e-mail client certificate error although certs are installed

asked 2018-09-28 13:54:55 +0300

schmittlauch

For some time now, an e-mail account which worked flawlessly has only worked with certificate checks disabled. The server in question is msx.tu-dresden.de:143 with STARTTLS.

The weird thing is that there seems to be a valid trust chain for this server: I found the "T-Systems Class 2" certificate in the Jolla Settings Cert GUI, and openssl on the command line reports a working connection as well (see end of message).

Why does the e-mail client throw certificate validity errors although chain-certs are in the trust store and openssl also doesn't report any problems?

openssl output:

```
echo '' |openssl s_client -showcerts -starttls imap -connect msx.tu-dresden.de:143 | openssl x509 -fingerprint -text
depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
verify return:1
depth=1 C = DE, ST = Sachsen, L = Dresden, O = Technische Universitaet Dresden, CN = TU Dresden CA
verify return:1
depth=0 C = DE, ST = Sachsen, L = Dresden, O = Technische Universitaet Dresden, OU = ZIH, CN = msx.tu-dresden.de
verify return:1
. OK CAPABILITY completed.
DONE
SHA1 Fingerprint=B0:85:A7:83:0F:7F:59:26:FD:8D:0D:4E:E5:15:19:C5:BF:4D:9C:4A
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        1f:9d:f1:2f:29:e7:4d:6b:2e:1c:cd:18
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=DE, ST=Sachsen, L=Dresden, O=Technische Universitaet Dresden, CN=TU Dresden CA
    Validity
        Not Before: Aug 23 08:43:14 2018 GMT
        Not After : Nov 24 08:43:14 2020 GMT
    Subject: C=DE, ST=Sachsen, L=Dresden, O=Technische Universitaet Dresden, OU=ZIH, CN=msx.tu-dresden.de
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00:a0:a3:2d:d9:d6:ed:44:5c:39:29:fb:38:9f:f1:
                f2:b6:7d:64:bb:6a:79:b7:4a:8e:13:f4:a7:5a:91:
                d2:aa:12:a6:57:14:0d:50:14:9f:0f:13:b2:c0:a8:
                f8:35:c0:aa:71:2b:1f:0a:c1:90:4e:e0:24:81:9f:
                b5:24:2c:75:46:63:63:c8:f6:e3:03:38:60:7f:6c:
                7c:92:38:e9:28:75:79:7d:37:0a:c7:2b:7c:87:de:
                ca:86:ef:15:e7:4d:aa:51:29:00:1e:da:8f:bf:72:
                ba:e3:4a:40:ca:e2:6a:46:ec:a6:e6:f4:78:80:4f:
                93:48:f9:02:72:da:c9:ef:24:e8:10:a8:78:ee:df:
                71:3c:0f:29:dd:4c:70:af:db:d5:6d:ed:10:a5:d2:
                4b:fb:87:03:91:61:af:f8:a6:c6:a8:d6:30:14:d2:
                8a:a5:dc:b8:35:36:83:5c:88:02:d3:34:b7:35:f4:
                f9:9f:4d:18:21:ba:84:ce:c3:c1:52:50:54:95:82:
                03:ad:78:b0:82:a9:40:97:ed:7a:b3:61:a7:8a:f7:
                27:73:9f:64:5a:64:af:e3:c2:6b:70:5d:8d:55:87:
                f0:24:18:1f:74:69:d8:41:13:68:3c:7c:49:98:cd:
                4e:9b:ae:db:6d:33:59:0a:07:a6:68:de:d7:1c:03:
                27:4d
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: 
            CA:FALSE
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Client Authentication, TLS Web Server Authentication, E-mail Protection
        X509v3 Subject Key Identifier: 
            2E:11:97:68:91:A7:F4:EC:3C:A8:16:34:44:93:CA:35:03:0C:D2:4A
        X509v3 Authority Key Identifier: 
            keyid:52:FE:BE:B7:24:C2:1B:0A:1D:46:52:8E:44:24:2A:F4:48:40:3D:01

        X509v3 Subject Alternative Name: 
            DNS:autodiscover.mailbox.hfmdd.de, DNS:autodiscover.mailbox.tu-dresden.de, DNS:autodiscover.msx.tu-dresden.de, DNS:autodiscover.scads.de, DNS:autodiscover.tu-dresden.de, DNS:mailbox.hfmdd.de, DNS:mailbox.tu-dresden.de, DNS:msx.tu-dresden.de, DNS:tu-dresden.de
        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://cdp1.pca.dfn.de/tu-dresden-g2-ca/pub/crl/cacrl.crl

            Full Name:
              URI:http://cdp2.pca.dfn.de/tu-dresden-g2-ca/pub/crl/cacrl.crl

        Authority Information Access: 
            OCSP - URI:http://ocsp.pca.dfn.de/OCSP-Server/OCSP
            CA Issuers - URI:http://cdp1.pca.dfn.de/tu-dresden-g2-ca/pub/cacert/cacert.crt
            CA Issuers - URI:http://cdp2.pca.dfn.de/tu-dresden-g2-ca/pub/cacert/cacert.crt

        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.2
            Policy: 1.3.6.1.4.1.22177.300.30
            Policy: 1.3.6.1.4.1.22177.300.1.1.4
            Policy: 1.3.6.1.4.1.22177.300.1.1.4.3.8
            Policy: 1.3.6.1.4.1.22177.300.2.1.4.3.8

        CT Precertificate SCTs: 
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                            15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                Timestamp : Aug 23 08:43:33.658 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:46:02:21:00:C3:33:DE:70:6E:3C:9D:FC:E6:01:A4:
                            13:AB:ED:07:43:A2:37:1D:55:C4:E8:B1:D9:F3:F0:CA:
                            91:1E:E9:9C:9E:02:21:00:AC:2C:FC:7B:4A:7E:92:B5:
                            2B:36:ED:45:1F:03:37:05:9F:C5:52:BB:E3:71:1B:11:
                            E3:C0:25:A9:43:EC:09:E3
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : AA:E7:0B:7F:3C:B8:D5:66:C8:6C:2F:16:97:9C:9F:44:
                            5F:69:AB:0E:B4:53:55:89:B2:F7:7A:03:01:04:F3:CD
                Timestamp : Aug 23 08:43:33.545 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:20:53:DB:A0:C5:57:EA:BE:E8:DD:20:B3:19:
                            E2:AA:EC:CE:8D:95:20:84:EC:80:FD:1C:B6:AC:74:02:
                            19:D8:F3:1E:02:21:00:EF:D5:F3:E1:A3:59:F9:04:4E:
                            AA:AB:FC:9F:6C:BF:0E:2B:41:F2:94:9A:A7:A2:0A:11:
                            F3:60:B5:C1:80:AD:BB
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                            A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
                Timestamp : Aug 23 08:43:33.630 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:20:12:8F:3B:B4:34:41:9B:9D:53:D5:FA:F3:
                            5A:39:3B:32:3A:1F:EA:DD:95:14:CF:4F:17:B8:5F:71:
                            E2:2F:20:96:02:21:00:CE:D1:2A:CC:76:93:2D:11:03:
                            25:F9:0E:21:B5:C0:EF:11:73:AA:33:D5:33:7E:42:A4:
                            93:6C:76:29:3B:B0:6B
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
                            C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
                Timestamp : Aug 23 08:43:33.912 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:44:02:20:47:BB:81:57:1C:1C:DA:76:8C:6C:6F:7B:
                            72:B7:97:40:70:17:8E:BB:AC:51:45:0E:5A:BA:3F:4D:
                            FF:9A:28:56:02:20:76:84:D4:6A:BD:77:5D:DC:6C:C0:
                            12:D1:83:B8:A7:E0:AF:C4:16:6E:60:5A:CD:95:67:E1:
                            F2:F0:BD:BD:92:04
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
                            38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
                Timestamp : Aug 23 08:43:34.176 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:90:C1:A4:5F:97:1C:95:96:D3:3C:0F:
                            DC:96:B2:11:31:C6:69:1F:61:EE:81:F2:05:79:D6:22:
                            CD:97:FE:30:FD:02:20:48:8A:A9:01:73:CF:65:BE:83:
                            11:C5:17:9F:2C:DC:3A:9B:97:14:73:13:B4:1C:BF:EE:
                            13:01:96:73:8D:2E:40
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                            3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                Timestamp : Aug 23 08:43:34.205 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:20:05:80:DB:34:6D:F5:B6:1A:F5:B0:CE:CA:
                            55:54:67:2D:0B:22:DD:31:BA:23:58:50:BE:AD:79:6D:
                            A5:37:93:D0:02:21:00:AF:35:72:FA:64:2E:27:43:72:
                            7D:04:6C:2D:62:00:45:93:66:FE:0F:12:B4:06:35:CB:
                            64:83:BB:9D:00:2F:75
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                            7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                Timestamp : Aug 23 08:43:34.794 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:C2:40:24:F0:B9:18:97:39:14:A2:30:
                            C9:DB:82:92:B1:09:48:BE:8A:24:C6:5B:6E:40:AB:6E:
                            83:29:78:67:F7:02:20:75:77:8F:EC:F4:A7:EF:40:43:
                            16:DE:6E:41:58:F2:43:5E:6D:FB:F0:ED:C0:8C:D2:9E:
                            5F:25:1E:E0:1B:5D:36
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : B2:1E:05:CC:8B:A2:CD:8A:20:4E:87:66:F9:2B:B9:8A:
                            25:20:67:6B:DA:FA:70:E7:B2:49:53:2D:EF:8B:90:5E
                Timestamp : Aug 23 08:43:34.022 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:B5:60:05:84:B4:32:C6:74:CF:44:AB:
                            B2:F5:B5:8B:69:EE:40:F3:55:48:C8:8F:8D:1D:E2:06:
                            92:20:F1:B6:0A:02:20:07:CB:2F:21:57:66:81:74:09:
                            BA:4E:6F:04:A9:DC:DA:6F:07:18:5F:D3:1E:45:63:62:
                            5F:30:60:A0:DD:DA:2A
Signature Algorithm: sha256WithRSAEncryption
     a0:64:2a:a3:14:f0:6b:43:ee:6d:29:1b:99:a8:1d:26:e9:0e:
     05:7d:d3:e4:61:e8:60:b6:31:ec:05:e1:32:50:4f:df:2e:de:
     74:ee:49:a1:6b:7f:a4:19:5e:2b:2d:0b:90:10:a3:a2:bf:e5:
     ec:2b:36:c9:fd:f8:63:32:89:56:60:9e:22:b9:e0:36:43:6f:
     7d:15:e1:ef:a0:82:08:67:92:98:22:be:22:8c:1a:98:86:67:
     10:3a:af:e3:44:b6:70:32:58:40:3e:7e:d1:a6:c5:88:d1:54:
     8c:38:ae:2c:ab:b9:ec:56:6c:5f:0c:09:c0:36:1f:e2:e4:df:
     ad:e7:95:47:4b:5c:bd:ea:ae:3c:f9:82:4f:74:25:5c:d4:8f:
     1b:cb:a7:7e:df:55:58:c6:84:49:f3:8f:51:c6:b2:79:46:22:
     94:ac:d9:40:2f:11:47:4a:f8:41:6c:01:a0:57:10:77:e5:d0:
     82:08:7b:9f:f6:1a:a6:d9:d8:56:34:6e:33:72:e0:d2:67:1d:
     65:66:91:51:2d:2a:7e:c0:3e:41:bd:25:6d:af:2e:b7:03:7a:
     d3:b1:70:42:53:de:30:3f:ab:cc:b2:b1:0e:ef:b9:b5:e9:e7:
     d9:fb:bf:2f:15:73:85:8f:94:1b:8e:70:b9:b4:04:9a:27:65:
     d8:95:df:55

```
