http://www.ritlabs.com New posts in SSL with SMTP/IMAP not working of forum at www.ritlabs.com [www.ritlabs.com] en http://backend.userland.com/rss2 Tue, 26 Oct 2004 18:19:46 +0300 SSL with SMTP/IMAP not working in forum The Bat! - Configuring the E-mail Client.
found it!

you MUST NOT use any subject alternate names!
and some mail clients accept the domain name only as CN.  RFC 2487 gives the advice to only use the domain name and not the FQDN as CN.  this is wrong for TB.  use the FQDN!

don't ask me why...

-closed-


26 October 2004 18:19:46, Ruppert von Teutul.]]> http://www.ritlabs.com/en/forums/forum4/topic382/message1479/ http://www.ritlabs.com/en/forums/forum4/topic382/message1479/ Tue, 26 Oct 2004 18:19:46 +0300 The Bat! - Configuring the E-mail Client SSL with SMTP/IMAP not working in forum The Bat! - Configuring the E-mail Client.
to make it easier:

who has a working openssl self-signed certificate for his servers and uses it with TB?
how did you generate it?
there seems to be something special in case of TB!


26 October 2004 14:12:29, Ruppert von Teutul.]]> http://www.ritlabs.com/en/forums/forum4/topic382/message1473/ http://www.ritlabs.com/en/forums/forum4/topic382/message1473/ Tue, 26 Oct 2004 14:12:29 +0300 The Bat! - Configuring the E-mail Client SSL with SMTP/IMAP not working in forum The Bat! - Configuring the E-mail Client.
-SUDDENLY MY POSTING DISAPPEARED-

Hi,

did anybody succeed in using openssl self-signed certificates with TB (v2.x)?

Some time ago we set up a mail server with TLS support. We give the CA's certificate to anybody using our mail server for import into the WinXP root certificate store. Everything worked fine for all mail clients (there are Outlook and one other I don't remember).

Now we have one person using TB. He is unable to connect to our mail server. He is unable to send mail (SMTP) and unable to receive mail (IMAP). We are using TLS directly from the start (no STARTTLS needed).

He gets messages like this in his TB log:
26.10.2004, 11:37:01: IMAP - Initiating TLS handshake
!26.10.2004, 11:37:01: IMAP - TLS handshake failure. Unsupported certificate
!26.10.2004, 11:37:01: IMAP - Could not connect to the server
26.10.2004, 11:37:29: SEND - sending mail messages - 1 messages in queue
26.10.2004, 11:37:29: SEND - Initiating TLS handshake
!26.10.2004, 11:37:29: SEND - TLS handshake failure. Unsupported certificate
26.10.2004, 11:37:29: SEND - connection finished - 0 messages sent
26.10.2004, 11:37:29: SEND - Some messages were not sent - check the log for details

The certificate we use is for no special purpose. That means we use general purpose certificates.
I already added the root cert into the address book. Did not help. I tried to add the mail server's cert into the address book but the address book told me that it is corrupted or not an s/mime certificate.
hmmm... it has no specific purpose. Where can I tell openssl to generate the correct certificate? And a certificate that works with all the other mail clients, too? Did we do something wrong when generating our certificate?

Any help is really welcome!

Thanks!
-rgvt-

An addition to that. I have an ssldump output attached. I think it comes from the server's certificate that is not accepted by TB:
1 1 0.0012 (0.0012) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0x35
Unknown value 0x2f
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 2 0.0159 (0.0146) S>C Handshake
ServerHello
Version 3.1
cipherSuite TLS_RSA_WITH_RC4_128_SHA
compressionMethod NULL
1 3 0.0159 (0.0000) S>C Handshake
Certificate
1 4 0.0159 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.0180 (0.0020) C>S Alert
level fatal
value unsupported_certificate


26 October 2004 11:20:01, Ruppert von Teutul.]]> http://www.ritlabs.com/en/forums/forum4/topic382/message1454/ http://www.ritlabs.com/en/forums/forum4/topic382/message1454/ Tue, 26 Oct 2004 11:20:01 +0300 The Bat! - Configuring the E-mail Client