[SOLVED] Re: STARTTLS negotiation failed
Steve Huston
huston at astro.Princeton.EDU
Mon Jan 13 13:40:43 EST 2003

On Fri, 10 Jan 2003, Jonathan Marsden wrote:
> On 10 Jan 2003, Steve Huston writes:
> > Now, our current Cyrus server has a self-signed cert which Pine
> > doesn't like unless you add /novalidate-cert to the hostname of the
> > server. But this time, that doesn't even help as it just says
> > "There was an SSL/TLS failure for the server" "The reason for the
> > failure was: SSL Negotiation failed" Cyrus also reports the same
> > thing in the logs. I understand the point of '/novalidate-cert',
> > meaning don't try to check the signing authority on the cert, and I
> > could overlook things if that was the only error.
>
> Longer term, you might want to create your own CA and sign the server
> host cert with that CA. Then provide your public CA cert to Pine and,
> theoretically, you won't need "/novalidate-cert"

On Fri, 10 Jan 2003, Ken Murchison wrote:
> I just tested Pine 4.44 against my Cyrus 2.1.11 using a self-signed cert
> (/novalidate-cert) and it works fine. Below is the output from ssldump
> (http://www.rtfm.com/ssldump/) for reference. I'd use ssldump to see
> where in the negotiation it fails.

Finally got it! I followed the exact instructions in the manual for creating
a key, and for some reason that worked. Then I realized one other thing I
changed in the /etc/imapd.conf file when I used that other key, that being
"tls_ca_file:". It seems that the program doesn't like the CA file that comes
with RedHat 8.0, and if I specify that file it chokes and dies *only* on TLS
connections, SSL works fine.

Now that I know the problem, I can figure out a workaround. Thanks Jonathan
and Ken for pointing me in the right direction (and thanks to Dr. Pepper for
providing caffeinated support).
--
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
Princeton University | ICBM Address: 40.346525 -74.651285
126 Peyton Hall |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(609) 258-7375 | headlong into mystery." -Rush, 'Cygnus X-1'
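
Added example, not part of the original message or of Cyrus: a pre-flight check for the bundle that "tls_ca_file:" points at, flagging entries whose PEM markers, base64 or outer DER length are inconsistent before the server is pointed at the file. The thread does not say why Cyrus rejected the RedHat bundle, so this covers only one possible class of cause; the function names, the /path/to/... values and the sample data are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def conf_option(conf_text, name):
    """Return the value of a 'name: value' line in imapd.conf text, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:   # commented-out lines never match
            return value.strip()
    return None

def der_framing_ok(der):
    """True if der is exactly one DER SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    header, body = 2, der[1]
    if body >= 0x80:                      # long form: low 7 bits = length octets
        n = body & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def check_bundle(pem_text):
    """Return (well_framed_count, problems) for the certificate blocks in a bundle."""
    problems, good = [], 0
    begins, ends = (pem_text.count(f"-----{w} CERTIFICATE-----") for w in ("BEGIN", "END"))
    if begins != ends:
        problems.append(f"unbalanced markers: {begins} BEGIN, {ends} END")
    for i, m in enumerate(PEM_RE.finditer(pem_text), start=1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:
            der = b""                     # undecodable body counts as a bad entry
        if der_framing_ok(der):
            good += 1
        else:
            problems.append(f"entry {i}: bad base64 or DER length mismatch")
    return good, problems

# Constructed sample data: tiny DER stubs, not real certificates or real paths.
SAMPLE_CONF = "tls_cert_file: /path/to/server.pem\ntls_ca_file: /path/to/ca-bundle.crt\n"
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAUCAQU=\n-----END CERTIFICATE-----\n")
if __name__ == "__main__":
    print(conf_option(SAMPLE_CONF, "tls_ca_file"), check_bundle(SAMPLE_BUNDLE))
```

A bundle that passes this framing check can still contain certificates the TLS library refuses to load, so a clean result narrows the search rather than ending it.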