2.3.11 STARTTLS broken if tls_ca_file is defined

jc.duss59 at laposte.net jc.duss59 at laposte.net
Wed Jan 16 12:03:50 EST 2008


Thanks for your advice.
I had already tried it.


It works on SSL (port 993).
It doesn't work on port 143 with TLS.
Making some changes to SSL in about:config of Thunderbird gave me different logs:
Jan 16 17:53:27 imaptest imap[35698]: accepted connection
Jan 16 17:53:27 imaptest imap[35698]: imapd:Loading hard-coded DH parameters
Jan 16 17:53:27 imaptest imap[35698]: SSL_accept() incomplete -> wait
Jan 16 17:53:59 imaptest imap[35698]: EOF in SSL_accept() -> fail
Jan 16 17:53:59 imaptest imap[35698]: STARTTLS negotiation failed: [10.1.45.1]


Maybe it can help you?!




> Message of 15/01/08 19:15
> From: "Patrick Boutilier"
> To: "Cyrus IMAP"
> Cc:
> Subject: Re: 2.3.11 STARTTLS broken if tls_ca_file is defined
>
> Sebastian Hagedorn wrote:
> > Hi,
> >
> > please don't write to me personally but keep this on the list instead.
> >
> > --On 15 January 2008 10:32:16 +0100 jc.duss59 at laposte.net wrote:
> >
> >> Here is my log, when I try to open a connection in TLS.
> >>
> >> Jan 15 10:29:54 imaptest master[1024]: about to exec /usr/local/cyrus/bin/imapd
> >> Jan 15 10:29:54 imaptest imap[1024]: executed
> >> Jan 15 10:29:54 imaptest imap[1024]: accepted connection
> >> Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
> >> Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
> >> Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
> >> Jan 15 10:29:55 imaptest imap[1024]: accepted connection
> >> Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
> >> Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
> >>
> >> Thanks a lot for further information.
> >
> > OK, I guess that's helpful. The reason for the failure is this line:
> >
> > wrong version number in SSL_accept() -> fail
> >
> > Now the question is why that happens. This is the code that logs the line:
> >
> >        case SSL_ERROR_SSL:
> >            err = ERR_get_error();
> >            if (err == 0) {
> >                syslog(LOG_DEBUG, "protocol error in SSL_accept() -> fail");
> >            } else {
> >                syslog(LOG_DEBUG, "%s in SSL_accept() -> fail",
> >                       ERR_reason_error_string(err));
> >            }
> >            break;
> >
> > So the server notes an SSL error, logs it and drops the connection. The
> > cause for the error seems to be something like this:
> >
> > "Versions in client/server SSL records do not agree.
> > Probably your client sends SSL2 client_hello handshake
> > message and server is configured only for SSL3/TLS1.
> > In this situation server does not accept SSL2
> > client_hello what is being manifested by "wrong version
> > number" error.
> > To resolve this error you may disable SSL2 on client
> > or enable SSL2 handshake on server.
> > tcpdump output from wrong session handshake
> > may be helpful too."
> >
> > What I don't understand is how it could've worked in earlier versions.
> > Anyway, could this be a client issue? Can you try other clients to see
> > if they handle this differently? Can you disable SSLv2 in your client?
> >
>
> I had the same problem this morning after running 2.3.11 for over nine
> days. In my case restarting Thunderbird fixed my problem for now.
>
>
>
> Jan 15 13:28:42 student imap[9814]: wrong version number in SSL_accept() -> fail
> Jan 15 13:28:42 student imap[9814]: STARTTLS negotiation failed: TradeMart-2.EDnet.NS.CA [142.227.51.61]
>
>
> >
> > ------------------------------------------------------------------------
> >
> > ----
> > Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> > Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
> >
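
An added example, not part of the original messages and not Cyrus code: a Python sketch that pairs each "STARTTLS negotiation failed" line with the SSL_accept() reason logged by the same imapd process, and measures how long the handshake lasted. The log lines are copied from this thread; the function name, the hint wording and the year argument (syslog omits the year) are assumptions of the example.

```python
import re
from datetime import datetime

# Log lines copied from the two messages in this thread.
SAMPLE = """\
Jan 15 10:29:54 imaptest imap[1024]: accepted connection
Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
Jan 16 17:53:27 imaptest imap[35698]: accepted connection
Jan 16 17:53:27 imaptest imap[35698]: SSL_accept() incomplete -> wait
Jan 16 17:53:59 imaptest imap[35698]: EOF in SSL_accept() -> fail
Jan 16 17:53:59 imaptest imap[35698]: STARTTLS negotiation failed: [10.1.45.1]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) \w+\[(\d+)\]: (.*)$")
REASON = re.compile(r"^(.*) in SSL_accept\(\) -> fail$")
FAILED = re.compile(r"^STARTTLS negotiation failed: (.*)$")

# Triage hints keyed by the logged reason string (wording is this example's own).
HINTS = {
    "wrong version number": "client and server disagree on the SSL/TLS record version",
    "EOF": "client closed the connection before the handshake finished",
}

def starttls_failures(text, year=2008):
    """Return one dict per failed STARTTLS, joined to its SSL_accept() reason by PID."""
    state, out = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (host, pid)
        if msg == "accepted connection":
            state[key] = {"start": when, "reason": None}
        elif (r := REASON.match(msg)) and key in state:
            state[key]["reason"] = r.group(1)
        elif (f := FAILED.match(msg)) and key in state:
            s = state.pop(key)
            out.append({"pid": int(pid), "client": f.group(1), "reason": s["reason"],
                        "seconds": int((when - s["start"]).total_seconds()),
                        "hint": HINTS.get(s["reason"], "see reason string")})
    return out

if __name__ == "__main__":
    for row in starttls_failures(SAMPLE):
        print(row)
```

On these lines the first failure is rejected within the same second, while the second sits for 32 seconds before the EOF, which separates an immediate protocol rejection from a handshake that stalled.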