[ingo] TLS & Managesieve & dovecot

Jan Schneider jan at horde.org
Thu Mar 10 16:04:44 UTC 2022


openssl s_client -connect localhost:4190 probably won't work, because
it sounds like you have set up Managesieve with STARTTLS support.
That's what openssl's -starttls option is for, but that unfortunately
doesn't support the managesieve protocol.

Also this message:
unknown ca: SSL alert number 48

already points to the issue that the certificate's CA is not known on
the client machine.

Quoting Prößler, Reinhard <reinhard.proessler at uni-hamburg.de>:

> Hello Ralf
>
> Yes, and I will look deeper in the result.
>
> # openssl s_client -connect localhost:4190
> CONNECTED(00000003)
> 139667961669440:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5 bytes and written 293 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
>
> Kind regards
>
> Reinhard Prößler
>
> Universitaet Hamburg
> Regionales Rechenzentrum
> Basis Infrastruktur (BIN)
> Schlueterstrasse 70
> D-20146 Hamburg
>
> Tel: +4940 42838 7121
>
> From: Ralf Lang <lang at b1-systems.de>
> Sent: Thursday, 10 March 2022 10:20
> To: Prößler, Reinhard <reinhard.proessler at uni-hamburg.de>; ingo at lists.horde.org
> Subject: Re: [ingo] TLS & Managesieve & dovecot
>
> Hi Reinhard,
>
> On 10.03.2022 at 10:08, Prößler, Reinhard wrote:
>
> Dear colleagues
>
> Currently I set up a Horde Groupware system on SuSE SLES 15.3 and OpenSuse
> 15.3, Horde Groupware is installed via PEAR.
>
> All works fine, Mail goes in and out, TLS Imap is ok.
>
> Even Horde Ingo with connection to Dovecot managesieve works fine. With
> Plain authentication and without TLS.
>
> If I enable TLS in ingo/config/backend.local.php:
>
>                 // Hostname of the timsieved server
>                 'hostspec' => 'localhost',
>                 // Login type of the server
>                 'logintype' => 'PLAIN',
>                 // Enable/disable TLS encryption
>                 'usetls' => true,
>                 // Port number of the timsieved server
>                 'port' => 4190,
>                 // Name of the sieve script
>                 'scriptname' => 'ingo',
>                 // Enable debugging. The sieve protocol communication is
>                 // logged with the DEBUG level.
>                 'debug' => true,
>
> Then it fails and I get an error:
>
> ###
> ar 10 10:03:52 s0 HORDE[14191]: [ingo] PHP ERROR: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
> Mar 10 10:03:52 s0 HORDE[14191]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [pid 14191 on line 1404 of "/usr/share/php7/PEAR/Net/Sieve.php"]
> Mar 10 10:03:52 s0 dovecot[15382]: managesieve-login: Disconnected: Connection closed: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48 (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<2pFBftnZ1OAAAAAAAAAAAAAAAAAAAAAB>
>
> Can you provide the output of
>
> openssl s_client -connect <hostname>:<port>
>
> run on the Horde VM connecting to the managesieve port on the sieve VM?
>
> Possible issues:
> - No common TLS version / cipher suite allowed between both parties
> - Certificate CA not known to openssl



-- 
Jan Schneider
The Horde Project
https://www.horde.org/
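
As an added example (not part of the original message, and not Horde or Dovecot code), the Python code below performs the check that a plain `openssl s_client -connect` cannot: it reads the plaintext ManageSieve greeting, issues STARTTLS, and only then starts the TLS handshake, verifying the server certificate against a given CA file. The function names and the sample greeting are constructed for illustration, and the greeting format is assumed to follow RFC 5804.

```python
import socket
import ssl

# Constructed sample of a ManageSieve capability greeting (RFC 5804 format).
SAMPLE_GREETING = (b'"IMPLEMENTATION" "Example Sieve Server"\r\n'
                   b'"SASL" ""\r\n"STARTTLS"\r\nOK "ready"\r\n')

def read_response(rfile):
    """Collect response lines up to the final OK/NO/BYE status line."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed before a status line")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if line.upper().split(" ", 1)[0] in ("OK", "NO", "BYE"):
            return lines

def status_ok(lines):
    """True if the final status line of a response is OK."""
    return lines[-1].upper().startswith("OK")

def offers_starttls(greeting):
    """True if a capability line advertises "STARTTLS"."""
    return any(l.upper().startswith('"STARTTLS"') for l in greeting)

def probe(host, port=4190, cafile=None):
    """Return (verified, detail); cafile=None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)  # checks chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        greeting = read_response(rfile)  # the server speaks plaintext first
        if not (status_ok(greeting) and offers_starttls(greeting)):
            return False, "STARTTLS not offered"
        sock.sendall(b"STARTTLS\r\n")
        if not status_ok(read_response(rfile)):
            return False, "STARTTLS refused"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
        except ssl.SSLCertVerificationError as exc:
            # Client-side verification failed, e.g. unknown CA or wrong hostname.
            return False, exc.verify_message

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it with the host name that appears in the server certificate and, optionally, the path to the CA bundle the client is expected to trust; a `False` result carries the verification error text.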


