On 27.12.2023 22:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
Client that connects to dovecot does not like its certificate.
And Thunderbird can not open some folders.
I have this in my notes from the previous time it happened (in July):
Regenerate certificates.
+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages / "cer", authorize cert.
....................++-
"mkcert.sh" is the one from /usr/share/dovecot/, as well as "dovecot-openssl.cnf" (edited, of course).
The certificates are recent:
Telcontar:/etc/dovecot # ls -l /etc/ssl/private/dovecot.* /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Jul 2 15:01 /etc/dovecot/dh.pem
-rw------- 1 root root 1066 Jul 2 14:41 /etc/ssl/private/dovecot.crt
-rw------- 1 root root 912 Jul 2 14:41 /etc/ssl/private/dovecot.pem
Telcontar:/etc/dovecot #
So they can't be expired.
The dovecot config is correct, AFAICS:
Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
Telcontar:/etc/dovecot #
In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.
What can I do?
(Google is not helping)
Well, searching for "SSL alert number 42" or "SSL_accept() failed: error:14094412" brings some quite promising hits, including discussion of this exact problem on the dovecot list.
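
An added example, not part of either message in this thread: a Python sketch that decodes the OpenSSL error code and alert number in the dovecot log lines above and reports, per client address, which side sent the alert. It assumes the OpenSSL 1.1.x packed error layout (lib, func, reason); the function names are hypothetical.

```python
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 5246 / RFC 8446).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(
    r"imap-login: .*?SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"[^:]*:(?P<func>[^:]*):.*?SSL alert number (?P<alert>\d+)"
    r".*?rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)")

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return alert details for a dovecot TLS failure line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m["code"])
    alert = int(m["alert"])
    # In the SSL library (lib 20), reason 1000 + N means alert N was
    # received from the peer, i.e. sent by the connecting client.
    received = lib == 20 and reason == 1000 + alert
    return {"rip": m["rip"], "lip": m["lip"], "alert": alert,
            "name": TLS_ALERTS.get(alert, "other"),
            "sent_by": "client" if received else "unknown"}

def summarise(lines):
    """Count failures per (client address, alert name, sender)."""
    hits = filter(None, map(classify, lines))
    return Counter((h["rip"], h["name"], h["sent_by"]) for h in hits)

SAMPLE = [
    # First log line from the post, with its repeated tail trimmed.
    "<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: "
    "Disconnected: Connection closed: SSL_accept() failed: error:14094412:"
    "SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 "
    "(no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14",
    # Constructed line without a TLS failure, to show it is skipped.
    "<2.6> 2023-12-27T19:50:00.000000+01:00 Telcontar dovecot - - - imap-login: "
    "Login: user=<example>, rip=192.168.2.19, lip=192.168.1.14",
]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).items():
        print(n, *key)
```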