Today, out of the blue, my Icedove (38.7.0) mail clients stopped working with STARTTLS after I renewed the server certificate. Plain-text IMAP works fine.
The server logs STARTTLS negotiation failed
for every TLS connection attempt. Analysing the connection with wireshark shows that the client sends a fatal Bad certificate alert in response to the Server Hello.
However, openssl s_client -starttls imap -crlf -connect 'imap.example.com:143' -CAfile /etc/certs/cacert.pem
works fine. The CA is imported into icedove's certificate store; otherwise icedove bails out with Unknown certificate.
I am currently looking for a way to find out exactly what iceweasel is complaining about.
Update: I had the idea of importing the certificate directly as a server certificate. The import worked without complaint and the certificate is listed in icedove's store. But the error persists.
More information: I found out that thunderbird can produce debug output. So I tried: NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=/tmp/icedove-imap.log icedove
. The following is what the thread performing the TLS negotiation logs, trimmed to the actual negotiation:
2001729280[7f047ae284c0]: ReadNextLine [stream=777e4b00 nb=16 needmore=0]
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: 1 OK Completed
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:SendData: 2 STARTTLS
2001729280[7f047ae284c0]: OOO WriteSegments [this=79470ee0 count=12]
2001729280[7f047ae284c0]: OOO rolling back write cursor 14 bytes
2001729280[7f047ae284c0]: OOO advancing write cursor by 12
2001729280[7f047ae284c0]: STS dispatch [7f04777e4f10]
2001729280[7f047ae284c0]: THRD(7f048d802740) Dispatch [7f04777e4f10 0]
2001729280[7f047ae284c0]: EVENTQ(7f048d8027a8): notify
2001729280[7f047ae284c0]: III ReadSegments [this=777e4b00 count=4096]
2001729280[7f047ae284c0]: III pipe input: waiting for data
2001729280[7f047ae284c0]: III pipe input: woke up [status=0 available=32]
2001729280[7f047ae284c0]: III advancing read cursor by 32
2001729280[7f047ae284c0]: ReadNextLine [stream=777e4b00 nb=32 needmore=0]
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: 2 OK Begin TLS negotiation now
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:SendData: 3 capability
2001729280[7f047ae284c0]: OOO WriteSegments [this=79470ee0 count=14]
2001729280[7f047ae284c0]: OOO rolling back write cursor 12 bytes
2001729280[7f047ae284c0]: OOO advancing write cursor by 14
2001729280[7f047ae284c0]: STS dispatch [7f04777e4f10]
2001729280[7f047ae284c0]: THRD(7f048d802740) Dispatch [7f04777e4f10 0]
2001729280[7f047ae284c0]: EVENTQ(7f048d8027a8): notify
2001729280[7f047ae284c0]: III ReadSegments [this=777e4b00 count=4096]
2001729280[7f047ae284c0]: III pipe input: waiting for data
2001729280[7f047ae284c0]: III pipe input: woke up [status=805a1f76 available=0]
2001729280[7f047ae284c0]: ReadNextLine [stream=777e4b00 nb=0 needmore=1]
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1f76
2001729280[7f047ae284c0]: THRD(7f04a30fe690) Dispatch [7f047489c150 0]
2001729280[7f047ae284c0]: EVENTQ(7f04a30fe6f8): notify
2001729280[7f047ae284c0]: THRD(7f04a30fe690) Dispatch [7f0472bf71a0 0]
2001729280[7f047ae284c0]: EVENTQ(7f04a30fe6f8): notify
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:TellThreadToDie: close socket connection
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: (null)
2001729280[7f047ae284c0]: destroying nsSocketTransport @7f047a5d4300
Once again, not exactly informative to me.
openssl log:
openssl s_client -connect imap.mgr:993 -CAfile /etc/certs/cacert.pem
CONNECTED(00000003)
depth=1 C = DE, ST = NRW, L = Niederkassel, O = \C2\B5AC - Microsystem Accessory Consult, OU = IT, CN = CA
verify return:1
depth=0 C = DE, ST = NRW, L = Niederkassel, O = \C2\B5AC - Microsystem Accessory Consult, OU = IT, CN = imap.uac.microsult.de
verify return:1
---
Certificate chain
0 s:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=imap.uac.microsult.de
i:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
1 s:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
i:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=imap.uac.microsult.de
issuer=/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
---
No client certificate CA names sent
---
SSL handshake has read 2967 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 730888566D757F19B38BF3CCD7A55CF44CBCD08B6763262CD36A2AA4230260DC
Session-ID-ctx:
Master-Key: 4DA397FA9EFF6EA3F2610291BFC3BDAA69DAA00F3B6787F06635F739A0D99EECCEFF715A3E22D66165E8CAADC968EEFD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 9d e1 fe 6a cf df 22 86-e8 2e c4 8b 4c 90 49 76 ...j..".....L.Iv
0010 - e9 49 76 c9 4f 37 12 a3-4f b8 b5 44 18 e1 2b 64 .Iv.O7..O..D..+d
0020 - af 01 7a 21 c7 b2 f2 84-17 fb a7 4d aa c3 73 dc ..z!.......M..s.
0030 - 91 b2 c5 ef d9 d8 2e 0a-bd f8 57 20 da ba bb 02 ..........W ....
0040 - 1b a8 b1 21 0c f5 39 63-39 8c 90 51 48 3c 82 f2 ...!..9c9..QH<..
0050 - a5 33 21 2e 23 f8 99 9c-0e 6f d0 67 99 8c 52 7b .3!.#....o.g..R{
0060 - 23 7a 13 45 5a 68 63 51-e3 e0 b6 ce fb 19 fa b4 #z.EZhcQ........
0070 - 4b 6b 74 76 7d 5c 3d 55-83 a9 be 5a 11 46 65 14 Kktv}\=U...Z.Fe.
0080 - dc de 9b ae ce 45 5e d8-eb 46 83 b2 a5 7b f0 ae .....E^..F...{..
0090 - f3 fe 2f a5 e4 8c 71 fa-6f 3f 10 61 7e f0 45 c5 ../...q.o?.a~.E.
Start Time: 1459405125
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK hermod Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny3 server ready
a1 LOGOUT
* BYE LOGOUT received
a1 OK Completed
read:errno=0
For STARTTLS on 143, the log is no different.
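The post's situation, "openssl verify says OK but the NSS-based client answers with a bad certificate alert", is usually a property of the certificate that mozilla::pkix (the validator in Icedove/Thunderbird) is stricter about than a plain openssl verify: hostname only in the CN, a keyUsage/extendedKeyUsage that does not cover TLS server use, an issuer without basicConstraints CA:TRUE, a weak signature or key. The script below is an added example written for this page, not code from the post or from Icedove/OpenSSL; it lints a PEM server certificate and its CA for those properties. make_demo_pki builds a throwaway CA and server certificate so it runs offline; the hostname imap.example.com, the file names and the "Demo IMAP CA" name are assumptions for the demo, and it assumes openssl (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added example, not from the post above. cert_lint checks a server certificate
# and its CA for things mozilla::pkix rejects that `openssl verify` may accept.
# make_demo_pki only exists so the demo can run offline; the names it uses
# (imap.example.com, Demo IMAP CA, file names) are assumptions.

# cert_lint SERVER_PEM CA_PEM HOSTNAME
# Prints one FAIL/WARN line per finding; returns 0 if nothing failed, 1 otherwise.
cert_lint() {
    cert=$1; ca=$2; host=$3; bad=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    catext=$(openssl x509 -in "$ca" -noout -text) || return 2

    # What the post already checked: does the chain verify for OpenSSL?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: chain does not verify with openssl"; bad=1; }
    # Validity window: a renewed certificate issued by a host with a wrong clock is a classic.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; bad=1; }

    # Hostname: subjectAltName is what the client matches; CN is only a fallback.
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
        printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host" \
            || { echo "FAIL: subjectAltName present but lacks DNS:$host"; bad=1; }
    else
        echo "WARN: no subjectAltName, client must fall back to CN"
        printf '%s\n' "$text" | grep 'Subject:' | grep -q "CN *= *$host" \
            || { echo "FAIL: CN is not $host"; bad=1; }
    fi

    # keyUsage / extendedKeyUsage, when present, must permit TLS server use.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -qE 'Digital Signature|Key Encipherment' \
            || { echo "FAIL: keyUsage allows neither digitalSignature nor keyEncipherment"; bad=1; }
    fi
    if printf '%s\n' "$text" | grep -q 'Extended Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
            || { echo "FAIL: extendedKeyUsage present but lacks serverAuth"; bad=1; }
    fi

    # The issuer must say it is a CA: mozilla::pkix wants basicConstraints CA:TRUE,
    # while OpenSSL also accepts keyCertSign or a v1 certificate as CA evidence.
    printf '%s\n' "$catext" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "FAIL: CA certificate lacks basicConstraints CA:TRUE"; bad=1; }

    # Weak signature algorithms and small keys.
    if printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n1 | grep -qiE 'sha1|md5'; then
        echo "WARN: certificate signed with SHA-1/MD5"
    fi
    bits=$(printf '%s\n' "$text" | grep -o '[0-9]* bit' | head -n1 | tr -dc 0-9)
    if [ -n "$bits" ] && [ "$bits" -lt 1024 ]; then
        echo "FAIL: public key is only $bits bits"; bad=1
    elif [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WARN: public key is only $bits bits"
    fi
    return $bad
}

# make_demo_pki DIR CN SAN   (pass an empty SAN to issue a CN-only certificate)
# Throwaway CA and server certificate for the demo only; never reuse these keys.
make_demo_pki() {
    dir=$1; cn=$2; san=$3
    mkdir -p "$dir"
    cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    {
        echo 'basicConstraints = CA:FALSE'
        echo 'keyUsage = critical,digitalSignature,keyEncipherment'
        echo 'extendedKeyUsage = serverAuth'
        if [ -n "$san" ]; then echo "subjectAltName = DNS:$san"; fi
    } >"$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo IMAP CA' \
        -config "$dir/req.cnf" -extensions v3_ca -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/leaf.ext" -out "$dir/server.pem" 2>/dev/null
}

# Usage against real files:  cert_lint /etc/certs/server.pem /etc/certs/cacert.pem imap.example.com
```

Feed cert_lint the certificate the server actually presents (openssl s_client -starttls imap -connect host:143 -showcerts, saved to a file) rather than the file on disk: after a renewal the two differ if the IMAP daemon was not restarted. A WARN for a CN-only certificate is worth acting on even when the client still accepts it, since the CN fallback is exactly the kind of leniency that disappears between validator versions.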