Join the revolution - StartCom Linux  

Official StartCom Public User Forum

 Post subject: [solved]Thunderbird 3.1.2 ca untrusted?
PostPosted: Thu Sep 16, 2010 8:58 pm 
Joined: Thu Sep 16, 2010 8:50 pm
Posts: 6
Hello,
I've created a certificate (startssl) for my mailserver.
I installed it on courier-imap on OpenSuSE 11.2.

When I try to connect over SSL with Microsoft Outlook it is working but
when I try to connect with Thunderbird I should install my certificate.

Error message:
Code:
could not verify this certificate for unknown reasons.

Any ideas?

OK now I solved it!!!
Here is the solution:

Code:
cat mykey.key mycert.crt sub.class1.server.crt dh.1024 >> all.crt
TLS_CERTFILE=all.crt


That's all folks!


Regards,
xabbu


Last edited by xabbu on Mon Oct 11, 2010 8:27 pm, edited 1 time in total.
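
Added example, not part of the original post: the chain problem discussed in this thread, reproduced offline with a constructed root, intermediate and server certificate. It models a client that trusts only the root CA and shows that verification fails when the server presents the leaf alone and succeeds once the intermediate follows it in the presented file. All subject names and file names are made up for the demo; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. The PKI below is constructed for the demo; names are made up.
set -e
cd "$(mktemp -d)"

# Minimal OpenSSL config: one extension section for CAs, one for servers.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
[server]
basicConstraints = CA:FALSE
EOF

# issue NAME CN EXT_SECTION SIGNER SERIAL: new key + certificate signed by SIGNER
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" -config pki.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
        -set_serial "$5" -days 2 -extfile pki.cnf -extensions "$3" \
        -out "$1.crt" 2>/dev/null
}

# Root (self-signed) -> intermediate -> mail server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Constructed Root CA" -days 2 -config pki.cnf \
    -extensions ca 2>/dev/null
issue inter "Constructed Intermediate CA" ca root 2
issue mail "mail.example.test" server inter 3

# Two candidate certificate files for the server to present.
cat mail.crt > leaf_only.pem              # intermediate missing
cat mail.crt inter.crt > full_chain.pem   # leaf first, then its issuer

# client_accepts FILE: verify the first certificate in FILE, using the rest
# of FILE as untrusted helpers and only the root as trust anchor.
client_accepts() {
    openssl verify -CAfile root.crt -untrusted "$1" "$1" 2>&1 | grep -q ': OK$'
}

for sent in leaf_only.pem full_chain.pem; do
    if client_accepts "$sent"; then
        echo "$sent: chain verifies"
    else
        echo "$sent: cannot build a chain to the trusted root"
    fi
done
```
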

 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Fri Sep 17, 2010 5:47 pm 
Joined: Fri Sep 17, 2010 5:40 pm
Posts: 2
Hi,

I have the same problem in Thunderbird 3.1.3 OSX.

I guess it's because Thunderbird doesn't come with the correct CA, which is a shame. Is there anything we can do to fix this, without manually adding the CA in Thunderbird?

Thanks.


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Fri Sep 17, 2010 6:44 pm 
Joined: Fri Sep 17, 2010 5:40 pm
Posts: 2
It seems I solved my problem by adding the correct ca file in the config.

In my case, dovecot:

ssl_ca_file = /path/to/sub.class2.server.ca.pem

Regards


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Fri Sep 17, 2010 7:19 pm 
Joined: Thu Sep 16, 2010 8:50 pm
Posts: 6
Hmm, this doesn't work for me.
I'm using courier-imap.

Here is my imapd-ssl configuration:

Code:
SSLPORT=993
SSLADDRESS=-MYSERVERIP-
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
COURIERTLS=/usr/sbin/couriertls
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH"
TLS_CIPHER_LIST="HIGH:MEDIUM"
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
TLS_TRUSTCERTS=/etc/courier/ca-bundle.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir


I tried also the following TLS_TRUSTCERTS:

Code:
#TLS_TRUSTCERTS=/etc/ssl/cert.pem
TLS_TRUSTCERTS=/etc/courier/ca-bundle.pem
TLS_TRUSTCERTS=/etc/courier/sub.class2.client.ca.pem
TLS_TRUSTCERTS=/etc/courier/ca.pem
TLS_TRUSTCERTS=/etc/courier/sub.class1.server.ca.pem


I'm wondering why MS Outlook works without any warnings...

I tested it with:

Code:
openssl s_client -connect mail.mindorf-online.de:993 -CAfile ca-bundle.crt


And the answer looks good:

Code:
otherland:/etc/courier # openssl s_client -connect mail.mindorf-online.de:993 -CAfile ca-bundle.crt
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 /description=258305-Q3Ms1OmnG0yalL3v/C=DE/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=mail.mindorf-online.de/emailAddress=postmaster@mindorf-online.de
verify return:1
---
Certificate chain
0 s:/description=258305-Q3Ms1OmnG0yalL3v/C=DE/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=mail.mindorf-online.de/emailAddress=postmaster@mindorf-online.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
...
subject=/description=258305-Q3Ms1OmnG0yalL3v/C=DE/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=mail.mindorf-online.de/emailAddress=postmaster@mindorf-online.de
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5457 bytes and written 465 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1C93E88E1DB0AAE7B1A2827825D3D642230BC43A37C0A7411FC61A055368D398
    Session-ID-ctx:
    Master-Key: B4132C62B38600D761A29072C1CAFA4DB1A57573EFB2A58C9F7BBD5ED263548E085F5CFA4954774B09687188324F361E
    Key-Arg   : None
    Start Time: 1284740162
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution information.


I don't understand why Thunderbird will not accept the certificate.
Firefox will do it if I use the certificate in my apache webserver...

Can someone help?

Best regards,
xabbu


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Fri Sep 17, 2010 10:31 pm 
Joined: Mon Oct 04, 2004 11:41 am
Posts: 712
Location: Israel
I just checked your server and the certificate is installed correctly for IMAP. But I suspect that the problem is with the SMTP server instead. It doesn't send the complete CA chain unlike your IMAP server. The error you are seeing originates there.


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Sat Sep 18, 2010 10:00 pm 
Joined: Thu Sep 16, 2010 8:50 pm
Posts: 6
Hmm strange,

because I see in my logs:

Code:
Sep 18 13:25:24 otherland imapd-ssl: couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


So it is not the smtpd but this I'll check also.

Does someone have another idea?

Regards,
Soeren


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Sat Sep 18, 2010 11:56 pm 
Joined: Mon Oct 04, 2004 11:41 am
Posts: 712
Location: Israel
What log is that? Of your IMAP server?


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Sun Sep 19, 2010 7:59 am 
Joined: Thu Sep 16, 2010 8:50 pm
Posts: 6
Yes. It's /var/log/mail


 Post subject: Re: Thunderbird 3.1.2 ca untrusted?
PostPosted: Tue Oct 05, 2010 10:39 pm 
Joined: Mon Oct 04, 2004 11:41 am
Posts: 712
Location: Israel
Not sure if this is for incoming or outgoing...but probably the Courier manual could tell you more about it.



All times are UTC + 2 hours [ DST ]