Posted to server-dev@james.apache.org by "Ralf Hauser (JIRA)" <se...@james.apache.org> on 2006/11/15 13:35:38 UTC
[jira] Created: (JAMES-695) missing intermediary certificates in
keystore ignored
missing intermediary certificates in keystore ignored
-----------------------------------------------------
Key: JAMES-695
URL: http://issues.apache.org/jira/browse/JAMES-695
Project: James
Issue Type: Bug
Components: POP3Server
Affects Versions: 2.2.0
Environment: linux, windows
Reporter: Ralf Hauser
We use a certificate on https://www.privasphere.com where the root certificate is part of most standard pre-distributed keystores (CN = QuoVadis Root Certification Authority
OU = Root Certification Authority
O = QuoVadis Limited
C = BM) but the intermediary certificate is not (CN = QV Schweiz ICA
OU = Issuing Certificate Authority
O = QuoVadis Trustlink Schweiz AG
C = CH).
When just adding the leaf certificate to the java keystore with tomcat and james, both firefox and thunderbird complain.
When adding the full certificate chain to the java keystore, the tomcat - firefox combination now works fine, james - thunderbird doesn't.
AFAIK, firefox and thunderbird have identical copies of the trust store and tls stack, while james uses the legacy cornerstone/avalon. Can anyone confirm the problem?
Feel free to test on smtp.privasphere.com:995
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [jira] Resolved: (JAMES-695) missing intermediary certificates
in keystore ignored
Posted by Stefano Bagnara <ap...@bago.org>.
Norman Maurer (JIRA) wrote:
> [ http://issues.apache.org/jira/browse/JAMES-695?page=all ]
>
> Norman Maurer resolved JAMES-695.
> ---------------------------------
>
> Resolution: Invalid
> Assignee: Norman Maurer
Can you explain why this is invalid? I've not tested/analyzed it, but
I'm interested in the topic...
Stefano
Re: [jira] Resolved: (JAMES-695) missing intermediary certificates
in keystore ignored
Posted by Stefano Bagnara <ap...@bago.org>.
Arg, I lost few messages from the mailing list, so I didn't notice he
added a comment.
Sorry, and thanks!
Stefano
Norman Maurer wrote:
> Cause he said so ;-) Please read his comment. I add the link to the wiki
> as he suggested..
>
> bye
> Norman
>
> Stefano Bagnara schrieb:
>> Norman Maurer (JIRA) wrote:
>>> [ http://issues.apache.org/jira/browse/JAMES-695?page=all ]
>>>
>>> Norman Maurer resolved JAMES-695.
>>> ---------------------------------
>>>
>>> Resolution: Invalid
>>> Assignee: Norman Maurer
>>
>> Can you explain why this is invalid? I've not tested/analyzed it, but
>> I'm interested in the topic...
>>
>> Stefano
Re: [jira] Resolved: (JAMES-695) missing intermediary certificates
in keystore ignored
Posted by Norman Maurer <nm...@byteaction.de>.
Cause he said so ;-) Please read his comment. I add the link to the wiki
as he suggested..
bye
Norman
Stefano Bagnara schrieb:
> Norman Maurer (JIRA) wrote:
>> [ http://issues.apache.org/jira/browse/JAMES-695?page=all ]
>>
>> Norman Maurer resolved JAMES-695.
>> ---------------------------------
>>
>> Resolution: Invalid
>> Assignee: Norman Maurer
>
> Can you explain why this is invalid? I've not tested/analyzed it, but
> I'm interested in the topic...
>
> Stefano
[jira] Resolved: (JAMES-695) missing intermediary certificates in
keystore ignored
Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.
[ http://issues.apache.org/jira/browse/JAMES-695?page=all ]
Norman Maurer resolved JAMES-695.
---------------------------------
Resolution: Invalid
Assignee: Norman Maurer
[jira] Commented: (JAMES-695) missing intermediary certificates in
keystore ignored
Posted by "Ralf Hauser (JIRA)" <se...@james.apache.org>.
[ http://issues.apache.org/jira/browse/JAMES-695?page=comments#action_12450424 ]
Ralf Hauser commented on JAMES-695:
-----------------------------------
Sorry, false alarm - works now.
http://wiki.apache.org/james/UsingSSL should maybe be extended to mention http://www.agentbob.info/agentbob/79.html
i.e. the intermediary certificates should not be single entries of the keystore, but this should look like:
Desktop> $JAVA_HOME/bin/keytool -list -keystore pop.ks -v
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: james
Creation date: Nov 16, 2006
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=smtp.privasphere.com, OU=Secure Messaging, O=PrivaSphere AG, L=Zuerich, ST=ZH, C=CH
Issuer: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Serial number: 21e2
Valid from: Wed Oct 25 11:32:22 CEST 2006 until: Sat Oct 25 11:32:22 CEST 2008
Certificate fingerprints:
MD5: 91:98:DE:8F:FB:00:C7:F9:C3:AF:99:41:83:EB:00:05
SHA1: 61:6F:58:CD:3D:DF:89:55:67:25:7B:90:AB:8F:56:53:03:45:F4:9E
Certificate[2]:
Owner: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 421fcec0
Valid from: Wed Mar 15 22:06:52 CET 2006 until: Tue Mar 15 22:06:52 CET 2016
Certificate fingerprints:
MD5: C5:59:4C:76:54:6C:A5:EA:2C:31:6F:61:D0:7C:12:39
SHA1: 67:EC:CD:0A:90:2E:86:8D:70:00:87:2E:A1:FD:79:C1:6B:CF:1F:AB
Certificate[3]:
Owner: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 3ab6508b
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Certificate fingerprints:
MD5: 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
*******************************************
*******************************************
to test:
[privasphere@poldo sec]$ openssl s_client -connect smtp.privasphere.com:995
CONNECTED(00000003)
depth=2 /C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=CH/ST=ZH/L=Zuerich/O=PrivaSphere AG/OU=Secure Messaging/CN=smtp.privasphere.com
i:/C=CH/O=QuoVadis Trustlink Schweiz AG/OU=Issuing Certificate Authority/CN=QV Schweiz ICA
1 s:/C=CH/O=QuoVadis Trustlink Schweiz AG/OU=Issuing Certificate Authority/CN=QV Schweiz ICA
i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
2 s:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
---
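A check for the keystore layout described in the last comment, added here as an example and not part of the original thread or the James code base: it parses `keytool -list -v` text and flags a key entry whose intermediate certificate sits under its own alias instead of in the key entry's chain. The sample listing, its names, and the function names are constructed for illustration.

```python
KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}  # older / newer keytool wording

# Constructed sample in the shape of `keytool -list -v` output (hypothetical names):
# the intermediate is stored under its own alias, not in the key entry's chain.
SAMPLE_SPLIT = """\
Alias name: james
Entry type: keyEntry
Certificate chain length: 1
Owner: CN=pop.example.test, O=Example AG, C=CH
Issuer: CN=Example ICA, O=Example Trust, C=CH
Alias name: ica
Entry type: trustedCertEntry
Owner: CN=Example ICA, O=Example Trust, C=CH
Issuer: CN=Example Root, O=Example Ltd, C=BM
"""

def parse_listing(text):
    """Return {alias: {"type": str, "certs": [[owner, issuer], ...]}}."""
    entries, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(": ")
        if key == "Alias name":
            cur = entries[value] = {"type": None, "certs": []}
        elif cur and key == "Entry type":
            cur["type"] = value
        elif cur and key == "Owner":
            cur["certs"].append([value, None])
        elif cur and key == "Issuer" and cur["certs"]:
            cur["certs"][-1][1] = value
    return entries

def chain_findings(entries):
    """List key-entry problems: a broken link, or an intermediate kept outside the chain."""
    loose = {e["certs"][0][0]: alias for alias, e in entries.items()
             if e["type"] == "trustedCertEntry" and e["certs"]
             and e["certs"][0][0] != e["certs"][0][1]}  # not self-signed: an intermediate
    findings = []
    for alias, e in entries.items():
        certs = e["certs"]
        if e["type"] not in KEY_TYPES or not certs:
            continue
        for (_, issuer), (owner, _) in zip(certs, certs[1:]):
            if issuer != owner:  # each certificate must be issued by the next one
                findings.append(f"{alias}: chain breaks after issuer {issuer}")
        top_issuer = certs[-1][1]
        if top_issuer in loose:  # the server sends only the key entry's own chain
            findings.append(f"{alias}: intermediate is separate entry '{loose[top_issuer]}'")
    return findings

print(chain_findings(parse_listing(SAMPLE_SPLIT)))
```

A listing like the three-certificate `james` entry shown in the comment produces no findings, because each Issuer matches the next Owner and nothing is left in a separate alias.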