Cyrus 2.2.12 / TLS problems (SSL working) / Thunderbird - kontact

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I've got since 1 or 2 month problems with TLS connection to my cyrus
server in IMAP. I will try to explain the configuration and the problem.

First of all, here is my cyrus.conf and imapd.conf :

/ETC/CYRUS.CONF :

START {
  recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap          cmd="imapd -p 2 -s -U 1 -T 60" listen="143" prefork=8
  imaps         cmd="imapd -p 2 -s -U 1 -T 60" listen="993" prefork=1
  cyradm        cmd="imapd -p 0 -U 1 -T 60" listen="8143" prefork=1
  sieve         cmd="timsieved" listen="127.0.0.1:2000" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}

EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="ctl_deliver -E 3" period=1440
  tlsprune      cmd="tls_prune" period=1440
}

/ETC/IMAPD.CONF

configdirectory:        /var/imap
partition-default:      /var/spool/imap
sievedir:               /var/imap/sieve

tls_ca_file:            /etc/ssl/certs/XXXX.pem
tls_cert_file:          /etc/cyrus/imap.crt
tls_key_file:           /etc/cyrus/imap.key

admins:                 cyrus@xxxxxxxx
hashimapspool:          yes
allowanonymouslogin:    no
allowplaintext:         yes
allowusermoves:         no
sieveusehomedir:        no
defaultdomain:          XXXX.loc
virtdomains:            yes
sasl_pwcheck_method:    saslauthd
sasl_mech_list:         PLAIN LOGIN
sasl_minimum_layer:     0

As you can see, I have a little CA, so I put the CA root certificate,
and the imap.crt is signed by XXXX.pem.

The server run a Gentoo 2006.0 installation with the following version
of cyrus-imapd and openssl :

[ebuild   R   ] net-mail/cyrus-imapd-2.2.12
[ebuild   R   ] dev-libs/openssl-0.9.7i  

Here is the result of the imtest in TLS (-s on the port 143) :

imtest -p 143 -s -a XXXX@xxxxxxxx 127.0.0.1
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMO
RE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE LOGIN
S: + VXNlcm5hbWU6
Please enter your password:
C: b3ViYUBvdWJhLm9yZw==
S: + UGFzc3dvcmQ6
C: bGdXM2l2e1s=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.

With the log :

==> notice.log <==
Jul  5 14:01:07 smtp imap[27666]: starttls: TLSv1 with cipher AES256-SHA
(256/256 bits new) no authentication
Jul  5 14:01:10 smtp imap[27666]: login: localhost [127.0.0.1]
XXXX@xxxxxxxx LOGIN+TLS User logged in

And also the result of the imtest in SSL (-s on the port 993) :

imtest -p 993 -s -a XXXX@xxxxxxxx 127.0.0.1
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMO
RE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE LOGIN
S: + VXNlcm5hbWU6
Please enter your password:
C: b3ViYUBvdWJhLm9yZw==
S: + UGFzc3dvcmQ6
C: bGdXM2l2e1s=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
. LOGOUT
* BYE LOGOUT received
. OK Completed
Connection closed.

With the log :

==> notice.log <==
Jul  5 14:02:08 smtp imap[27665]: starttls: TLSv1 with cipher AES256-SHA
(256/256 bits new) no authentication
Jul  5 14:02:11 smtp imap[27665]: login: localhost [127.0.0.1]
XXXX@xxxxxxxx LOGIN+TLS User logged in

The same thing with the s_client of openssl :


penssl s_client -host 127.0.0.1 -port 143 -tls1
CONNECTED(00000003)
depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0
s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
 1 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
<...snip...>
-----END CERTIFICATE-----
subject=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
issuer=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 2058 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
CA9CCA52A78CCF48A2947BC93ADCCA46D886F571E6349AED3BBE5A49ABD1BC73
    Session-ID-ctx:
    Master-Key:
EEF680291C80759D9C511FD0EA081E9F198157113BC1FF845B262B7F4CBE97E6D985671CC32F9D2DF1D106A125DE4FBB
    Key-Arg   : None
    Start Time: 1152101081
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
. LOGOUT
* BYE LOGOUT received
. OK Completed
read:errno=0

And in SSL :

openssl s_client -host 127.0.0.1 -port 993 -ssl3
CONNECTED(00000003)
depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0
s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
 1 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
<...snip...>
-----END CERTIFICATE-----
subject=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
issuer=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
C.A./emailAddress=XXXX@xxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID:
DF383DECC1677110482A1FEA576EB9D52EBE1E2124DD5C871C1B192F7B6FE000
    Session-ID-ctx:
    Master-Key:
9C92EA25D229A8847795511A83D3790E6CDDC8E7AA4B97A9DF964D4DDA054104CD93E1C852F7D0B848B3CE647F177CAA
    Key-Arg   : None
    Start Time: 1152101127
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
. LOGOUT
* BYE LOGOUT received
. OK Completed
read:errno=0

With the two lines of log (I didn't authenticate mysel) :

Jul  5 14:04:41 smtp imap[27742]: starttls: TLSv1 with cipher AES256-SHA
(256/256 bits new) no authentication
Jul  5 14:05:27 smtp imaps[28081]: starttls: SSLv3 with cipher
AES256-SHA (256/256 bits new) no authentication


So, it seems eveything works fine, now try to connect with thunderbird
with a fresh new profile :

If I choose SSL onto port 993 :

Jul  5 14:09:03 smtp imaps[28175]: starttls: TLSv1 with cipher
AES256-SHA (256/256 bits new) no authentication
Jul  5 14:09:09 smtp imaps[28175]: login:
4be54-5-82-244-105-30.fbx.proxad.net [82.244.105.30] XXXX@xxxxxxxx
plain+TLS User logged in

But if I switch to TLS on port 143, after a while (about 2 or 3 minutes) :

==> err.log <==
Jul  5 14:11:05 smtp imap[27757]: Fatal error: tls_start_servertls() failed
 
==> notice.log <==
Jul  5 14:11:05 smtp imap[27757]: imaps TLS negotiation failed:
4be54-5-82-244-105-30.fbx.proxad.net [82.244.105.30]

If I do a SSLDUMP session in TLS on port 143, I only got :

ssldump \( port 993 or port 143 \) and host www.ouba.org
New TCP connection #1: XXXX.XXXX.XXX(35964) <-> smtp.ouba.org(143)

It seems to not even try to negotiate something

But in SSL on port 993 :

ssldump \( port 993 or port 143 \) and host XXX.XXXX.XXX
New TCP connection #1: XXXX.XXXX.XXX(32799) <-> XXXX.XXXX.XXX(993)
1 1  0.0555 (0.0555)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_RC2
  SSL2_CK_3DES
  SSL2_CK_DES
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  Unknown value 0x33
  Unknown value 0x32
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  Unknown value 0x2f
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2  0.1763 (0.1208)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          58 5d aa 2a 1a dd 12 9d 98 d6 be e0 56 8b 75 a3
          95 70 c3 8b 96 7b 90 de 9c 5c 75 68 f1 ef 6d d2
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.1813 (0.0049)  S>C  Handshake
      Certificate
1 4  0.1813 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  4.1021 (3.9208)  C>S  Handshake
      ClientKeyExchange
1 6  4.1021 (0.0000)  C>S  ChangeCipherSpec
1 7  4.1021 (0.0000)  C>S  Handshake
1 8  4.1753 (0.0731)  S>C  ChangeCipherSpec
1 9  4.1753 (0.0000)  S>C  Handshake
1 10 4.2324 (0.0571)  S>C  application_data
1 11 4.2360 (0.0036)  C>S  application_data
1 12 4.2965 (0.0604)  S>C  application_data

Do you think the problems come from Thunderbird or from Cyrus.
Thunderbird use to works well in TLS, I've got the same problem with
Kontact. I don't try with another client, if I have the time, I wil
l have a test with Outlook Express, Outlook and Opera.

Thanks for you help if possible.

Best regards

Denis Sacchet

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux