Hello Lars,

On Fri, Apr 01, 2016 at 08:24:23PM +0200, Dr. Lars Hanke wrote:
> I'm running icedove for years as MUA via IMAP for my Cyrus2 mail
> server. Access has been encrypted using TLS on port 143 for many
> years. Recently, it suddenly ceased working. In the relevant time
> frame I updated icedove and had to renew the server certificate.
You don't show any public data of the certificate, so it's impossible for us to detect the problem in detail. Note also there is an old entry in the Debian Wiki for Icedove around such issues:

https://wiki.debian.org/Icedove#Icedove_seems_impossible_to_send_mails_via_STARTLS_after_installation_of_libnss_3.14-1

> I can contact the mail server using openssl s_client. And of course by
> falling back to plain text access. Wireshark shows that an apparently
> normal STARTTLS sequence is answered by icedove with "Bad
> Certificate", immediately.

That's the reason why Icedove isn't doing anything further; the question is why NSS thinks the certificate is bad.

By the way, STARTTLS isn't the best choice if you want TLS encrypted connections. Just switch to SSL/TLS (default 993) instead.

> However, from UI perspective icedove seems
> to hang infinitely. There is no message about problems with
> certificates shown to the user. This at least should be considered a
> bug.

This is an upstream-related thing, so the bug report has to be addressed to the Mozilla bugtracker for this issue.

> Beyond that I cannot find any actual problems with the certificates in
> the chain. I am able to import both, server and CA, into Icedove's
> certificate store. Inspecting the details of the server certificate
> correctly lists the CA certificate in the tree view. But still
> connection fails the same way.

At least the website https://de.ssl-tools.net/mailservers shows that the MX for lhanke.de is using SSLv3, which isn't secure anymore. And there is a hostname mismatch in the certificate chain. I assume we are talking about lhanke.de. On the website https://www.ssllabs.com/ssltest/index.html more checks can be done automatically if needed.

> I'd expect icedove to complain about the certificates also when
> importing them into the store, if there is actually an issue with
> them.

Yes, I agree on that.
But right after an import of a CA there may be problems that cannot be detected, because the algorithm can only analyze the plain structure of the files. Unfortunately the whole certificate and encryption topic is a complex thing. I don't expect much progress on this on the upstream side; we as maintainers can't do much here.

> The example log using NSPR_LOG_MODULES=all:5 published there neither
> revealed anything useful.

I won't believe that. :-) There is always some information visible that helps to narrow down the problems.

Regards
Carsten
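An added example, not from this thread: the two checks Carsten points at (chain validation and hostname match) done with plain openssl, so the result can be compared with what NSS rejects. The live check uses `openssl s_client -starttls imap` as Lars did; the offline check works on a saved PEM certificate. The CA file path and the host name `imap.example.test` are assumptions, and the test PKI is constructed locally.

```shell
#!/bin/sh
# Added example for the Icedove/IMAP STARTTLS discussion (not Debian's or
# Mozilla's code). Requires the openssl command line tool.
set -e

# Live check: STARTTLS on the IMAP port, validate the chain against CAFILE and
# the certificate name against HOST. Prints openssl's "Verify return code" line
# (0 = ok; other codes name the reason NSS would also reject it).
check_imap_starttls() {
  host=$1; port=${2:-143}; cafile=$3
  openssl s_client -connect "$host:$port" -starttls imap -servername "$host" \
    -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>/dev/null |
    grep 'Verify return code'
}

# Offline check of a saved server certificate (e.g. copied from
# "openssl s_client -showcerts"): succeeds only if the chain validates against
# CAFILE and HOST matches a SAN entry or the CN of the certificate.
verify_saved_cert() {
  cert=$1; cafile=$2; host=$3
  openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Constructed test PKI (assumption, not a real host): a throwaway CA and a
# server certificate with SAN imap.example.test, written to DIR.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:imap.example.test\n' > "$dir/ext.cnf"
  openssl x509 -req -days 2 -in "$dir/srv.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
    -out "$dir/srv.pem" 2>/dev/null
}
```

A hostname mismatch like the one ssl-tools reported shows up as a non-zero verify return code here, even though the same certificate imports fine into a certificate store.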

