[Pkg-openssl-devel] Bug#573889: Bug#573889: libssl0.9.8: unknown message digest algorithm error in dovecot

Marcus Jodorf bofh at killfile.de
Fri Mar 19 03:23:01 UTC 2010


Kurt Roeckx wrote:

> With which program do you connect to dovecot?  Are you doing
> it with imap (port 143) or imaps (port 993)?

I tried icedove (2.0.0.22) and Apple Mail.
Icedove originally was set to use TLS with port 143 and Apple Mail had 
its "use ssl" setting set which results in using port 993.
Both failed to connect to dovecot after the upgrade to libssl0.9.8m-(1/2).

I then tried icedove using port 993 too and it fails.


> Can you try connecting to it using s_client?  Something like:
> openssl s_client -connect localhost:143 -starttls imap -CAfile /etc/ssl/certs/dovecot.pem
> or:
> openssl s_client -connect localhost:993 -CAfile /etc/ssl/certs/dovecot.pem
> 
> Does that work?  Does that produce anything in the log file
> indicating an error with tls/ssl?

With libssl0.9.8m-2:

bofh at hydrogen:~$ openssl s_client -connect localhost:143 -starttls imap -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
5768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Logfile:
Mar 19 03:42:54 hydrogen dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm


Now using port 993:

bofh at hydrogen:~$ openssl s_client -connect localhost:993 -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
5987:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Logfile:
Mar 19 03:54:36 hydrogen dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm


After going back from libssl0.9.8m-2 to libssl0.9.8_0.9.8k-8 and 
restarting dovecot all works fine again (as it did the last few years):

bofh at hydrogen:~$ openssl s_client -connect localhost:143 -starttls imap -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
  0 s:/C=DE/O=********.de/OU=mail 
services/CN=mailhost.********.de/emailAddress=postmaster@********.de
    i:/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
  1 s:/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
    i:/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
---
Server certificate
-----BEGIN CERTIFICATE-----

**shortened**

-----END CERTIFICATE-----
subject=/C=DE/O=****.de/OU=mail 
services/CN=mailhost.****.de/emailAddress=postmaster@****.de
issuer=/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
---
No client certificate CA names sent
---
SSL handshake has read 4245 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
D452D27272507C8F56C1D86643A8AC8C7BC555E718440AC737F299E8BE397EB2
     Session-ID-ctx:
     Master-Key: 
C1CB9A54BF521634A4725790A2BDB43F806B745BBDF322DB01137721E5ED334B03564352469FA6D4072279B6C30B76E5
     Key-Arg   : None
     Start Time: 1268967813
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Capability completed.
* BYE Disconnected for inactivity.
closed


Using port 993:

bofh at hydrogen:~$ openssl s_client -connect localhost:993 -CAfile /etc/ssl/certs/dovecot.pem
CONNECTED(00000003)
depth=1 /C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
  0 s:/C=DE/O=********.de/OU=mail 
services/CN=mailhost.********.de/emailAddress=postmaster@********.de
    i:/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
  1 s:/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
    i:/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
---
Server certificate
-----BEGIN CERTIFICATE-----

**shortened**

-----END CERTIFICATE-----
subject=/C=DE/O=****.de/OU=mail 
services/CN=mailhost.****.de/emailAddress=postmaster@****.de
issuer=/C=DE/O=****/OU=CA authority/CN=**** 
CA/emailAddress=hostmaster@****.de
---
No client certificate CA names sent
---
SSL handshake has read 3723 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
D04E6459CE760E5ADC0FFAAEEDFE08E07B14DE6D5C84FD6B4DE767A8C7C1A19E
     Session-ID-ctx:
     Master-Key: 
F26A201431F9E1C7B7F80FFF033C4959D1F729FDD2CF460537EC6B5D154689FCEFC72AF03A7A4C38D68CA943C91BDCAA
     Key-Arg   : None
     Start Time: 1268968202
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Imapd ready.

> I need some way to reproduce this.

I'll try to find time at the weekend to find a way to reproduce this.


Marcus
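A check that follows from the error above, added here as an example and not part of the thread or of Debian's, OpenSSL's or Dovecot's code: ASN1_item_verify raises "unknown message digest algorithm" while verifying a certificate signature, so the next thing to establish is which signature algorithm (and therefore which digest) each certificate in the chain was signed with, and whether the local runtime recognises that digest. The script walks only the outer DER structure of every certificate in a PEM bundle (such as the /etc/ssl/certs/dovecot.pem used with s_client above) using the standard library. The embedded sample bundle is constructed for this example (structurally valid, unsigned, not a real certificate), the OID table covers only common algorithms, and the "known locally" column reflects Python's hashlib, not the libssl build Dovecot links against.

```python
"""List the signature algorithm of each certificate in a PEM bundle."""
import base64
import hashlib
import re

# Common signature-algorithm OIDs -> (OpenSSL long name, digest it uses).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(bundle):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets -> dotted string, e.g. 1.2.840.113549.1.1.5."""
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }:
    return the OID inside signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)      # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(oid)

def chain_report(bundle):
    """Per certificate: (depth, oid, name, digest, digest known to local hashlib)."""
    rows = []
    for depth, der in enumerate(pem_to_der(bundle)):
        oid = signature_oid(der)
        name, digest = SIG_ALGS.get(oid, ("unknown:" + oid, None))
        known = digest is not None and digest in hashlib.algorithms_available
        rows.append((depth, oid, name, digest, known))
    return rows

# --- constructed sample input (not a real certificate) -----------------------
def der_tlv(tag, content):
    """Minimal DER encoder (short and long length forms), used to build the sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Dotted OID -> DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def fake_cert_pem(sig_oid):
    """Constructed, unsigned certificate shell whose only meaningful field is
    signatureAlgorithm. Exercises the parser; never usable as a real certificate."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                         # placeholder tbsCertificate
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" * 129)                                 # all-zero BIT STRING
    b64 = base64.b64encode(der_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Sample chain in the order s_client printed it above: server cert, then its CA.
SAMPLE_BUNDLE = fake_cert_pem("1.2.840.113549.1.1.11") + fake_cert_pem("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    import sys
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for depth, oid, name, digest, known in chain_report(bundle):
        print("%d: %s (%s) digest=%s known_locally=%s" % (depth, name, oid, digest, known))
```

Run it with the path to the bundle as its only argument; with no argument it reports on the constructed sample. On a real chain the name it prints for each certificate is the same value `openssl x509 -in <cert> -noout -text` shows as `Signature Algorithm:`, which is the quick manual equivalent; the point of listing every depth is that the failing verification may be of the CA certificate at depth 1 rather than of the server certificate.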