Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-23 Thread Ralf Hildebrandt
* Aki Tuomi :

> > Still there in auto11
> >
> Yes, we have not gotten round to fixing it. Did you remove < from the path?

Of course :)

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-23 Thread Aki Tuomi


On 23.03.2017 11:59, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt :
>
>> Mar 20 16:10:17 mproxy dovecot: master: Dovecot v2.2.devel (a39b5b2) 
>> starting up for imap
>> Mar 20 16:10:26 mproxy dovecot: auth: Error: 
>> imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't 
>> verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Mar 20 16:10:26 mproxy dovecot: auth: Error: 
>> imapc(exchange-imap.charite.de:993): No SSL context
>> Mar 20 16:10:26 mproxy dovecot: auth: Error: 
>> imap(hildeb,141.42.206.36,): Disconnected from server
>> Mar 20 16:10:26 mproxy dovecot: imap-login: Warning: Auth connection closed 
>> with 1 pending requests (max 0 secs, pid=1747, EOF)
>> Mar 20 16:10:26 mproxy dovecot: auth: Fatal: master: service(auth): child 
>> 1748 killed with signal 11 (core dumped)
> Still there in auto11
>
Yes, we have not gotten round to fixing it. Did you remove < from the path?

Aki


Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-23 Thread Ralf Hildebrandt
* Ralf Hildebrandt :

> Mar 20 16:10:17 mproxy dovecot: master: Dovecot v2.2.devel (a39b5b2) starting 
> up for imap
> Mar 20 16:10:26 mproxy dovecot: auth: Error: 
> imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't 
> verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Mar 20 16:10:26 mproxy dovecot: auth: Error: 
> imapc(exchange-imap.charite.de:993): No SSL context
> Mar 20 16:10:26 mproxy dovecot: auth: Error: 
> imap(hildeb,141.42.206.36,): Disconnected from server
> Mar 20 16:10:26 mproxy dovecot: imap-login: Warning: Auth connection closed 
> with 1 pending requests (max 0 secs, pid=1747, EOF)
> Mar 20 16:10:26 mproxy dovecot: auth: Fatal: master: service(auth): child 
> 1748 killed with signal 11 (core dumped)

Still there in auto11




Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> * Aki Tuomi :
> 
> > Could you send us the gdb bt full backtrace for the core file? 
> 
> Currently I can't get it to create coredumps

Got a coredump and backtrace:

Mar 20 16:10:17 mproxy dovecot: master: Dovecot v2.2.devel (a39b5b2) starting up for imap
Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 16:10:26 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
Mar 20 16:10:26 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1747, EOF)
Mar 20 16:10:26 mproxy dovecot: auth: Fatal: master: service(auth): child 1748 killed with signal 11 (core dumped)

and the backtrace:

# gdb -q /usr/lib/dovecot/auth 1748
Reading symbols from /usr/lib/dovecot/auth...Reading symbols from
/usr/lib/debug/.build-id/7a/66f9b5902485fd23f1f3dbab6479c1214f4ef1.debug...done.
done.
Attaching to program: /usr/lib/dovecot/auth, process 1748
ptrace: No such process.
[New LWP 1748]
Core was generated by dovecot/auth'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x7f61e2af2226 in array_append_i (count=, 
data=, array=) at ../../src/lib/array.h:168
168../../src/lib/array.h: No such file or directory.

(gdb) bt full

#0  0x7f61e2af2226 in array_append_i (count=, 
data=, array=) at ../../src/lib/array.h:168
No locals.
#1  imapc_connection_abort_commands_array 
(cmd_array=cmd_array@entry=0x557d24fbcea0, 
dest_array=dest_array@entry=0x7ffef84bf690, only_box=only_box@entry=0x0, 
keep_retriable=keep_retriable@entry=false)
at imapc-connection.c:289
  cmd = 0x41
  i = 0
#2  0x7f61e2af251a in imapc_connection_abort_commands (conn=0x557d24fbcdc0, 
only_box=0x0, keep_retriable=) at imapc-connection.c:303
cmdp = 
cmd = 
tmp_array = {arr = {buffer = 0x557d24f82960, element_size = 8}, v = 
0x557d24f82960, v_modifiable = 0x557d24f82960}
reply = {state = IMAPC_COMMAND_STATE_DISCONNECTED, resp_text_key = 0x0, 
resp_text_value = 0x0, text_full = 0x7f61e2af6316 "Disconnected from server", 
  text_without_resp = 0x7f61e2af6316 "Disconnected from server"}
#3  0x7f61e39e6a92 in io_loop_call_io (io=0x557d24f9bcd0) at ioloop.c:599
ioloop = 0x557d24f8a810
t_id = 2
__FUNCTION__ = "io_loop_call_io"
#4  0x7f61e39e80ea in io_loop_handler_run_internal 
(ioloop=ioloop@entry=0x557d24f8a810) at ioloop-epoll.c:223
ctx = 0x557d24f92310
io = 
tv = {tv_sec = 29, tv_usec = 999177}
events_count = 
msecs = 
ret = 1
i = 0
j = 
call = 
__FUNCTION__ = "io_loop_handler_run_internal"
#5  0x7f61e39e6b2c in io_loop_handler_run 
(ioloop=ioloop@entry=0x557d24f8a810) at ioloop.c:648
No locals.
#6  0x7f61e39e6cd8 in io_loop_run (ioloop=0x557d24f8a810) at ioloop.c:623
__FUNCTION__ = "io_loop_run"
#7  0x7f61e396e7d3 in master_service_run (service=0x557d24f8a6b0, 
callback=) at master-service.c:641
No locals.
#8  0x557d2303f31e in main (argc=1, argv=0x557d24f8a390) at main.c:400
c = 
(gdb) 

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Ralf Hildebrandt
* Aki Tuomi :

> Could you send us the gdb bt full backtrace for the core file? 

Currently I can't get it to create coredumps

doveconf -n:

# 2.2.devel (3f97702): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (023f391)
# OS: Linux 4.4.0-65-generic x86_64 Ubuntu 16.04.2 LTS 
auth_mechanisms = plain login
default_vsz_limit = 1 G
imapc_host = exchange-imap.charite.de
imapc_port = 993
imapc_ssl = imaps
imapc_ssl_verify = no
listen = *,::
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_plugins = mail_log notify
mail_uid = imapproxy
passdb {
  args = host=exchange-imap.charite.de port=993 ssl=imaps
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w userdb_imapc_host=exchange-imap.charite.de userdb_imapc_ssl=imaps userdb_imapc_port=993
  driver = imap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
ssl = required
ssl_ca = http://www.charite.de



Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Aki Tuomi


On 20.03.2017 16:40, Ralf Hildebrandt wrote:
> * Aki Tuomi :
>>
>> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
>>> ssl_client_ca_file = 
>> Leave the < out. It is misleading, I know, but it does say file. =)
> Makes no difference:
>
> # doveconf |fgrep ssl_client_ca
> ssl_client_ca_dir = 
> ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
>
> and with auto8 I still get:
>
> Mar 20 15:38:20 mproxy dovecot: auth: Error: 
> imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't 
> verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Mar 20 15:38:20 mproxy dovecot: auth: Error: 
> imapc(exchange-imap.charite.de:993): No SSL context
> Mar 20 15:38:20 mproxy dovecot: auth: Error: 
> imap(hildeb,141.42.206.36,): Disconnected from server
> Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed 
> with 1 pending requests (max 0 secs, pid=52992, EOF)
> Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 
> 52990 killed with signal 11 (core dumped)
>
> going back to auto6 and everything is peachy again.
>

Hi!

Could you send us the gdb bt full backtrace for the core file? Also, can
you send doveconf -n?

Aki
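
Added example (not part of the thread and not Dovecot project code): a shell check that rules out the configuration causes discussed above, a leading `<` on `ssl_client_ca_file` or a CA path that cannot be used, before the failure is treated as a regression. The function names, return codes and the demo files are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: sanity-check ssl_client_ca_* in dovecot.conf or saved doveconf output.
# Return codes are this sketch's own convention:
#   0 usable CA source, 1 nothing set, 2 leading "<", 3 path unusable.

# Print the last value of setting $1 from "key = value" text on stdin.
setting_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1 | sed 's/[[:space:]]*$//'
}

check_client_ca() {   # $1 = file containing the configuration text
    ca_file=$(setting_value ssl_client_ca_file < "$1")
    ca_dir=$(setting_value ssl_client_ca_dir < "$1")
    if [ -z "$ca_file$ca_dir" ]; then
        echo "neither ssl_client_ca_file nor ssl_client_ca_dir is set"; return 1
    fi
    case "$ca_file" in
        '<'*) echo "ssl_client_ca_file starts with '<'; give the plain path"; return 2 ;;
    esac
    if [ -n "$ca_file" ]; then
        if [ ! -r "$ca_file" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file"; then
            echo "ssl_client_ca_file=$ca_file: unreadable or holds no PEM certificate"; return 3
        fi
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file")
        echo "ssl_client_ca_file=$ca_file: $n certificate(s)"; return 0
    fi
    [ -d "$ca_dir" ] || { echo "ssl_client_ca_dir=$ca_dir: not a directory"; return 3; }
    echo "ssl_client_ca_dir=$ca_dir: directory present"; return 0
}

# Constructed demo: a placeholder bundle, referenced once with "<" and once without.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$d/ca.pem"
    printf 'ssl_client_ca_dir = \nssl_client_ca_file = <%s\n' "$d/ca.pem" > "$d/with-lt.conf"
    printf 'ssl_client_ca_dir = \nssl_client_ca_file = %s\n' "$d/ca.pem" > "$d/plain.conf"
    check_client_ca "$d/with-lt.conf" || echo "  -> return code $?"
    check_client_ca "$d/plain.conf" || echo "  -> return code $?"
    rm -rf "$d"
}
demo
```

A return code of 0 only shows that the setting points at something usable; as the thread reports, the error still appeared with a valid `ssl_client_ca_file` on the affected builds.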


Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Ralf Hildebrandt
* Aki Tuomi :
> 
> 
> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> > ssl_client_ca_file =  
> Leave the < out. It is misleading, I know, but it does say file. =)

Makes no difference:

# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir = 
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt

and with auto8 I still get:

Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF)
Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped)

going back to auto6 and everything is peachy again.




Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Aki Tuomi


On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> ssl_client_ca_file = 

Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> * Ralf Hildebrandt :
> > Hi!
> > 
> > I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 
> > 2:2.2.28-1~auto+8) and now I'm getting an error:
> 
> I was able to determine the last working version: 2:2.2.28-1~auto+6
> and the first "broken" version:   2:2.2.28-1~auto+7

2:2.2.28-1~auto+7 CHANGES file 
(http://xi.dovecot.fi/debian/pool/jessie-auto/dovecot-2.2/dovecot_2.2.28-1~auto+7_amd64.changes)
says:

New revision (a39b5b2852f2) in dovecot Git repository

...
 - lib-ssl-iostream: Ensure verify_remote_cert is true
 - lib-ssl-iostream: Fix ambiguity with SSL settings
...   

I think one of these two could be the culprit



Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

2017-03-20 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> Hi!
> 
> I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 
> 2:2.2.28-1~auto+8) and now I'm getting an error:

I was able to determine the last working version: 2:2.2.28-1~auto+6
and the first "broken" version:   2:2.2.28-1~auto+7
