Hello,

I have a problem using chained certificates. My certificate chain looks like (ascii art ole!):

User has:     Root CA Cert
                   |
                   /
                   |
               Sub CA Cert
Server sends:      |
               Server Cert

So I tried to put all server side certificates (SubCA and Server cert) in one file:

-----BEGIN RSA PRIVATE KEY-----
 server private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 server cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
 sub ca certs
-----END CERTIFICATE-----

This usually works with other servers (i.e. UW IMAP). The server sends the complete certificate chain except the root certificate. This certificate is installed on the client, which can verify the complete chain.

However, this does not work with qpopper. Only the first certificate is being sent over the net, so chain validation fails as the middle SubCA cert is missing.

This is what the openssl reference implementation returns:

# openssl s_client -connect server:995 -CApath /etc/ssl/cacerts/


------------------------------------------------------------
CONNECTED(00000003)
depth=0 /C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de/[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de/[EMAIL PROTECTED]
i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
snip - certificate - snap
-----END CERTIFICATE-----
subject=/C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de/[EMAIL PROTECTED]
issuer=/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1693 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: <snip>
Session-ID-ctx:
Master-Key: <snip>
Key-Arg : None
Start Time: 1084263274
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK ready
------------------------------------------------------------



This has been tested with various clients (Mozilla/Thunderbird, Opera, TheBat!, Pegasus Mail), all with the same result.


Is this a bug in qpopper? I found a mail by Alan W. Rateliff, indicating that he had the same problem. (see "Chained Certs" in http://www.pensive.org/Mailing_Lists/Archives/Qpopper/Archive-2003-11-06.html)

Anyway, I found another mail indicating that certificate chaining _is_ possible in qpopper: http://lists.freebsd.org/pipermail/freebsd-questions/2004-March/038728.html

Is there any way around this bug? Has it been patched/addressed? Is it a simple configuration error?

BTW, we're using qpopper 4.0.5

Thanks in advance,
Arne Brutschy
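As an added example (not part of this mail, and not qpopper or OpenSSL code), the following script shows how a client-side check for the problem described above can be automated: it parses the "Certificate chain" block that `openssl s_client` prints, verifies that each certificate's issuer is the subject of the next certificate the server sent, and reports whether the chain ends at an issuer present in the local trust store. The trust store and both transcripts are constructed for the example; the broken transcript mirrors the mail's output (a lone server certificate whose issuer is the Sub CA), the fixed one adds the Sub CA entry the server should have sent.

```python
"""Detect a missing intermediate (Sub CA) certificate from openssl s_client output.

Added example, not from the original mail. It only reads the text that
`openssl s_client -connect host:995 -showcerts` writes to stdout.
"""
import re

# Constructed: subjects of the root CAs installed on the client (stand-in for -CApath).
TRUSTED_ROOTS = {
    "/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Root CA (example)",
}

# s_client prints each chain entry as " N s:<subject>" followed by "   i:<issuer>".
CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"^Verify return code:\s*(\d+)", re.MULTILINE)

# Constructed transcript modelled on the mail: only the server certificate is sent,
# so its issuer (the Sub CA) never appears as a subject anywhere in the chain.
SAMPLE_BROKEN = """\
CONNECTED(00000003)
depth=0 /C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de
   i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004
---
Server certificate
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed transcript of a server that also sends the Sub CA certificate.
SAMPLE_FIXED = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=server1.rz.uni-leipzig.de
   i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004
 1 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004
   i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=Root CA (example)
---
Server certificate
Verify return code: 0 (ok)
"""


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain = []
    lines = transcript.splitlines()
    in_block = False
    i = 0
    while i < len(lines):
        line = lines[i]
        if not in_block:
            in_block = line.strip() == "Certificate chain"
        elif line.strip() == "---":
            break  # end of the chain block
        else:
            m = CHAIN_ENTRY.match(line)
            if m and i + 1 < len(lines):
                im = ISSUER_LINE.match(lines[i + 1])
                if im:
                    chain.append((m.group(2).strip(), im.group(1).strip()))
                    i += 1  # consume the issuer line
        i += 1
    return chain


def check_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Return (ok, reason). ok is True only when every link matches and the
    last certificate was issued by a root in the trust store."""
    if not chain:
        return False, "no certificates in chain"
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            return False, f"cert {n} issuer does not match cert {n + 1} subject"
    last_issuer = chain[-1][1]
    if last_issuer in trusted_roots:
        return True, "chain complete up to a trusted root"
    return False, f"chain ends at untrusted issuer {last_issuer!r}; intermediate missing"


def verify_return_code(transcript):
    """Return the numeric 'Verify return code' s_client printed, or None."""
    m = VERIFY_CODE.search(transcript)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        ok, reason = check_chain(parse_chain(text))
        print(f"{name}: ok={ok} code={verify_return_code(text)} ({reason})")
```

The structural check is independent of the verify code: a server that sends the server certificate followed by the Sub CA certificate passes the link test even if the local trust store lacks the root, which separates "the server is not sending the intermediate" (the mail's case) from "the client does not trust the root".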