggZ8xKNN+uxrDuiYUbl1al1JNqIsMnX8hLovxjq8DBoGhkSSMuORFogf9Qu
| OdNxWFuH010nibQyxhs7dijDzDMq1eEjCK+LZAw=
| -----END CERTIFICATE-----
| subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.mydomain.eu
| issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
| ---
| No client certificate CA names sent
| ---
| SSL handshake has read 3974 bytes and written 495 bytes
| ---
| New, TLSv1/SSLv3, Cipher is AES256-SHA
| Server public key is 2048 bit
| Secure Renegotiation IS NOT supported
| Compression: zlib compression
| Expansion: zlib compression
| SSL-Session:
|     Protocol  : SSLv3
|     Cipher    : AES256-SHA
|     Session-ID: AF89B46785C1047A9156D55F982EEA29698933D5B8BDA3BEED7168A6DAB56C0C
|     Session-ID-ctx: 
|     Master-Key: 0F92CD5AFC672FAB6FC2A29E2972A8252DFF8C1C99DB0AB88508F048C00D5053F6D98C59CB6DA1BF619D6844837223D2
|     Key-Arg   : None
|     PSK identity: None
|     PSK identity hint: None
|     Compression: 1 (zlib compression)
|     Start Time: 1326882886
|     Timeout   : 7200 (sec)
|     Verify return code: 0 (ok)
| ---
| DONE

The last line seems to indicate it's ok, but it's not:

| gnutls-cli --x509cafile slt/conf/certs/mail.mydomain.eu.cert -p 993 mail.mydomain.eu
| Processed 3 CA certificate(s).
| Resolving 'mail.mydomain.eu'...
| Connecting to '56.159.87.64:993'...
| *** Verifying server certificate failed...
| *** Fatal error: Error in the certificate.
| *** Handshake has failed
| GnuTLS error: Error in the certificate

I have to add the --insecure option to connect successfully.

This makes it seem clear that the certificate is faulty, but these are
chained certificates, so how do I know which one is wrong? And why is it
wrong? (none of them are expired).

Ok, this doesn't really belong on the offlineimap ML anymore, but that kind
of information may be useful to others, so feel free to point me in the
right direction.

As a side note, the documentation could suggest using gnutls instead of
openssl to generate the sslcacertfile, since 1) s_client doesn't support
IPv6, 2) gnutls is more fashionable?! (and 3) the one-liner is somewhat
simpler)
| gnutls-cli --print-cert -p imaps ${host} </dev/null | sed -n \
|     '/^-----BEGIN CERT/,/^-----END CERT/p' > $sslcacertfile


> (If you post the output, post the full output, without 'grep' filtering)
> 
> If the server uses STARTTLS, pass the -starttls option and the 'imap' port.
> 
> > 
> > Thanks for bringing back OLI development back to life:)
> > 
> > [1] ->
> > http://docs.offlineimap.org/en/latest/FAQ.html#how-do-i-generate-an-sslcacertfile-file
> > 
> > _______________________________________________
> > OfflineIMAP-project mailing list
> > OfflineIMAP-project at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project
> > 
> > OfflineIMAP homepage: http://software.complete.org/offlineimap
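Added example (not from this thread or the OfflineIMAP project): a POSIX shell script for answering the "which certificate in the file is the problem" question above. It splits an sslcacertfile into its individual certificates, prints each one's subject, issuer and validity dates, checks that the issuer of each certificate matches the subject of the next one, reports whether the bundle ends in a self-signed root, and finally runs `openssl verify` on the first certificate using only the bundle as trust store. The script, its function names and its status words are mine; the issuer/subject link check is a plain string comparison of distinguished names, which is an approximation of the key-identifier matching real validators do. The empty `-CApath` is meant to keep openssl from also consulting the system trust store, which is an assumption about the openssl build in use (compare results with and without it).

```shell
#!/bin/sh
# inspect_sslcacertfile.sh  (constructed example, not part of OfflineIMAP)
#
# Usage: sh inspect_sslcacertfile.sh /path/to/sslcacertfile
#
# Splits a PEM bundle into its certificates, prints subject / issuer /
# validity of each, checks the issuer->subject links between consecutive
# certificates, reports whether a self-signed root is present and whether
# the first (leaf) certificate verifies against the bundle alone.

# split_pem BUNDLE OUTDIR: writes OUTDIR/cert-00.pem, cert-01.pem, ...
# in file order and prints the number of certificates found.
split_pem() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n - 1) }
        f != "" { print > f }
        /^-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# cert_dn FILE subject|issuer: prints just the DN, without the "subject=" label
cert_dn() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# chain_status BUNDLE: per-certificate details go to stderr, one status
# word goes to stdout:
#   empty            no certificate found in the file
#   expired N        certificate N is past its notAfter date
#   broken-link N    certificate N is not (by DN) issued by certificate N+1
#   ok-no-root       links are consistent, but the last certificate is not self-signed
#   ok-with-root     links are consistent and the last certificate is self-signed
chain_status() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    count=$(split_pem "$bundle" "$tmp")
    status=""
    i=0
    while [ "$i" -lt "$count" ]; do
        f=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
        subj=$(cert_dn "$f" subject)
        iss=$(cert_dn "$f" issuer)
        printf 'cert %d\n  subject: %s\n  issuer:  %s\n  %s\n' "$i" "$subj" "$iss" \
            "$(openssl x509 -in "$f" -noout -dates | tr '\n' ' ')" >&2
        # -checkend 0 exits non-zero when the certificate has already expired
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            [ -n "$status" ] || status="expired $i"
        fi
        next=$((i + 1))
        if [ "$next" -lt "$count" ]; then
            nf=$(printf '%s/cert-%02d.pem' "$tmp" "$next")
            if [ "$iss" != "$(cert_dn "$nf" subject)" ]; then
                [ -n "$status" ] || status="broken-link $i"
            fi
        elif [ "$subj" = "$iss" ]; then
            [ -n "$status" ] || status="ok-with-root"
        else
            [ -n "$status" ] || status="ok-no-root"
        fi
        i=$next
    done
    rm -rf "$tmp"
    echo "${status:-empty}"
}

# verify_leaf BUNDLE: prints "verify ok" or "verify failed" for the first
# certificate in the bundle, trusting only what is in the bundle. The empty
# -CApath is an assumption: it is meant to stop openssl from also loading
# the system trust store, so the result reflects the file alone.
verify_leaf() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/empty"
    split_pem "$1" "$tmp" >/dev/null
    if [ -f "$tmp/cert-00.pem" ] && \
       openssl verify -CAfile "$1" -CApath "$tmp/empty" "$tmp/cert-00.pem" >/dev/null 2>&1; then
        result="verify ok"
    else
        result="verify failed"
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Run on the file given on the command line (nothing happens without one).
if [ "$#" -gt 0 ]; then
    chain_status "$1"
    verify_leaf "$1"
fi
```

A bundle that holds the server's chain but no self-signed root reports `ok-no-root`; whether a client then accepts it depends on whether that client also consults a system trust store, which is one difference worth checking between two tools that disagree about the same file. An `expired N` or `broken-link N` points at the certificate number to look at first.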