
#1 2014-06-11 17:22:37

3wen
Member
Registered: 2014-06-11
Posts: 5

[Solved] OfflineIMAP, OpenSSL and untrusted certificate

Hi,

I am going through some issues configuring OfflineIMAP.
One of my email accounts is hosted on a server whose certificate is not valid; openssl s_client -showcerts -connect <domain>:<port> returns:

Verify return code: 21 (unable to verify the first certificate)

And naturally, OfflineIMAP doesn't like it much:

ERROR: Unknown SSL protocol connecting to host '<domain>' for repository 'remote-account'. OpenSSL responded:
[Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So I tried as much as I could to RTFM, but my knowledge of certificates is pretty much nil. For now, I have tried pulling the certificate (the one I see in my openssl s_client -showcerts -connect <domain>:<port> output), saving it in /usr/share/ca-certificates/extra and running update-ca-certificates. Result: I have a new .pem symlink in /etc/ssl/certs, but I get the same responses from both OpenSSL and OfflineIMAP.

Any ideas?
Thank you in advance,
3wen

Last edited by 3wen (2014-06-12 09:51:24)


#2 2014-06-11 20:56:43

-Syu
Member
Registered: 2012-01-24
Posts: 29

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

Weird, the docs say:

by default we will not verify the certificate of an IMAP TLS/SSL server we connect to

Anyway, did you add the path to your certificate to /etc/ca-certificates.conf before you ran update-ca-certificates?

Oh and welcome to the forums!


#3 2014-06-11 21:16:56

progandy
Member
Registered: 2012-05-17
Posts: 5,263

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

If you are using /etc/ssl/certs/ca-certificates.crt, then I suggest you store your certificate as /usr/local/share/ca-certificates/personal_imap.crt, then run update-ca-certificates as root.
Edit: Storing the certificate in /usr/local serves two purposes. First, it cleanly separates pacman managed files from your local ones. Second, it allows you to use the certificate without changing /etc/ca-certificates.conf.

Last edited by progandy (2014-06-11 21:20:55)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#4 2014-06-11 22:06:26

3wen
Member
Registered: 2014-06-11
Posts: 5

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

Thank you for your replies.

-Syu: The docs are right. I added the option ssl=yes because without it I didn't get anything; OfflineIMAP was stuck at: Establishing connection to <domain>:993 (same thing for port 143). But with mutt, for instance, port 993 worked nicely (I got a warning about the certificate, but that was all).

progandy: Alright, I did what you advised me. Do I have to do something else? Because I still have error 21 with OpenSSL.


Now I have a pretty general question: what I am doing is trying to make OpenSSL accept a certificate that is not valid, right? Is it truly possible?
Thanks again!


#5 2014-06-11 23:19:58

rune0077
Member
Registered: 2009-04-11
Posts: 135

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

Can you show the entire output of openssl command?


#6 2014-06-12 05:55:52

3wen
Member
Registered: 2014-06-11
Posts: 5

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

Sure, here it is:

$ openssl s_client -showcerts -connect imap.sb-roscoff.fr:993
CONNECTED(00000003)
depth=0 C = FR, O = CNRS, OU = FR2424, CN = mailer.sb-roscoff.fr, emailAddress = rootmaster@sb-roscoff.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, O = CNRS, OU = FR2424, CN = mailer.sb-roscoff.fr, emailAddress = rootmaster@sb-roscoff.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = FR, O = CNRS, OU = FR2424, CN = mailer.sb-roscoff.fr, emailAddress = rootmaster@sb-roscoff.fr
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=FR/O=CNRS/OU=FR2424/CN=mailer.sb-roscoff.fr/emailAddress=rootmaster@sb-roscoff.fr
   i:/C=FR/O=CNRS/CN=CNRS2-Standard
-----BEGIN CERTIFICATE-----
MIIEWTCCA0GgAwIBAgICO+IwDQYJKoZIhvcNAQEFBQAwNTELMAkGA1UEBhMCRlIx
DTALBgNVBAoTBENOUlMxFzAVBgNVBAMTDkNOUlMyLVN0YW5kYXJkMB4XDTExMDcy
MTE0MDcyN1oXDTEzMDcyMDE0MDcyN1owdTELMAkGA1UEBhMCRlIxDTALBgNVBAoT
BENOUlMxDzANBgNVBAsTBkZSMjQyNDEdMBsGA1UEAxMUbWFpbGVyLnNiLXJvc2Nv
ZmYuZnIxJzAlBgkqhkiG9w0BCQEWGHJvb3RtYXN0ZXJAc2Itcm9zY29mZi5mcjCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA17GOKyiYNebm8eB2BmUV7B6BeuEa
Rx0CzobQq2aSaqvVtYksRZHdvHSaptO84WgLOn+o+mx4m55dyzQrGcAUYpvDbznf
lxeMuf247IaEtu8f5iiQZakwQotzpyc95MeOeQ32areFhIMkQwWekKfABNchqxVp
TwJfKNe8cCgYgaMCAwEAAaOCAbUwggGxMAwGA1UdEwEB/wQCMAAwEQYJYIZIAYb4
QgEBBAQDAgbAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwMAYJYIZIAYb4QgENBCMWIUNlcnRpZmljYXQgc2VydmV1ciBDTlJT
Mi1TdGFuZGFyZDAdBgNVHQ4EFgQUkwDz1/U2xdFzPU3o3zgTtbSptHEwVAYDVR0j
BE0wS4AUEePZ0VJHG1mxPBt4Zmv0oYjtCluhMKQuMCwxCzAJBgNVBAYTAkZSMQ0w
CwYDVQQKEwRDTlJTMQ4wDAYDVQQDEwVDTlJTMoIBAzBvBgNVHREEaDBmghRtYWls
ZXIuc2Itcm9zY29mZi5mcoIScG9wcy5zYi1yb3Njb2ZmLmZyghNpbWFwcy5zYi1y
b3Njb2ZmLmZyghJpbWFwLnNiLXJvc2NvZmYuZnKCEXBvcC5zYi1yb3Njb2ZmLmZy
MEcGA1UdHwRAMD4wPKA6oDiGNmh0dHA6Ly9jcmxzLnNlcnZpY2VzLmNucnMuZnIv
Q05SUzItU3RhbmRhcmQvZ2V0ZGVyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAGklf
tLgSYABM0/L+4CTaul9zqef48gKhan6o/eWjvKma/d99pxG96GOGm76xkihyoX3c
2IqgfGERAlM1H9UMcNe3053MilPxV+x3anAw2yrZ+sttBJgn3fUOwNThhNBN6Ib9
NVpmXKqhpUD7t0j9TX+uZZniz9cG63GHunF5zDkwKGW34ENNRIpJDvZskN6LPDcZ
O5uh9NntHzgE5fO3pBmsRsjf4lyLGfCoz8opB+KZRbDiHmRPCBIXcs5n6cKOWpHd
nuG1z3LxOjtbiOzHeeh7at7ZW0iOjHFW7n/WFWv4cdwJd5D6JEYuFHIyYvCeHhix
XlArpcuE8F4YCqVOvA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/O=CNRS/OU=FR2424/CN=mailer.sb-roscoff.fr/emailAddress=rootmaster@sb-roscoff.fr
issuer=/C=FR/O=CNRS/CN=CNRS2-Standard
---
No client certificate CA names sent
---
SSL handshake has read 1286 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 17A81AFF8A65673223E658D66F1C3F866A9BAAAC8CD8C5C6ACDD60918CC7A9FA
    Session-ID-ctx: 
    Master-Key: D84966D3EF1B0FC2A36914042862ABE881A9FF3EA8DFF3C385F5FF583A98310DC70E3CC0342B34F1E8B6691C9C4A779C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1402552459
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=LOGIN AUTH=PLAIN SASL-IR] sb-roscoff Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-12.el5_7.1 server ready
DONE


#7 2014-06-12 08:57:00

progandy
Member
Registered: 2012-05-17
Posts: 5,263

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

You can improve the situation if you install the CNRS2 and CNRS2-Standard CAs to /usr/local/...
https://igc.services.cnrs.fr/CNRS2-Stan … ew_ca.html (in column Récupération dans un fichier)

Then the only problem is that the certificate is expired.

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt  -showcerts -connect imap.sb-roscoff.fr:993 

Last edited by progandy (2014-06-12 08:58:35)




#8 2014-06-12 09:13:45

3wen
Member
Registered: 2014-06-11
Posts: 5

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

progandy wrote:

You can improve the situation if you install the CNRS2 and CNRS2-Standard CAs to /usr/local/...
https://igc.services.cnrs.fr/CNRS2-Stan … ew_ca.html (in column Récupération dans un fichier)

Then the only problem is that the certificate is expired.

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt  -showcerts -connect imap.sb-roscoff.fr:993 

Thanks, now I indeed have only the "expired certificate" problem. But OfflineIMAP still doesn't like it…
Speaking of OfflineIMAP, do you think it's normal that when I set ssl=no, I have no answer from the server?


#9 2014-06-12 09:36:32

progandy
Member
Registered: 2012-05-17
Posts: 5,263

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

Then try to use cert_fingerprint and remove sslcacertfile for this server.




#10 2014-06-12 09:51:02

3wen
Member
Registered: 2014-06-11
Posts: 5

Re: [Solved] OfflineIMAP, OpenSSL and untrusted certificate

This is it! It works!
I had already tried this option, but I used the MD5 fingerprint, and apparently OfflineIMAP requires the SHA1 fingerprint.

Thanks again, problem solved! \o/

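Editor's note: the two things this thread turned on, why OpenSSL rejects the certificate shown in #6 and which fingerprint the cert_fingerprint option in #9/#10 wants, can both be read straight off the certificate itself. The script below is an added example, not code from the thread, from OfflineIMAP or from Arch. It decodes the PEM block that openssl s_client printed in #6 with a minimal standard-library DER walker (enough for a well-formed X.509 v1/v3 certificate, nothing more), reports issuer, subject, validity period and subjectAltName, and computes the MD5 and SHA-1 fingerprints of the DER encoding. The output shows the issuer CN CNRS2-Standard, which is why a default trust store gives error 20/21 until the CNRS2 CAs are installed, and notAfter of 2013-07-20, which is the expiry progandy mentions in #7. That OfflineIMAP compares the lowercase hex SHA-1 digest with no colons is my understanding of the 2014-era OfflineIMAP code, not something the thread states, so treat the "sha1" field as an assumption and the "sha1_openssl" field as the format openssl x509 -fingerprint prints.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Server certificate exactly as openssl s_client -showcerts printed it in post #6.
PEM = """-----BEGIN CERTIFICATE-----
MIIEWTCCA0GgAwIBAgICO+IwDQYJKoZIhvcNAQEFBQAwNTELMAkGA1UEBhMCRlIx
DTALBgNVBAoTBENOUlMxFzAVBgNVBAMTDkNOUlMyLVN0YW5kYXJkMB4XDTExMDcy
MTE0MDcyN1oXDTEzMDcyMDE0MDcyN1owdTELMAkGA1UEBhMCRlIxDTALBgNVBAoT
BENOUlMxDzANBgNVBAsTBkZSMjQyNDEdMBsGA1UEAxMUbWFpbGVyLnNiLXJvc2Nv
ZmYuZnIxJzAlBgkqhkiG9w0BCQEWGHJvb3RtYXN0ZXJAc2Itcm9zY29mZi5mcjCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA17GOKyiYNebm8eB2BmUV7B6BeuEa
Rx0CzobQq2aSaqvVtYksRZHdvHSaptO84WgLOn+o+mx4m55dyzQrGcAUYpvDbznf
lxeMuf247IaEtu8f5iiQZakwQotzpyc95MeOeQ32areFhIMkQwWekKfABNchqxVp
TwJfKNe8cCgYgaMCAwEAAaOCAbUwggGxMAwGA1UdEwEB/wQCMAAwEQYJYIZIAYb4
QgEBBAQDAgbAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwMAYJYIZIAYb4QgENBCMWIUNlcnRpZmljYXQgc2VydmV1ciBDTlJT
Mi1TdGFuZGFyZDAdBgNVHQ4EFgQUkwDz1/U2xdFzPU3o3zgTtbSptHEwVAYDVR0j
BE0wS4AUEePZ0VJHG1mxPBt4Zmv0oYjtCluhMKQuMCwxCzAJBgNVBAYTAkZSMQ0w
CwYDVQQKEwRDTlJTMQ4wDAYDVQQDEwVDTlJTMoIBAzBvBgNVHREEaDBmghRtYWls
ZXIuc2Itcm9zY29mZi5mcoIScG9wcy5zYi1yb3Njb2ZmLmZyghNpbWFwcy5zYi1y
b3Njb2ZmLmZyghJpbWFwLnNiLXJvc2NvZmYuZnKCEXBvcC5zYi1yb3Njb2ZmLmZy
MEcGA1UdHwRAMD4wPKA6oDiGNmh0dHA6Ly9jcmxzLnNlcnZpY2VzLmNucnMuZnIv
Q05SUzItU3RhbmRhcmQvZ2V0ZGVyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAGklf
tLgSYABM0/L+4CTaul9zqef48gKhan6o/eWjvKma/d99pxG96GOGm76xkihyoX3c
2IqgfGERAlM1H9UMcNe3053MilPxV+x3anAw2yrZ+sttBJgn3fUOwNThhNBN6Ib9
NVpmXKqhpUD7t0j9TX+uZZniz9cG63GHunF5zDkwKGW34ENNRIpJDvZskN6LPDcZ
O5uh9NntHzgE5fO3pBmsRsjf4lyLGfCoz8opB+KZRbDiHmRPCBIXcs5n6cKOWpHd
nuG1z3LxOjtbiOzHeeh7at7ZW0iOjHFW7n/WFWv4cdwJd5D6JEYuFHIyYvCeHhix
XlArpcuE8F4YCqVOvA==
-----END CERTIFICATE-----"""

OID_CN = b"\x55\x04\x03"    # 2.5.4.3   commonName
OID_SAN = b"\x55\x1d\x11"   # 2.5.29.17 subjectAltName

def pem_to_der(pem):
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def tlv(buf, pos=0):
    """Return (tag, content, next_pos) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a SEQUENCE/SET into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = tlv(content, pos)
        out.append((tag, value))
    return out

def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots at 1950
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def common_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }"""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == OID_CN:
                return value.decode("utf-8")
    return None

def parse_certificate(der):
    _, cert, _ = tlv(der)                         # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])       # tbsCertificate fields in order
    if fields[0][0] == 0xA0:                      # explicit [0] version (v2/v3 only)
        fields = fields[1:]
    (_, serial), _sig_alg, (_, issuer), (_, validity), (_, subject) = fields[:5]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity))
    dns_names = []
    for tag, value in fields[5:]:
        if tag != 0xA3:                           # [3] extensions
            continue
        for _, ext in children(children(value)[0][1]):
            parts = children(ext)                 # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == OID_SAN:
                _, general_names, _ = tlv(parts[-1][1])
                dns_names = [v.decode("ascii") for t, v in children(general_names) if t == 0x82]
    sha1 = hashlib.sha1(der).digest()
    return {
        "serial": int.from_bytes(serial, "big"),
        "issuer_cn": common_name(issuer),
        "subject_cn": common_name(subject),
        "not_before": not_before,
        "not_after": not_after,
        "dns_names": dns_names,
        "md5": hashlib.md5(der).hexdigest(),
        "sha1": sha1.hex(),                       # assumed cert_fingerprint form: lowercase hex, no colons
        "sha1_openssl": ":".join(f"{b:02X}" for b in sha1),   # as openssl x509 -fingerprint prints it
    }

def valid_on(info, day):
    """True if the certificate's validity period covers the given YYYY-MM-DD (UTC)."""
    when = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return info["not_before"] <= when <= info["not_after"]
```

Run it with `info = parse_certificate(pem_to_der(PEM))` and print `info`; `valid_on(info, "2014-06-12")` is False because the certificate expired on 2013-07-20, which is exactly the state the thread ended in. Two caveats for anyone copying the cert_fingerprint approach: the subjectAltName list shows imap.sb-roscoff.fr is covered, so the name was never the problem, and pinning a fingerprint pins this one expired certificate, so OfflineIMAP will refuse the connection again as soon as the server finally gets a new one, which is the moment to switch back to sslcacertfile with the CNRS2 CAs.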
