
Bug#502361: courier-imap-ssl package breaks SSL on upgrade; hashed certs culprit.


Sam Vilain

Oct 15, 2008, 6:40:09 PM
Package: courier-imap-ssl
Version: 4.4.0-2
Severity: important


Hi,

I just upgraded to lenny and found that my imap SSL connection no
longer works.

maia:~$ telnet -z ssl mail.utsl.gen.nz 993
Trying 202.78.240.73...
SSL_connect: Success
maia:~$

In Evolution this manifested as "Error while Refreshing folder", and
clicking on the little alert triangle that appears in the bottom left
it then says "Server unexpectedly disconnected: Input/output error".

I downgraded to the etch courier-imap-ssl package, then re-upgraded,
keeping the old config file - which worked. I eventually worked out
that the new TLS_TRUSTCERTS option was triggering the issue.

Also, I saw this error message in /var/log/mail.log:

Oct 16 11:12:49 mail imapd-ssl: couriertls: connect: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table

Removing the /var/lib/courier/couriersslcache file did not resolve
this; however, removing all of the hashed certs in /usr/lib/ssl/certs
fixed it.

maia:~$ telnet -z ssl mail.utsl.gen.nz 993
Trying 202.78.240.73...
Connected to mail.utsl.gen.nz.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
^]
telnet> close
maia:~$

Workarounds:

1. remove hashed certificates in /usr/lib/ssl/certs

rm /usr/lib/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]*

2. disable TLS_TRUSTCERTS in /etc/courier/imapd-ssl

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.16.x
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages courier-imap-ssl depends on:
di courier-imap 4.4.0-2 Courier mail server - IMAP server
ii courier-ssl 0.60.0-2 Courier mail server - SSL/TLS Supp
ii openssl 0.9.8g-13 Secure Socket Layer (SSL) binary a

courier-imap-ssl recommends no packages.

Versions of packages courier-imap-ssl suggests:
pn courier-doc <none> (no description available)
ii mutt [imap-client] 1.5.18-4 text-based mailreader supporting M

-- no debconf information
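
An added diagnostic, not part of the original report or of Courier: OpenSSL raises "cert already in hash table" when a certificate is added to a store that already holds it. Assuming the trust directory exposes the same certificate under several names (hashed links, originals, bundle files), this Python script lists those duplicates by SHA-256 of the DER bytes before anything is deleted. It reads PEM armor only and does not validate X.509; the function names are illustrative.

```python
import base64
import hashlib
import os
import re
import sys
from collections import defaultdict

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(path):
    """Yield the SHA-256 of each PEM certificate's DER bytes in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    for match in PEM_CERT.finditer(data):
        try:
            der = base64.b64decode(b"".join(match.group(1).split()),
                                   validate=True)
        except ValueError:
            continue  # damaged armor: skip rather than guess
        yield hashlib.sha256(der).hexdigest()


def find_duplicates(cert_dir):
    """Map fingerprint -> entry names, for certificates seen more than once."""
    seen = defaultdict(list)
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):  # follows symlinks, skips dangling ones
            continue
        for fp in cert_fingerprints(path):
            seen[fp].append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Default is the directory named in the report's workaround.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/ssl/certs"
    if not os.path.isdir(target):
        sys.exit(f"{target}: not a directory")
    for fp, names in sorted(find_duplicates(target).items()):
        print(fp[:16], "loaded from:", ", ".join(names))
```

Each output line names every directory entry that yields the same certificate, which shows whether the hashed links are the only source of the duplicate or whether a bundle file is involved as well.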
