On 2023-12-27 21:00, Andrei Borzenkov wrote:
On 27.12.2023 22:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
Client that connects to dovecot does not like its certificate.
And Thunderbird cannot open some folders.
I have this in my notes from the previous time it happened (in July):
Regenerate certificates.

+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages" / "cer", authorize cert.
....................++-
"mkcert.sh" is the one from /usr/share/dovecot/, as well as "dovecot-openssl.cnf" (edited, of course).
The certificates are recent:
Telcontar:/etc/dovecot # ls -l /etc/ssl/private/dovecot.* /etc/dovecot/dh.pem
-rw-r--r-- 1 root root  769 Jul  2 15:01 /etc/dovecot/dh.pem
-rw------- 1 root root 1066 Jul  2 14:41 /etc/ssl/private/dovecot.crt
-rw------- 1 root root  912 Jul  2 14:41 /etc/ssl/private/dovecot.pem
Telcontar:/etc/dovecot #
So they can't be expired.
The dovecot config is correct, AFAICS:
Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
Telcontar:/etc/dovecot #
In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.
What can I do?
(Google is not helping)
Well, searching for "SSL alert number 42" or "SSL_accept() failed: error:14094412" brings some quite promising hits, including discussion of this exact problem on the dovecot list.
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that. Problem is, TB does not ask to create an exception. Currently, I have TB working by NOT using connection security.

Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names". Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:

Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).

I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about). If it is "/etc/dovecot/dh.pem", I have no idea at all.

Also, I have no idea how to extend the validity of the certificate to be "forever", not just two years.

[...]

Oh, yes, I do, but I forgot. I had edited mkcert.sh:

#$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
#	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
#CER 20230602
$OPENSSL req -new -x509 -nodes -days 3650 -config $OPENSSLCONFIG \
	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2

Seems I missed the second "365".

Ah, another post clarifies:

CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com

or

CN = www.example.com
SAN.1 = www.example.com
SAN.2 = example.com

Post <https://dovecot.org/list/dovecot/2022-September/125358.html> says:

+++·······················
cert had an invalid/incorrect hostname

fyi, https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
...
cert_override.txt
This is an optional file used to store a security exception. It appears to store the host name, thus preventing you from creating a security exception for a rotating SMTP server.
...
for ref, Firefox: How to audit & reset the list of trusted servers/CAs
https://access.redhat.com/solutions/1549043
·······················++-

Well, it is not true in my case, file "cert_override.txt" doesn't contain any reference to my computer, because it was deleted, as I said in my first post.

Ok, trying to create new certificates:

Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real    0m0.012s
user    0m0.012s
sys     0m0.000s
Telcontar:/etc/dovecot #

It doesn't like that "SAN" thing. Blocked again.

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN=telcontar.valinor
SAN=telcontar.valinor

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
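An added example for this thread (not Dovecot's mkcert.sh or dovecot-openssl.cnf, and not anything the posters ran): it shows where subjectAltName belongs in an openssl request config, in the x509 extension section rather than as a "SAN=" entry under the distinguished name, which is the placement that produces "invalid field name ... name=SAN". It assumes openssl on PATH, takes the hostname telcontar.valinor from the thread, and writes into a directory given as a parameter so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not Dovecot's mkcert.sh. Assumes openssl on PATH; the host
# name is the one from the thread and the output directory is a parameter.
set -e

# Write a minimal request config in the style of dovecot-openssl.cnf.
# The SAN lives in the extension section named by x509_extensions, not
# under [ req_dn ] (openssl rejects "SAN" as a distinguished-name field).
write_cnf() {
    host="$1"; cnf="$2"
    cat > "$cnf" <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
CN = $host

[ cert_type ]
nsCertType = server
subjectAltName = DNS:$host
EOF
}

# Create key + self-signed cert with a single -days option: when -days is
# given twice, openssl req keeps the last value, which is how 3650 became 365.
mkcert_san() {
    host="$1"; dir="$2"
    write_cnf "$host" "$dir/dovecot-openssl.cnf"
    openssl req -new -x509 -nodes -days 3650 \
        -config "$dir/dovecot-openssl.cnf" \
        -out "$dir/dovecot.crt" -keyout "$dir/dovecot.pem" 2>/dev/null
    chmod 0600 "$dir/dovecot.pem" "$dir/dovecot.crt"
}

# Check that the SAN actually made it into the certificate (what the client
# compares against the server name it connected to).
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: mkcert_san telcontar.valinor /tmp/dovecot-test &&
#        has_san /tmp/dovecot-test/dovecot.crt telcontar.valinor && echo ok
```

The generated dovecot.crt / dovecot.pem pair can then be dropped in where mkcert.sh would have written them, and the has_san check is the same thing a client does before trusting the name.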