On Wednesday, 2023-12-27 at 20:12 +0100, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
There is something I didn't realize in the message above:

user=<>, rip=192.168.2.19, lip=192.168.1.14

192.168.1.14 is this machine, telcontar. Now, 192.168.2.19? That's my DHCP range, it is actually my laptop machine, which has configured Telcontar as an account it can access.

So, the log entries pertain to another machine, another Thunderbird!

If in the laptop I disable the connection security (set to none), then the laptop Thunderbird complains that Telcontar:imap doesn't support this authentication setting (none). THAT is the reason I need a certificate for dovecot in a LAN with a faked domain.

The log entry appears instantly in Telcontar when I try to read an email from the laptop. But the stupid Thunderbird doesn't ask about setting an exception or anything! :-/

Maybe I could set the exception manually in cert_override.txt, but the file says:

# PSM Certificate Override Settings file
# This is a generated file! Do not edit.
...
nimrodel.valinor:993: OID.2.16.840.1.101.3.4.2.1 E3:15:18:84:2E:F0:04:BE:29:E2:EC:13:E6:AD:F7:31:C5:4F:59:F1:D6:E8:EB:67:ED:DD:D6:E6:2D:3C:2E:1E

Besides the "do not edit" notice, I have no idea about how to find out what to write there, besides the host and port.

[...]

Found something, but it is not that simple...

<https://udn.realityripple.com/docs/Archive/Misc_top_level/Cert_override.txt>

<https://groups.google.com/g/mozilla.dev.security/c/wTUr2YNgzyQ>

and

<https://github.com/Osmose/firefox-cert-override>

Another idea would be to create my own certificate authority first, then the certificates. No idea how to go about that.

But it seems that there are many people with this problem. Even FF/TB devs.

-- 
Cheers,
Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
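
Added example, not part of the original message: a small parser for dovecot login lines of the shape quoted above. It pulls out the client (rip) and server (lip) addresses and the TLS alert number, and flags entries where the client refused the server's certificate. The function names are hypothetical, and every sample line other than the one from the message is constructed.

```python
import re
from collections import Counter

# TLS alert numbers that concern the peer's certificate (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Matches dovecot login-process lines in the shape quoted in the message above.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) dovecot .*?"
    r"(?P<service>[\w-]+-login): .*?SSL_accept\(\) failed: "
    r"error:[0-9A-Fa-f]+:SSL routines:(?P<func>\w+):(?P<reason>[^:]+): "
    r"SSL alert number (?P<alert>\d+).*?"
    r"rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)")

def parse_line(line):
    """Return a dict for a TLS handshake failure line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["alert"] = int(rec["alert"])
    rec["alert_name"] = CERT_ALERTS.get(rec["alert"], "other")
    # ssl3_read_bytes reports an alert that was read from the peer: the client
    # at rip sent it, so the client is the side that refused the certificate.
    rec["client_rejected_cert"] = (rec["func"] == "ssl3_read_bytes"
                                   and rec["alert"] in CERT_ALERTS)
    return rec

def rejecting_clients(lines):
    """Count certificate rejections per client address (rip)."""
    recs = filter(None, map(parse_line, lines))
    return Counter(r["rip"] for r in recs if r["client_rejected_cert"])

# PAGE_LINE is the log entry from the message; the other two are constructed.
PAGE_LINE = (
    "<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: "
    "Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL "
    "routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 "
    "(no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, "
    "TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:"
    "ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, "
    "session=<7qHpP4INzunAqAIT>")
SAMPLE = [
    PAGE_LINE,
    PAGE_LINE.replace("19:48:49", "19:50:02"),  # constructed repeat, same client
    "<2.6> 2023-12-27T19:51:10.000000+01:00 Telcontar dovecot - - - imap-login: "
    "Login: user=<test>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured",
]
```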