Menu
▾
▴
isync-devel
|
From: Anthony D. <th...@no...> - 2014-11-01 02:18:00
|
I'm getting this error when I try to run mbsync:
---
$ mbsync -c /mail/config/mbsyncrc-proc proc
Reading configuration file /mail/config/mbsyncrc-proc
Channel proc
Opening master procremote...
Resolving mail.mysite.com... ok
Connecting to mail.mysite.com (W.X.Y.Z:993)...
Opening slave local...
Error, certificate owner does not match hostname mail.mysite.com
---
Here is my config file:
---
Expunge None
Create Slave
MaildirStore local
Path /mail/data/
IMAPStore procremote
Host mail.mysite.com
User pr...@my...
Pass secret password...
Port 993
UseIMAPS yes
RequireSSL yes
CertificateFile /mail/certs/mail.mysite.com
Channel proc
Master :procremote:
Slave :local:proc
Sync Pull
---
My cert (which I exported from Thunderbird where it does work) is actually
named *.mail.myhostingco.com -- I guess that's the problem? There's another
thread about this, but with no real resolution:
http://sourceforge.net/p/isync/mailman/message/32626652/
What can I do?
Thanks,
--
Anthony DiSante
|
|
From: Oswald B. <osw...@gm...> - 2014-11-01 10:45:51
|
On Fri, Oct 31, 2014 at 10:17:48PM -0400, Anthony DiSante wrote: > Connecting to mail.mysite.com (W.X.Y.Z:993)... > Error, certificate owner does not match hostname mail.mysite.com > > What can I do? > continue where the thread you linked ended? |
|
From: Anthony D. <th...@no...> - 2014-11-01 15:44:45
|
On 11/01/2014 06:45 AM, Oswald Buddenhagen wrote: > On Fri, Oct 31, 2014 at 10:17:48PM -0400, Anthony DiSante wrote: >> Connecting to mail.mysite.com (W.X.Y.Z:993)... >> Error, certificate owner does not match hostname mail.mysite.com >> >> What can I do? >> > continue where the thread you linked ended? > Well, based on your comments in that thread, I didn't know if perhaps this ended up being a bug, or you learned something else about it in the meantime. But I did try your openssl suggestion as well. The -verbose flag returns an "unknown option" error. Without -verbose, and without specifying a cert, it appears to connect successfully (though mentions a self-signed cert error) and drops me at a prompt: _____ $ openssl s_client -connect mail.mysite.com:993 CONNECTED(00000003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify error:num=19:self signed certificate in certificate chain verify return:0 --- ... --- No client certificate CA names sent --- SSL handshake has read 6188 bytes and written 411 bytes --- ... --- * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. _____ But when I specify my cert, it fails to connect: _____ $ openssl s_client -connect mail.mysite.com:993 -cert /mail/certs/mail.mysite.com unable to load client certificate private key file 140542267004576:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY _____ But to my knowledge, I don't have a private key file; I've never entered one into my Thunderbird nor OfflineIMAP configurations? Thanks, -- Anthony DiSante |
|
From: Evgeniy B. <bi...@pr...> - 2014-11-01 17:29:42
|
On Sat, Nov 01, 2014 at 11:44:34AM -0400, Anthony DiSante wrote: > > But when I specify my cert, it fails to connect: > > _____ > > $ openssl s_client -connect mail.mysite.com:993 -cert /mail/certs/mail.mysite.com > unable to load client certificate private key file > 140542267004576:error:0906D06C:PEM routines:PEM_read_bio:no start > line:pem_lib.c:696:Expecting: ANY PRIVATE KEY > _____ > > > But to my knowledge, I don't have a private key file; I've never entered one > into my Thunderbird nor OfflineIMAP configurations? Certificates in TLS/SSL can be exchanged in both directions, you've got the wrong one. The -cert option for openssl means "certificate that used by client for authentication to server", it requires the client's private key. But isync/mbsync CertificateFile configuration statement has completely different meaning: this is a list of valid server's certificates. In breif, this file should contain the server's certificate, which is shown by s_client after successful connect. I suspect CertificateFile can contain CA certificate instead of server's one, but documentation is not clean here. -- Eugene Berdnikov |
|
From: Oswald B. <osw...@gm...> - 2014-11-01 20:50:11
|
On Sat, Nov 01, 2014 at 11:44:34AM -0400, Anthony DiSante wrote: > $ openssl s_client -connect mail.mysite.com:993 -cert /mail/certs/mail.mysite.com > unable to load client certificate private key file > 140542267004576:error:0906D06C:PEM routines:PEM_read_bio:no start > line:pem_lib.c:696:Expecting: ANY PRIVATE KEY > _____ > > > But to my knowledge, I don't have a private key file; I've never entered one > into my Thunderbird nor OfflineIMAP configurations? > you need to use -CAfile, not -cert. |
|
From: Anthony D. <th...@no...> - 2014-11-01 22:49:13
|
On 11/01/2014 04:50 PM, Oswald Buddenhagen wrote: > On Sat, Nov 01, 2014 at 11:44:34AM -0400, Anthony DiSante wrote: >> $ openssl s_client -connect mail.mysite.com:993 -cert /mail/certs/mail.mysite.com >> unable to load client certificate private key file >> 140542267004576:error:0906D06C:PEM routines:PEM_read_bio:no start >> line:pem_lib.c:696:Expecting: ANY PRIVATE KEY >> _____ >> >> >> But to my knowledge, I don't have a private key file; I've never entered one >> into my Thunderbird nor OfflineIMAP configurations? >> > you need to use -CAfile, not -cert. > > I tried -CAfile too: it gives the same result as specifying no cert, except without the initial "verify error:num=19:self signed cert" error. I gather that's probably important, but it still just drops me at the same prompt at the end. _____ $ openssl s_client -connect mail.mysite.com:993 -CAfile /mail/certs/mail.mysite.com CONNECTED(00000003) depth=3 C = SE, O = ... verify return:1 depth=2 C = US, ST = ... verify return:1 depth=1 C = US, O = ... verify return:1 depth=0 C = US, postal... verify return:1 --- ... --- subject=/C=US/[...]/CN=*.mail.myhostingco.com ... --- No client certificate CA names sent --- SSL handshake has read 6209 bytes and written 427 bytes --- ... --- * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. _____ Of course, if any of the long lines/big blocks that I've truncated to "..." are actually relevant, let me know and I'll post them too (Certificate chain, Server certificate, subject, and SSL-Session data). Thanks, -- Anthony DiSante |
|
From: Oswald B. <osw...@gm...> - 2014-11-02 09:20:05
|
On Sat, Nov 01, 2014 at 06:49:02PM -0400, Anthony DiSante wrote: > I tried -CAfile too: it gives the same result as specifying no cert, except > without the initial "verify error:num=19:self signed cert" error. I gather > that's probably important, > yes, it is. > Of course, if any of the long lines/big blocks that I've truncated to "..." > are actually relevant, let me know and I'll post them too (Certificate chain, > Server certificate, subject, and SSL-Session data). > i don't expect any of that to be relevant for the investigation. but anyway, let's take this off-list. please tell me the real hostnames, and attach the cert, so i can do real debugging. |
|
From: Oswald B. <osw...@gm...> - 2014-11-03 09:28:08
|
On Sun, Nov 02, 2014 at 10:19:41AM +0100, Oswald Buddenhagen wrote: > but anyway, let's take this off-list. please tell me the real hostnames, > and attach the cert, so i can do real debugging. > there is a genuine bug in mbsync - i made a somewhat too optimistic assumption about how openssl manages its certificate store. fix is upcoming, but not before the next weekend. |
|
From: Anthony D. <th...@no...> - 2015-01-19 23:35:38
|
On 11/03/2014 04:27 AM, Oswald Buddenhagen wrote: > On Sun, Nov 02, 2014 at 10:19:41AM +0100, Oswald Buddenhagen wrote: > > there is a genuine bug in mbsync - i made a somewhat too optimistic > assumption about how openssl manages its certificate store. fix is > upcoming, but not before the next weekend. > I just installed v1.1.2, and the fix does solve my problem. Thanks! -- Anthony DiSante |
|
From: Oswald B. <os...@us...> - 2014-11-08 13:05:15
|
commit 6f7d416bb80bda2c48243628527831c0966fe8bb
Author: Oswald Buddenhagen <os...@us...>
Date: Sat Nov 8 13:50:59 2014 +0100
fix acceptance of trusted SSL certs
we should make no assumptions about the layout of OpenSSL's certificate
store, in particular when they are wrong. so copy the interesting part
instead of "deep-linking" into it.
this code is uglier than it should be, but OpenSSL's extensive use of
macros to manage data types would force us to include the ssl headers
into our headers otherwise, which would be even uglier.
REFMAIL: <545...@no...>
src/socket.c | 8 ++++----
src/socket.h | 3 ++-
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/socket.c b/src/socket.c
index f47e375..fc06f8b 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -178,11 +178,11 @@ ssl_verify_callback( int ok, X509_STORE_CTX *ctx )
if (!conn->force_trusted) {
X509 *cert = sk_X509_value( ctx->chain, 0 );
- STACK_OF(X509_OBJECT) *trusted = ctx->ctx->objs;
- unsigned i;
+ STACK_OF(X509_OBJECT) *trusted = (STACK_OF(X509_OBJECT) *)conn->conf->trusted_certs;
+ int i;
conn->force_trusted = -1;
- for (i = 0; i < conn->conf->num_trusted; i++) {
+ for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i )->data.x509 )) {
conn->force_trusted = 1;
break;
@@ -227,7 +227,7 @@ init_ssl_ctx( const server_conf_t *conf )
conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) );
return 0;
}
- mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
+ mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
warn( "Warning: Unable to load default certificate files: %s\n",
ERR_error_string( ERR_get_error(), 0 ) );
diff --git a/src/socket.h b/src/socket.h
index 1545b39..193330e 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -27,6 +27,7 @@
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef struct stack_st _STACK;
typedef struct server_conf {
char *tunnel;
@@ -39,7 +40,7 @@ typedef struct server_conf {
/* these are actually variables and are leaked at the end */
char ssl_ctx_valid;
- unsigned num_trusted;
+ _STACK *trusted_certs;
SSL_CTX *SSLContext;
#endif
} server_conf_t;
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X