Thunderbird STARTTLS cannot connect to Cyrus-IMAP 2.2.13

Today, after I renewed the server certificate, my Icedove mail client (38.7.0) suddenly stopped working with STARTTLS. Plain-text IMAP works fine.

The server logs "STARTTLS negotiation failed" for every TLS connection attempt. Analysing the connection with Wireshark shows that the client answers the Server Hello with a fatal "bad certificate" alert.

However, openssl s_client -starttls imap -crlf -connect 'imap.example.com:143' -CAfile /etc/certs/cacert.pem works fine. The CA is imported into icedove's certificate store; otherwise icedove would bail out with "certificate unknown".

I am currently looking for a way to find out what exactly iceweasel is complaining about.

Update: my immediate idea was to import the certificate as a server certificate as well. The import went through without any problems and the certificate is registered in the icedove store. But the error persists.

More information: I found that thunderbird can produce debug output, so I tried: NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=/tmp/icedove-imap.log icedove. The following data was grepped out for the thread that performs the TLS negotiation and trimmed down to the actual negotiation:

2001729280[7f047ae284c0]: ReadNextLine [stream=777e4b00 nb=16 needmore=0]
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: 1 OK Completed
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:SendData: 2 STARTTLS
2001729280[7f047ae284c0]: OOO WriteSegments [this=79470ee0 count=12]
2001729280[7f047ae284c0]: OOO rolling back write cursor 14 bytes
2001729280[7f047ae284c0]: OOO advancing write cursor by 12
2001729280[7f047ae284c0]: STS dispatch [7f04777e4f10]
2001729280[7f047ae284c0]: THRD(7f048d802740) Dispatch [7f04777e4f10 0]
2001729280[7f047ae284c0]: EVENTQ(7f048d8027a8): notify
2001729280[7f047ae284c0]: III ReadSegments [this=777e4b00 count=4096]
2001729280[7f047ae284c0]: III pipe input: waiting for data
2001729280[7f047ae284c0]: III pipe input: woke up [status=0 available=32]
2001729280[7f047ae284c0]: III advancing read cursor by 32
2001729280[7f047ae284c0]: ReadNextLine [stream=777e4b00 nb=32 needmore=0]
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: 2 OK Begin TLS negotiation now
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:SendData: 3 capability
2001729280[7f047ae284c0]: OOO WriteSegments [this=79470ee0 count=14]
2001729280[7f047ae284c0]: OOO rolling back write cursor 12 bytes
2001729280[7f047ae284c0]: OOO advancing write cursor by 14
2001729280[7f047ae284c0]: STS dispatch [7f04777e4f10]
2001729280[7f047ae284c0]: THRD(7f048d802740) Dispatch [7f04777e4f10 0]
2001729280[7f047ae284c0]: EVENTQ(7f048d8027a8): notify
2001729280[7f047ae284c0]: III ReadSegments [this=777e4b00 count=4096]
2001729280[7f047ae284c0]: III pipe input: waiting for data
2001729280[7f047ae284c0]: III pipe input: woke up [status=805a1f76 available=0]
2001729280[7f047ae284c0]: ReadNextLine [stream=777e4b00 nb=0 needmore=1]
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1f76
2001729280[7f047ae284c0]: THRD(7f04a30fe690) Dispatch [7f047489c150 0]
2001729280[7f047ae284c0]: EVENTQ(7f04a30fe6f8): notify
2001729280[7f047ae284c0]: THRD(7f04a30fe690) Dispatch [7f0472bf71a0 0]
2001729280[7f047ae284c0]: EVENTQ(7f04a30fe6f8): notify
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:TellThreadToDie: close socket connection
2001729280[7f047ae284c0]: 784a2000:imap.example.com:NA:CreateNewLineFromSocket: (null)
2001729280[7f047ae284c0]: destroying nsSocketTransport @7f047a5d4300

Again, that does not tell me much.

openssl log:

openssl s_client -connect imap.mgr:993 -CAfile /etc/certs/cacert.pem 
CONNECTED(00000003)
depth=1 C = DE, ST = NRW, L = Niederkassel, O = \C2\B5AC - Microsystem Accessory Consult, OU = IT, CN = CA
verify return:1
depth=0 C = DE, ST = NRW, L = Niederkassel, O = \C2\B5AC - Microsystem Accessory Consult, OU = IT, CN = imap.uac.microsult.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=imap.uac.microsult.de
   i:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
 1 s:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
   i:/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFiTCCBHGgAwIBAgIJAJeD4N2BtJ69MA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
BAYTAkRFMQwwCgYDVQQIEwNOUlcxFTATBgNVBAcTDE5pZWRlcmthc3NlbDEtMCsG
A1UECgwkwrVBQyAtIE1pY3Jvc3lzdGVtIEFjY2Vzc29yeSBDb25zdWx0MQswCQYD
VQQLEwJJVDELMAkGA1UEAxMCQ0EwHhcNMTYwMjIyMTEwOTAwWhcNMTcwMjIyMTEw
OTAwWjCBjjELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEVMBMGA1UEBxMMTmll
ZGVya2Fzc2VsMS0wKwYDVQQKDCTCtUFDIC0gTWljcm9zeXN0ZW0gQWNjZXNzb3J5
IENvbnN1bHQxCzAJBgNVBAsTAklUMR4wHAYDVQQDExVpbWFwLnVhYy5taWNyb3N1
bHQuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUbl1Uc0oezPJ6
ftyp+5qbNS3yEt6Qe0cpjHk9IwPDn9kiX0NZ8CIv52oCB+t+s0BmPAgHGH9g4arp
+s5aMR8chV5y/rv6bkfHY31S/QI5Q+4bWn0ipjRj9U3BK31UQhub1JyTWCbXbHqq
s7FsFUVOIe2DVez9lohn/6ZySHM6+o9ZlP8NQ5ZZIa/dFDhjaJWy97116M61HLjD
YQ6BGgo7pEZyB/i4f38Y3ftsXoERisVOeAVQHh7T5wNRrxt7i1Y2t6GyT8de34QJ
ApfjUA9R+70kmAtW1oyCAFIHLbbl08kjSPx4eDydG4cwI96vRoZOuPJkWWQR6PEM
tv1Ptw+zAgMBAAGjggH6MIIB9jAJBgNVHRMEAjAAMB0GA1UdDgQWBBRMuM7J6zdu
9+ehb43kHCIZMX1thzCBrQYDVR0jBIGlMIGigBSo/BAZlg+Eaqtz4HLFQ+WBIpiI
7qF/pH0wezELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEVMBMGA1UEBxMMTmll
ZGVya2Fzc2VsMS0wKwYDVQQKDCTCtUFDIC0gTWljcm9zeXN0ZW0gQWNjZXNzb3J5
IENvbnN1bHQxCzAJBgNVBAsTAklUMQswCQYDVQQDEwJDQYIJAJeD4N2BtJ6zMAsG
A1UdDwQEAwIF4DAqBgNVHSUEIzAhBggrBgEFBQcDAQYKKwYBBAGCNwoDAwYJYIZI
AYb4QgQBMBMGA1UdEQQMMAqCCGltYXAubWdyMCoGA1UdHwQjMCEwH6AdoBuGGWh0
dHA6Ly93d3cubWdyL2NhL21hYy5jcmwwEQYJYIZIAYb4QgEBBAQDAgZAMCgGCWCG
SAGG+EIBBAQbFhlodHRwOi8vd3d3Lm1nci9jYS9tYWMuY3JsMCwGCWCGSAGG+EIB
CAQfFh1odHRwOi8vd3d3Lm1nci9jYS9wb2xpY3kuaHRtbDA1BglghkgBhvhCAQ0E
KBYmTWljcm9zeXN0ZW0gQWNjZXNzb3J5IENvbnN1bHQgLSBTZXJ2ZXIwDQYJKoZI
hvcNAQELBQADggEBAKjWMNswngddgA/AxWAAiLghRPxKyQaoT0qm527M6JRidNYa
6q2BAzMFCDAptT/T2pDuvkuciA18ctUaM7RiUjRmzNov4E44R+wGHkkn84f5p2W5
6C3Zj0Ebja4wDK55ovpssMbO+c9mPjAz61z8dcGEnOK0m3RK5gPtRWzYMUq/FAET
Pes0oJrT2q8dU50B4PEMQHFYxXEWowo3qu0QVYoXqgNJtRubruqktQ6AZrQMiUhv
vCZhSkS5GMtBJVNSSwQ2XAPAAU+BZoHjStjdH5lKxKw0UbqCJEA7CDwaGybT4xqR
3yhEcTWFdWCiGK72WkJvtwIgFlW0Rly+nhtrUNA=
-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=imap.uac.microsult.de
issuer=/C=DE/ST=NRW/L=Niederkassel/O=\xC2\xB5AC - Microsystem Accessory Consult/OU=IT/CN=CA
---
No client certificate CA names sent
---
SSL handshake has read 2967 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 730888566D757F19B38BF3CCD7A55CF44CBCD08B6763262CD36A2AA4230260DC
    Session-ID-ctx: 
    Master-Key: 4DA397FA9EFF6EA3F2610291BFC3BDAA69DAA00F3B6787F06635F739A0D99EECCEFF715A3E22D66165E8CAADC968EEFD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 9d e1 fe 6a cf df 22 86-e8 2e c4 8b 4c 90 49 76   ...j..".....L.Iv
    0010 - e9 49 76 c9 4f 37 12 a3-4f b8 b5 44 18 e1 2b 64   .Iv.O7..O..D..+d
    0020 - af 01 7a 21 c7 b2 f2 84-17 fb a7 4d aa c3 73 dc   ..z!.......M..s.
    0030 - 91 b2 c5 ef d9 d8 2e 0a-bd f8 57 20 da ba bb 02   ..........W ....
    0040 - 1b a8 b1 21 0c f5 39 63-39 8c 90 51 48 3c 82 f2   ...!..9c9..QH<..
    0050 - a5 33 21 2e 23 f8 99 9c-0e 6f d0 67 99 8c 52 7b   .3!.#....o.g..R{
    0060 - 23 7a 13 45 5a 68 63 51-e3 e0 b6 ce fb 19 fa b4   #z.EZhcQ........
    0070 - 4b 6b 74 76 7d 5c 3d 55-83 a9 be 5a 11 46 65 14   Kktv}\=U...Z.Fe.
    0080 - dc de 9b ae ce 45 5e d8-eb 46 83 b2 a5 7b f0 ae   .....E^..F...{..
    0090 - f3 fe 2f a5 e4 8c 71 fa-6f 3f 10 61 7e f0 45 c5   ../...q.o?.a~.E.

    Start Time: 1459405125
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK hermod Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny3 server ready
a1 LOGOUT
* BYE LOGOUT received
a1 OK Completed
read:errno=0

For STARTTLS on 143 the log is no different.

Answer 1

Check the domain in the client configuration.

  • It needs to match the domain name on the certificate.
  • Check DNS resolution of the domain on the client.

Recently there have been a number of changes in both server and client software aimed at fixing SSL/TLS vulnerabilities. One of them may be triggering the problem. If your certificate only has a SHA-1 signature, that can cause it to be rejected.
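The first point of this answer, that the name the client connects to must match the certificate, is where a mail client and openssl s_client behave differently: s_client in the 1.0.x releases validates the chain but does not check the host name unless explicitly asked, so "Verify return code: 0 (ok)" in the output above says nothing about the name. The following Python script is an added example and is not part of the question or the answer. It decodes the server certificate printed in the question with a minimal DER walker (standard library only), extracts the subject CN and the subjectAltName dNSName entries, and applies the RFC 6125 rule that NSS and mozilla::pkix follow: when the certificate carries SAN dNSName entries they alone decide, and the CN is consulted only if there are none. The two host names in the __main__ block are simply the two names visible on this page (the certificate's CN and the host openssl was pointed at), used here as sample input; which name the client is actually configured with is not stated in the question.

```python
import base64
import re

# Server certificate exactly as printed in the question's openssl s_client output.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFiTCCBHGgAwIBAgIJAJeD4N2BtJ69MA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
BAYTAkRFMQwwCgYDVQQIEwNOUlcxFTATBgNVBAcTDE5pZWRlcmthc3NlbDEtMCsG
A1UECgwkwrVBQyAtIE1pY3Jvc3lzdGVtIEFjY2Vzc29yeSBDb25zdWx0MQswCQYD
VQQLEwJJVDELMAkGA1UEAxMCQ0EwHhcNMTYwMjIyMTEwOTAwWhcNMTcwMjIyMTEw
OTAwWjCBjjELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEVMBMGA1UEBxMMTmll
ZGVya2Fzc2VsMS0wKwYDVQQKDCTCtUFDIC0gTWljcm9zeXN0ZW0gQWNjZXNzb3J5
IENvbnN1bHQxCzAJBgNVBAsTAklUMR4wHAYDVQQDExVpbWFwLnVhYy5taWNyb3N1
bHQuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUbl1Uc0oezPJ6
ftyp+5qbNS3yEt6Qe0cpjHk9IwPDn9kiX0NZ8CIv52oCB+t+s0BmPAgHGH9g4arp
+s5aMR8chV5y/rv6bkfHY31S/QI5Q+4bWn0ipjRj9U3BK31UQhub1JyTWCbXbHqq
s7FsFUVOIe2DVez9lohn/6ZySHM6+o9ZlP8NQ5ZZIa/dFDhjaJWy97116M61HLjD
YQ6BGgo7pEZyB/i4f38Y3ftsXoERisVOeAVQHh7T5wNRrxt7i1Y2t6GyT8de34QJ
ApfjUA9R+70kmAtW1oyCAFIHLbbl08kjSPx4eDydG4cwI96vRoZOuPJkWWQR6PEM
tv1Ptw+zAgMBAAGjggH6MIIB9jAJBgNVHRMEAjAAMB0GA1UdDgQWBBRMuM7J6zdu
9+ehb43kHCIZMX1thzCBrQYDVR0jBIGlMIGigBSo/BAZlg+Eaqtz4HLFQ+WBIpiI
7qF/pH0wezELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEVMBMGA1UEBxMMTmll
ZGVya2Fzc2VsMS0wKwYDVQQKDCTCtUFDIC0gTWljcm9zeXN0ZW0gQWNjZXNzb3J5
IENvbnN1bHQxCzAJBgNVBAsTAklUMQswCQYDVQQDEwJDQYIJAJeD4N2BtJ6zMAsG
A1UdDwQEAwIF4DAqBgNVHSUEIzAhBggrBgEFBQcDAQYKKwYBBAGCNwoDAwYJYIZI
AYb4QgQBMBMGA1UdEQQMMAqCCGltYXAubWdyMCoGA1UdHwQjMCEwH6AdoBuGGWh0
dHA6Ly93d3cubWdyL2NhL21hYy5jcmwwEQYJYIZIAYb4QgEBBAQDAgZAMCgGCWCG
SAGG+EIBBAQbFhlodHRwOi8vd3d3Lm1nci9jYS9tYWMuY3JsMCwGCWCGSAGG+EIB
CAQfFh1odHRwOi8vd3d3Lm1nci9jYS9wb2xpY3kuaHRtbDA1BglghkgBhvhCAQ0E
KBYmTWljcm9zeXN0ZW0gQWNjZXNzb3J5IENvbnN1bHQgLSBTZXJ2ZXIwDQYJKoZI
hvcNAQELBQADggEBAKjWMNswngddgA/AxWAAiLghRPxKyQaoT0qm527M6JRidNYa
6q2BAzMFCDAptT/T2pDuvkuciA18ctUaM7RiUjRmzNov4E44R+wGHkkn84f5p2W5
6C3Zj0Ebja4wDK55ovpssMbO+c9mPjAz61z8dcGEnOK0m3RK5gPtRWzYMUq/FAET
Pes0oJrT2q8dU50B4PEMQHFYxXEWowo3qu0QVYoXqgNJtRubruqktQ6AZrQMiUhv
vCZhSkS5GMtBJVNSSwQ2XAPAAU+BZoHjStjdH5lKxKw0UbqCJEA7CDwaGybT4xqR
3yhEcTWFdWCiGK72WkJvtwIgFlW0Rly+nhtrUNA=
-----END CERTIFICATE-----"""

OID_CN = bytes.fromhex("550403")   # 2.5.4.3   id-at-commonName
OID_SAN = bytes.fromhex("551d11")  # 2.5.29.17 id-ce-subjectAltName


def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed DER value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def cert_names(pem):
    """Return (subject CN, [SAN dNSName entries]) from a PEM certificate."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    tbs = der_children(der_children(der_tlv(der)[1])[0][1])
    if tbs[0][0] == 0xA0:                   # drop EXPLICIT [0] version, if present
        tbs = tbs[1:]
    # tbs now: serial, sigAlg, issuer, validity, subject, spki, optional [1]/[2]/[3]
    cn, sans = None, []
    for _, rdn in der_children(tbs[4][1]):  # subject = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == OID_CN:
                cn = value[1].decode()
    for tag, val in tbs[6:]:
        if tag != 0xA3:                     # EXPLICIT [3] Extensions
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            fields = der_children(ext)      # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] == OID_SAN:
                general_names = der_children(fields[-1][1])[0][1]
                sans = [v.decode() for t, v in der_children(general_names) if t == 0x82]
    return cn, sans


def matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, one wildcard allowed as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return pattern == hostname


def verify_hostname(pem, hostname):
    """SAN-first rule (NSS / mozilla::pkix): SAN dNSNames decide if present, else the CN is used."""
    cn, sans = cert_names(pem)
    if sans:
        ok = any(matches(s, hostname) for s in sans)
        return ok, f"SAN {sans} {'matches' if ok else 'does not match'} {hostname!r} (CN {cn!r} ignored)"
    ok = cn is not None and matches(cn, hostname)
    return ok, f"no SAN present; CN {cn!r} {'matches' if ok else 'does not match'} {hostname!r}"


if __name__ == "__main__":
    for host in ("imap.mgr", "imap.uac.microsult.de"):    # the two names visible on this page
        print(host, "->", verify_hostname(SERVER_CERT_PEM, host))
```

Running it against the certificate from the question shows that the only SAN entry is DNS:imap.mgr, so a SAN-aware client accepts the certificate for imap.mgr and rejects it for any other name, including the CN imap.uac.microsult.de, whereas a chain-only check such as the s_client run above passes for both. To reproduce the decision of the actual client, pass the exact host name configured in the account settings.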
