<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><p style="margin: 0px; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">Hi Marcus!</span></p><p style="margin: 0px; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">The problem looks like the Java app cannot validate the new cert. </span><span style="font-size: 12pt;">Check the ssl_store for your Java-based mail gate. Are the CA and intermediate SSL certificates for your new 256ssl cert in the mail gate's SSL store?</span></p></div><div><div><br></div></div><blockquote type="cite"><div><span>Hi,</span><br><span></span><br><span>today I changed my SSL certificates to "sha256WithRSAEncryption",</span><br><span>because Thunderbird started complaining about my old SHA1</span><br><span>certificates. ;) One pop3s client (it's a kind of java based mailgate)</span><br><span>causes a lot of these errors, not at each connect, but on about two of</span><br><span>140 mailbox connects within 5 minutes:</span><br><span></span><br><span></span><br><span>mail log:</span><br><span>----------</span><br><span>May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection</span><br><span>May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete -></span><br><span>wait</span><br><span>May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate</span><br><span>unknown in SSL_accept() -> fail</span><br><span>May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed:</span><br><span><a href="http://ppp-xx-xx-xx-xx.domain.de">ppp-xx-xx-xx-xx.domain.de</a> [xx.xx.xx.xx]</span><br><span>May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error:</span><br><span>tls_start_servertls() failed</span><br><span>May 20 23:14:02 mailserv cyrus/pop3s[17825]: counts: retr=<0> top=<0></span><br><span>dele=<0></span><br><span>----------</span><br><span></span><br><span>error 
log:</span><br><span>----------</span><br><span>May 20 23:12:07 mailserv cyrus/pop3s[17838]: Fatal error:</span><br><span>tls_start_servertls() failed</span><br><span>----------</span><br><span></span><br><span>If I check pop3s with my Thunderbird or other clients everything is</span><br><span>fine. SSL checker e.g. on <a href="https://decoder.link/sslchecker">https://decoder.link/sslchecker</a> doesn't show</span><br><span>any errors and it's only this one pop3 client, which causes this error.</span><br><span></span><br><span>I didn't change anything in imap.conf, but replacing cert files and</span><br><span>reload imapd</span><br><span></span><br><span>tls_cert_file</span><br><span>tls_key_file</span><br><span>tls_ca_file</span><br><span></span><br><span>tls_cipher_list is unchanged:</span><br><span>tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH</span><br><span></span><br><span>Is the client sending a client certificate, which my server doesn't</span><br><span>like? But I don't ask for any client certificates.</span><br><span></span><br><span>System: cyrus 2.4.12</span><br><span></span><br><span>Ciao</span><br><span>Marcus</span><br></div></blockquote></body></html>