Posted to server-dev@james.apache.org by "Ralf Hauser (JIRA)" <se...@james.apache.org> on 2006/11/16 16:26:39 UTC

[jira] Commented: (JAMES-695) missing intermediary certificates in keystore ignored

    [ http://issues.apache.org/jira/browse/JAMES-695?page=comments#action_12450424 ] 
            
Ralf Hauser commented on JAMES-695:
-----------------------------------

Sorry, false alarm - works now. 
http://wiki.apache.org/james/UsingSSL should maybe be extended to mention http://www.agentbob.info/agentbob/79.html

i.e. the intermediary certificates should not be single entries of the keystore, but this should look like

Desktop> $JAVA_HOME/bin/keytool -list -keystore pop.ks  -v
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: james
Creation date: Nov 16, 2006
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=smtp.privasphere.com, OU=Secure Messaging, O=PrivaSphere AG, L=Zuerich, ST=ZH, C=CH
Issuer: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Serial number: 21e2
Valid from: Wed Oct 25 11:32:22 CEST 2006 until: Sat Oct 25 11:32:22 CEST 2008
Certificate fingerprints:
         MD5:  91:98:DE:8F:FB:00:C7:F9:C3:AF:99:41:83:EB:00:05
         SHA1: 61:6F:58:CD:3D:DF:89:55:67:25:7B:90:AB:8F:56:53:03:45:F4:9E
Certificate[2]:
Owner: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 421fcec0
Valid from: Wed Mar 15 22:06:52 CET 2006 until: Tue Mar 15 22:06:52 CET 2016
Certificate fingerprints:
         MD5:  C5:59:4C:76:54:6C:A5:EA:2C:31:6F:61:D0:7C:12:39
         SHA1: 67:EC:CD:0A:90:2E:86:8D:70:00:87:2E:A1:FD:79:C1:6B:CF:1F:AB
Certificate[3]:
Owner: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 3ab6508b
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Certificate fingerprints:
         MD5:  27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
         SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9


*******************************************
*******************************************


to test: 
[privasphere@poldo sec]$ openssl s_client -connect smtp.privasphere.com:995
CONNECTED(00000003)
depth=2 /C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=CH/ST=ZH/L=Zuerich/O=PrivaSphere AG/OU=Secure Messaging/CN=smtp.privasphere.com
   i:/C=CH/O=QuoVadis Trustlink Schweiz AG/OU=Issuing Certificate Authority/CN=QV Schweiz ICA
 1 s:/C=CH/O=QuoVadis Trustlink Schweiz AG/OU=Issuing Certificate Authority/CN=QV Schweiz ICA
   i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
 2 s:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
   i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
---




> missing intermediary certificates in keystore ignored
> -----------------------------------------------------
>
>                 Key: JAMES-695
>                 URL: http://issues.apache.org/jira/browse/JAMES-695
>             Project: James
>          Issue Type: Bug
>          Components: POP3Server
>    Affects Versions: 2.2.0
>         Environment: linux, windows
>            Reporter: Ralf Hauser
>
> We use a certificate on https://www.privasphere.com where the root certificate is part of most standard pre-distributed keystores (CN = QuoVadis Root Certification Authority, OU = Root Certification Authority, O = QuoVadis Limited, C = BM) but the intermediary certificate is not (CN = QV Schweiz ICA, OU = Issuing Certificate Authority, O = QuoVadis Trustlink Schweiz AG, C = CH).
> When just using the leaf certificate to the java keystore with tomcat and james, both firefox and thunderbird complain.
> When adding the full certificate chain to the java keystore, the tomcat - firefox combination now works fine, james - thunderbird doesn't.
> AFAIK, firefox and thunderbird have identical copies of the trust store and tls stack, while james uses the legacy cornerstone/avalon. Can anyone confirm the problem?
> Feel free to test on smtp.privasphere.com:995 

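
Added example (not part of the original message or of James): a shell check that reads `keytool -list -v` output and reports, for each key entry, whether the intermediates are stored in that entry's own chain, as the comment above describes. The function name, verdict words and sample listings are constructed for illustration; English keytool labels are assumed.

```shell
# Reads a keytool -list -v listing on stdin; prints "<alias> <verdict> <chain length>".
check_chain() {
  awk '
    function report(   i, v) {
      if (alias == "" || !iskey || n == 0) return
      v = "linked"
      for (i = 1; i < n; i++)                 # each issuer must be the next owner
        if (issuer[i] != owner[i + 1]) v = "broken"
      if (n == 1 && issuer[1] != owner[1]) v = "leaf-only"   # intermediates missing
      else if (v == "linked" && issuer[n] == owner[n]) v = "complete"
      print alias, v, n
    }
    /^Alias name: / { report(); alias = substr($0, 13); iskey = 0; n = 0 }
    /^Entry type: / { iskey = ($0 ~ /[Kk]eyEntry/) }  # keyEntry or PrivateKeyEntry
    /^Certificate\[[0-9]+\]:/ { n++ }
    /^Owner: /  { owner[n] = substr($0, 8) }
    /^Issuer: / { issuer[n] = substr($0, 9) }
    END { report() }
  '
}
# Constructed sample: the full chain is stored under the key entry.
sample_chained() { cat <<'EOF'
Alias name: james
Entry type: keyEntry
Certificate[1]:
Owner: CN=mail.example.test
Issuer: CN=Example ICA
Certificate[2]:
Owner: CN=Example ICA
Issuer: CN=Example Root
Certificate[3]:
Owner: CN=Example Root
Issuer: CN=Example Root
EOF
}
# Constructed sample: the intermediate was imported as a separate trusted entry.
sample_split() { cat <<'EOF'
Alias name: ica
Entry type: trustedCertEntry
Owner: CN=Example ICA
Issuer: CN=Example Root
Alias name: james
Entry type: keyEntry
Certificate[1]:
Owner: CN=mail.example.test
Issuer: CN=Example ICA
EOF
}
```

Against a real keystore, pipe the listing in: `keytool -list -v -keystore pop.ks | check_chain`. A verdict of `linked` means the chain is consistent but stops below the root, which still works when clients already trust that root.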