Re: Problems with pop3s on Outlook Express

2001-10-31 Thread Corin Hartland-Swann


Hi there,

On Wed, 31 Oct 2001, Tom Karches wrote:
> Corin Hartland-Swann wrote:
> > I've replaced the 'localhost' certificates with mine, and it now works
> > fine on Windows 2000, and almost works with MacOS.
> >
> > When you hit Send & Receive Mail on MacOS it prompts you for a password.
> > I found a reference to this at http://ist.uwaterloo.ca/security/IST-CA/
> >
> > > IE5/Mac problems: Internet Explorer v5 for the Mac/Apple has several
> > > notable bugs -- it does not import our certificate properly (for reasons
> > > which escape us it wants to save it with a password which means every
> > > time you use it you need to recall that password). You should use
> > > Netscape on the Mac/Apple platform if you access secure pages protected
> > > by our certificate. 16-Feb-2001.
>
> FWIW, I have been unable to get IE on the Mac or PC to accept
> certificates from a CA other than the ones that are part of the
> default set. Self-signed certificates cause IE on the Mac to generate
> an endless stream of errors.

Do you know which version and build you were using?

> I finally gave up and purchased a certificate from Thawte and
> everything works perfectly now.

It seems to work OK with mine (version 5.0, build 2022) except for the
password bit. It's not too bad because you can set an empty password, and
it seems to only prompt once per session (i.e. until you exit
Outlook/Explorer and then go back in). But I would like to sort it out
because it doesn't make any sense prompting for it when there's no
password set.

Thanks,

Corin

/------------------------+-----------------------------------\
| Corin Hartland-Swann   | Tel:    +44 (0) 20 7491 2000      |
| Commerce Internet Ltd  | Fax:    +44 (0) 20 7491 2010      |
| 22 Cavendish Buildings | Mobile: +44 (0) 79 5854 0027      |
| Gilbert Street         |                                   |
| Mayfair                | Web:    http://www.commerce.uk.net/ |
| London W1K 5HJ         | E-Mail: [EMAIL PROTECTED]         |
\------------------------+-----------------------------------/

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Problems with pop3s on Outlook Express

2001-10-26 Thread Corin Hartland-Swann


Hi there,

I have been trying to set up pop3s access using UW-IMAP. I am using
Mandrake Linux 8.1, with UW-IMAP and OpenSSL installed as RPMs, so I don't
think that there are any compilation problems.

I hope that it is acceptable to post this to both the OpenSSL and the
UW-IMAP mailing lists, as I'm not sure where the problem lies. I have
already searched the archives for both lists to no avail.

I have followed instructions from various sources and done the following:

1) Created a new CA, and exported the certificate as DER:

# openssl req -new -x509 -config openssl.conf -keyout private/ca-key.pem \
  -out certs/ca-cert.pem -days 365

# openssl x509 -in certs/ca-cert.pem -out certs/ca-cert.der -outform der

2) Imported the CA certificate into Explorer on Windows 2000, checked that
it is listed and that the SHA1 thumbprint matches, and that it is enabled
for Secure E-Mail.

3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
that it is listed. In this case, even after several attempts, the
fingerprint listed by Explorer does not match any of the MD2, MD5, SHA1
or MDC2 fingerprints. I don't understand this, but am fairly sure that
no-one is intercepting and replacing the key in transit. Explorer
produces the same fingerprint each time, so it doesn't look like it has
been corrupted either. Eventually I decided to just add the certificate
and see what happened.

3) Set up Outlook Express on both Windows 2000 and MacOS 9.1 to use
pop.commerce.uk.net, and configured it to use SSL on port 995.

4) Created a new key, and signed it with the CA with the common name
'pop.commerce.uk.net':

# openssl req -new -nodes -config openssl.conf -days 365 -keyout \
  pop-key.pem -out pop-req.pem
# openssl ca  -config openssl.conf -policy policy_anything -in pop-req.pem \
  -out pop-cert.pem

5) Concatenated pop-key.pem and pop-cert.pem into ipop3sd.pem (removing
the text version), placing them on the POP server in /usr/lib/ssl/certs/,
and created a link to it with the name of the hash:

# cd /usr/lib/ssl/certs/
# ln -s ipop3sd.pem `openssl x509 -noout -hash < ipop3sd.pem`.0
# ls -l
lrwxrwxrwx    1 root     root           11 Oct 26 13:27 a37eafc7.0 -> ipop3sd.pem
-rw-------    1 root     root         2376 Oct 26 02:01 ipop3sd.pem

6) Tested the setup with (long response indented):

# openssl s_client -connect pop.commerce.uk.net:pop3s
 CONNECTED(0003)
 depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
 Server/OU=Test SSL Certificate/CN=localhost
 verify error:num=20:unable to get local issuer certificate
 verify return:1
 depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
 Server/OU=Test SSL Certificate/CN=localhost
 verify error:num=27:certificate not trusted
 verify return:1
 depth=0 /C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
 Server/OU=Test SSL Certificate/CN=localhost
 verify error:num=21:unable to verify the first certificate
 verify return:1
 ---
 Certificate chain
  0 s:/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test
 SSL Certificate/CN=localhost
    i:/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
 Division/CN=Advanced Extranet [EMAIL PROTECTED]

The Apache binary I'm using is from an RPM based on the Apache Advanced
Extranet Server project - I'm not sure what this is doing here. I can't
find a certificate for AAES anywhere, and certainly not in
/usr/lib/ssl/certs/

 Server certificate
 -----BEGIN CERTIFICATE-----
 MIICujCCAiMCAQEwDQYJKoZIhvcNAQEEBQAwgbsxCzAJBgNVBAYTAkNBMQswCQYD

snip

 4DHr8RxsPMpJktVBLB4HadC13ykLMVDMgJ88W39E
 -----END CERTIFICATE-----
 subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet
 Server/OU=Test SSL Certificate/CN=localhost
 issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web
 Division/CN=Advanced Extranet [EMAIL PROTECTED]
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 856 bytes and written 320 bytes
 ---
 New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
 Server public key is 1024 bit
 SSL-Session:
 Protocol  : TLSv1
 Cipher: DES-CBC3-SHA
 Session-ID:
 6A6D0C3C40E1D4921514C5DB2EF475DD6454B84F7300980D53373906B3236C7C
 Session-ID-ctx:
 Master-Key:
 
D467F520688186F34EF6984439B9FE3D01F2F23FEB6A4E721C2F33692CC39F864C2BA86C0AC5E0A343879B63ADB274E2
 Key-Arg   : None
 Start Time: 1004105856
 Timeout   : 300 (sec)
 Verify return code: 21 (unable to verify the first certificate)
 ---
 +OK POP3 v2000.70mdk server ready [EMAIL PROTECTED]

So it appears to be finding the certificate, but doesn't seem to know
which CA authorised it.

When I try the Outlook setup, I get a message saying "The server you are
connected to is using a security certificate that does not match its
Internet address." When I googled for this message I found numerous people
saying that this is because the common name on the certificate does not
match the host name specified in the preferences - this is not the case
here, 

Re: Problems with pop3s on Outlook Express

2001-10-26 Thread Gregory Stark

As can be seen from your post, the certificate being sent does NOT have
pop.commerce.uk.net as the common name (CN) of the Subject: the CN is
'localhost'.

It appears to be some kind of canned test certificate and private key, but
I'm not familiar enough with UW-IMAP to know if it comes with such a beast.
Maybe you concatenated the wrong files?

==
Greg Stark
[EMAIL PROTECTED]
==
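Greg's diagnosis comes straight from the subject and issuer lines of the s_client output. As an added example (not code from any post in this thread), here is a small Python triage script that pulls those fields out of a transcript and flags the two things that went wrong here: the CN not matching the host the client was pointed at, and the issuer not being one of our own CAs. The transcript, the issuer CN and the trusted CA name 'Commerce Internet CA' are constructed for the example.

```python
import re

# Constructed transcript shaped like the s_client output pasted in the thread
# (the issuer CN is made up; the real one was mangled by the list archive).
SAMPLE = """CONNECTED(00000003)
Certificate chain
 0 s:/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
   i:/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web Division/CN=Advanced Extranet CA
---
subject=/C=AU/ST=Some-State/L=Server Room/O=Advanced Extranet Server/OU=Test SSL Certificate/CN=localhost
issuer=/C=CA/ST=QC/L=Montreal/O=Advanced Extranet Server/OU=Secure Web Division/CN=Advanced Extranet CA
    Verify return code: 21 (unable to verify the first certificate)
+OK POP3 v2000.70mdk server ready
"""

def parse_dn(dn):
    """Turn the old one-line '/C=AU/ST=.../CN=localhost' form into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def parse_s_client(text):
    """Extract subject DN, issuer DN and the final verify code from a transcript."""
    info = {"subject": None, "issuer": None, "verify_code": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            info["subject"] = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            info["issuer"] = parse_dn(line[len("issuer="):])
        else:
            m = re.match(r"Verify return code: (\d+)", line)
            if m:
                info["verify_code"] = int(m.group(1))
    return info

def diagnose(text, expected_host, trusted_ca_cns):
    """List the problems a mail client would trip over; an empty list means all good."""
    info = parse_s_client(text)
    findings = []
    cn = (info["subject"] or {}).get("CN")
    if cn != expected_host:  # exactly what Outlook's "does not match" error is about
        findings.append(f"CN mismatch: certificate says {cn!r}, client expects {expected_host!r}")
    issuer_cn = (info["issuer"] or {}).get("CN")
    if issuer_cn not in trusted_ca_cns:  # wrong issuer: the server is serving the wrong file
        findings.append(f"issuer {issuer_cn!r} is not one of our CAs")
    if info["verify_code"] not in (None, 0):
        findings.append(f"s_client verify return code {info['verify_code']} (0 means the chain verified)")
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE, "pop.commerce.uk.net", {"Commerce Internet CA"}):
        print("-", f)
```

Run it against a real transcript by piping `openssl s_client -connect host:995` output into a file and passing its contents instead of SAMPLE.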



Re: Problems with pop3s on Outlook Express

2001-10-26 Thread Corin Hartland-Swann


Hi Gregory,

On Fri, 26 Oct 2001, Gregory Stark wrote:
> As can be seen from your post, the certificate being sent does NOT have
> pop.commerce.uk.net as the common name (CN) of the Subject: the CN is
> 'localhost'.
>
> It appears to be some kind of canned test certificate and private key, but
> I'm not familiar enough with UW-IMAP to know if it comes with such a beast.
> Maybe you concatenated the wrong files?

Thanks - I'm a newcomer to setting up SSL, and I didn't know what to look
for in the s_client output.

It turns out that there were existing pop3s and imaps certificates
installed along with UW-IMAP in the RPM, made out to localhost. This is
somewhat braindead.

What was even more braindead was that the location of the certificates had
been changed from /usr/lib/ssl/certs to /usr/share/ssl/certs without
updating the documentation.

I've replaced the 'localhost' certificates with mine, and it now works
fine on Windows 2000, and almost works with MacOS.

When you hit Send & Receive Mail on MacOS it prompts you for a password.
I found a reference to this at http://ist.uwaterloo.ca/security/IST-CA/

> IE5/Mac problems: Internet Explorer v5 for the Mac/Apple has several
> notable bugs -- it does not import our certificate properly (for reasons
> which escape us it wants to save it with a password which means every
> time you use it you need to recall that password). You should use
> Netscape on the Mac/Apple platform if you access secure pages protected
> by our certificate. 16-Feb-2001.

I have successfully set it up with an empty password, and you just have to
hit OK and it picks up the e-mail, but it's really annoying for our
users. Does anyone know of any way to disable this?

Could it be related in any way to this problem:

> 3) Imported the CA certificate into Explorer on MacOS 9.1, and checked
> that it is listed. In this case, even after several attempts, the
> fingerprint listed by Explorer does not match any of the MD2, MD5, SHA1
> or MDC2 fingerprints. I don't understand this, but am fairly sure that
> no-one is intercepting and replacing the key in transit. Explorer
> produces the same fingerprint each time, so it doesn't look like it has
> been corrupted either. Eventually I decided to just add the certificate
> and see what happened.

And have you got any idea what this might be? Are there any other
fingerprint types?

Many Thanks,

Corin
