Oct 10, 2013

Following on from the StartCOM versus Apple issues I mentioned yesterday, I have created a new 4K certificate from StartCOM. Apple has no problem with that certificate.

I was in the process of setting up some test servers:

  1. Dovecot with a 2048-bit cert
  2. Dovecot with a 4096-bit cert
  3. Cyrus with a 2048-bit cert
  4. Cyrus with a 4096-bit cert

I started with Dovecot and was testing each one as I set it up.

As expected, the 2048-bit cert worked.

Unexpectedly, so did the newly created 4096-bit cert in the langille.org domain.

Confused, I compared the two Dovecot configuration files. They were the same except for the addresses and the certificate-related files.

In both cases, the ssl_cert parameter pointed to a file which was constructed by a command like this:

cat imaps.unixathome.org.crt sub.class2.server.ca.pem ca.pem > imaps.crt

Here is the connection for the 4098-bit cert, which fails:

$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect dovecot4096.langille.org:993
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
verify return:1
---
Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6525 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4098 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4AEF3F9EFC0F204597B2544B866BFB546D63FD6F2C07C35059BF49FF331B8F99
    Session-ID-ctx: 
    Master-Key: 3C9AB1FB6D69A1A96851A4C38A04DEBF468E17175D038081CEFF95530C921A91BEE1224CD0AAECE52DB6931DADC2B21B
    Key-Arg   : None
    Start Time: 1381436890
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Notice that it's 4098 bits, not 4096 bits as I thought it was. That, I believe, is the key to the problem.
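The lesson of the two transcripts is that the file names said "4096" while the key inside said 4098. Rather than trusting the names, the following script looks inside a chain file built the way the cat command above builds one: it splits the PEM bundle, prints each certificate's subject, issuer and public key size in the same s:/i: layout s_client uses, flags any key size that is not a multiple of 1024 (4098 would be flagged), and reports an issuer that does not match the subject of the certificate that follows it. This is an added example, not code from the original post, from Dovecot or from StartCom; it assumes only a POSIX shell with the openssl, awk and sed commands, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PEM bundle built like
#   cat imaps.unixathome.org.crt sub.class2.server.ca.pem ca.pem > imaps.crt
# and report what it actually contains. Assumes a POSIX shell plus the
# openssl, awk and sed commands; the function names are my own.

# cert_key_bits FILE: public key size, in bits, of the first certificate in FILE.
# Matches the "Public-Key: (N bit)" line printed by both OpenSSL 1.x and 3.x.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_field FILE subject|issuer: the DN in RFC 2253 form, e.g. "CN=TestCA",
# so one certificate's issuer can be compared textually with the next one's subject.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# split_bundle BUNDLE DIR: write the certificates of BUNDLE to DIR/cert-1.pem,
# DIR/cert-2.pem, ... in bundle order, and print how many were written.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# is_standard_bits N: succeed if N is a size a CA or key generator normally
# produces (a positive multiple of 1024). 4098, as in the post, fails this test.
is_standard_bits() {
    [ "$1" -gt 0 ] && [ "$(( $1 % 1024 ))" -eq 0 ]
}

# chain_report BUNDLE: one line per certificate in the layout of the s_client
# "Certificate chain" listing (s: subject, i: issuer), plus the key size.
# Returns 0 when every key size is standard and every issuer is the subject
# of the certificate that follows it; 1 when either check fails.
chain_report() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    n=$(split_bundle "$bundle" "$dir")
    rc=0
    i=1
    while [ "$i" -le "$n" ]; do
        f="$dir/cert-$i.pem"
        bits=$(cert_key_bits "$f"); bits=${bits:-0}
        subj=$(cert_field "$f" subject)
        iss=$(cert_field "$f" issuer)
        note=""
        is_standard_bits "$bits" || { note="   <-- unusual key size"; rc=1; }
        printf '%d  %s bit  s:%s  i:%s%s\n' "$i" "$bits" "$subj" "$iss" "$note"
        if [ "$i" -lt "$n" ]; then
            # The next certificate in the file should be the one that signed this one.
            next_subj=$(cert_field "$dir/cert-$((i + 1)).pem" subject)
            if [ "$iss" != "$next_subj" ]; then
                printf '   chain break: issuer of #%d is not the subject of #%d\n' "$i" "$((i + 1))"
                rc=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# Usage: chain_report imaps.crt
```

Run as `chain_report imaps.crt` against the file ssl_cert points at; a nonzero exit means the bundle has either an odd key size or a certificate out of order. The same cert_key_bits check can be run on what a live server presents by saving the output of `openssl s_client -showcerts` to a file first, which is a quicker way to spot a 4098 than reading the full transcript.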

And this is the certificate which succeeds:

$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect dovecot4096.langille.org:993 
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /description=3YB45Tqb2mK7H7lO/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=dovecot4096.langille.org/emailAddress=postmaster@langille.org
verify return:1
---
Certificate chain
 0 s:/description=3YB45Tqb2mK7H7lO/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=dovecot4096.langille.org/emailAddress=postmaster@langille.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/description=3YB45Tqb2mK7H7lO/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=dovecot4096.langille.org/emailAddress=postmaster@langille.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6528 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: A0397DB209074D4C0F44361077F920525DC719F4F426FF6209F4CBF738EBA092
    Session-ID-ctx: 
    Master-Key: 422AC3AD9F6BAD8F22F461E7761C27D1C14EBB5950F043311CC7CAF4A0283EA9F013C8E839810945FBDD6AF08C5E18C1
    Key-Arg   : None
    Start Time: 1381436961
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.