cyrus doesn't provide whole ssl chain

Jan Kowalsky jankow at datenkollektiv.net
Tue Oct 6 14:01:01 CEST 2015


Hi all,

I have a problem with configuring SSL on cyrus. We have a company root
certificate with an intermediate certificate. The server certificates
are issued from the intermediate certificate.

I configured cyrus the following way:

tls_server_cert: /etc/ssl/certs/mail.example.org_public_cert.pem
tls_server_key: /etc/ssl/private/mail.example.org_private_key.pem
tls_server_ca_file: /etc/ssl/certs/example.org.ca-chain.pem

The ca_file includes the concatenation from the root cert and the
intermediate cert.

We used e.g. Thunderbird 31 LTS with no problems. But with a newer
version (38) the server certificate isn't trusted any more, even if the
root cert is installed.

The same certificates and the certificate chain work with apache2.

Investigating the situation with s_client, I noticed that the chains
apache2 and cyrus provide differ:

with openssl s_client -showcerts -connect mail.example.org:443

I see the whole chain with three certificates in it, while with

openssl s_client -showcerts -connect mail.example.org:993

I see only one certificate, the server certificate, and get error
code 21.

Any idea?

Thanks and best regards
Jan



The whole log output from s_client is below (certificate data cut).

------------- SSL on Port 993 -----------------------

openssl s_client -showcerts -connect mail.example.org:993
CONNECTED(00000003)
depth=0 O = example.org, O = http://www.example.org, OU = Certification
Unit, CN = mail.example.org, emailAddress = kontakt at example.org, L =
City, ST = Germany, C = DE
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = example.org, O = http://www.example.org, OU = Certification
Unit, CN = mail.example.org, emailAddress = kontakt at example.org, L =
City, ST = Germany, C = DE
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = example.org, O = http://www.example.org, OU = Certification
Unit, CN = mail.example.org, emailAddress = kontakt at example.org, L =
City, ST = Germany, C = DE
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=mail.example.org/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
   i:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Intermediate CA
1/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
-----BEGIN CERTIFICATE-----
MIIJrjCCB5agAwIBAgIQCFew/kv9HHWccD5NohK+rDANBgkqhkiG9w0BAQsFADCB
....   SERVER-CERT-DATA
dyZVKoAvSKCRweIapD+z5/XPl1p3427u5lb13taG1XMkbg==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=mail.example.org/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
issuer=/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Intermediate CA
1/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
---
No client certificate CA names sent
---
SSL handshake has read 3141 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
618F892F0DD5B36A8BD1749FF8E68077DB51169A3C730A32A6B2B54AD5C7ED15
    Session-ID-ctx:
    Master-Key:
2259291B73111A0A8E5F37310A4875A7ADCF49D7C3B83DCC4CA890182858F1D1E8F6C5F831CB2525B5A0B5090207E52B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - a4 e4 6a ae 9e 0c 9c 6e-fe da 64 08 29 a0 31 35
..j....n..d.).15
...
    0090 - fe a9 29 e9 d9 06 65 01-18 13 2c e6 0f de 81 12
..)...e...,.....

    Start Time: 1444131838
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


------------- SSL on Port 443 -----------------------

openssl s_client -showcerts -connect mail.example.org:443
CONNECTED(00000003)
depth=2 O = example.org, O = http://www.example.org, OU = Certification
Unit, CN = example.org Root CA, emailAddress = kontakt at example.org, L =
City, C = DE, ST = Germany
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=mail.example.org/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
   i:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Intermediate CA
1/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
-----BEGIN CERTIFICATE-----
MIIJrjCCB5agAwIBAgIQCFew/kv9HHWccD5NohK+rDANBgkqhkiG9w0BAQsFADCB
....   SERVER-CERT-DATA
dyZVKoAvSKCRweIapD+z5/XPl1p3427u5lb13taG1XMkbg==
-----END CERTIFICATE-----
 1 s:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Root
CA/emailAddress=kontakt at example.org/L=City/C=DE/ST=Germany
   i:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Root
CA/emailAddress=kontakt at example.org/L=City/C=DE/ST=Germany
-----BEGIN CERTIFICATE-----
MIIHrDCCBZSgAwIBAgIJAL+sWB7qkwEcMA0GCSqGSIb3DQEBCwUAMIHjMRswGQYD
....   ROOT-CA-CERT-DATA
c2OCMgkHSvvkDdMsRPog6a7sDwX3f90iV44sgwq3BpU9ZPOs9ECetgBSbij+xLGL
-----END CERTIFICATE-----
 2 s:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Intermediate CA
1/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
   i:/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Root
CA/emailAddress=kontakt at example.org/L=City/C=DE/ST=Germany
-----BEGIN CERTIFICATE-----
MIIIXzCCBkegAwIBAgIRAJA1S62Ds40li87bNNJ0t5MwDQYJKoZIhvcNAQELBQAw
....   INTERMEDIATE-CA-CERT-DATA
LuZq9CojdgseyaKEYOsM/BdVIAQtCuy+ibPYOVX8u9GRpIw=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=mail.example.org/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
issuer=/O=example.org/O=http://www.example.org/OU=Certification
Unit/CN=example.org Intermediate CA
1/emailAddress=kontakt at example.org/L=City/ST=Germany/C=DE
---
No client certificate CA names sent
---
SSL handshake has read 7294 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
51B24ACCAFEE4D8AA275B5F033566BF5ACEF50B1D0CBEBDF15ADD9542927545E
    Session-ID-ctx:
    Master-Key:
DBE4EB0B00700750235DA771E453DF7ED975018745D80C6816B33A94793D1BF9279DA0932E91B5AD8092E477F294B14F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - cb 6e f7 52 03 4e f6 cc-03 e9 ae 3a 6f 6a 55 ff
.n.R.N.....:ojU.
    ...
    00b0 - 11 6e 5e de fd da ce 7a-b5 54 1a 48 37 f7 23 45
.n^....z.T.H7.#E

    Start Time: 1444131495
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
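As an added illustration (not part of the original post), the following script parses the "Certificate chain" summary that `openssl s_client -showcerts` prints and reports any issuer the server failed to send. It is fed two constructed samples modelled on the port 993 and port 443 outputs above, with subject names shortened; run against the 993 output it names the missing intermediate, which is what the "unable to verify the first certificate" (code 21) result means.

```python
import re

# Constructed sample: chain summary as printed for port 993 above,
# where cyrus sends only the leaf certificate.
INCOMPLETE_CHAIN = """\
Certificate chain
 0 s:/O=example.org/CN=mail.example.org
   i:/O=example.org/CN=example.org Intermediate CA 1
-----BEGIN CERTIFICATE-----
(server cert data, omitted)
-----END CERTIFICATE-----
---
"""

# Constructed sample: chain summary as printed for port 443 above.
# Note apache2 sends the root before the intermediate; the check below
# is order-independent, as OpenSSL's verifier tolerates that ordering.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:/O=example.org/CN=mail.example.org
   i:/O=example.org/CN=example.org Intermediate CA 1
 1 s:/O=example.org/CN=example.org Root CA
   i:/O=example.org/CN=example.org Root CA
 2 s:/O=example.org/CN=example.org Intermediate CA 1
   i:/O=example.org/CN=example.org Root CA
---
"""

# One chain entry: an index line " N s:<subject>" followed by "   i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(subj, iss) for _, subj, iss in ENTRY.findall(text)]


def missing_issuers(text):
    """Issuers referenced in the sent chain that the server did not send.

    A self-signed root (subject == issuer) terminates a chain and is not
    reported. Any other issuer absent from the sent subjects forces the
    client to find it locally; a client that only has the root installed
    cannot, which is the failure seen on port 993 above.
    """
    chain = parse_chain(text)
    sent_subjects = {subj for subj, _ in chain}
    return [iss for subj, iss in chain
            if iss != subj and iss not in sent_subjects]
```

To check a live server, pipe `openssl s_client -showcerts -connect host:993 </dev/null` into `missing_issuers`; an empty list means every non-root issuer was sent.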