[SOLVED] Re: STARTTLS negotiation failed

Steve Huston huston at astro.Princeton.EDU
Mon Jan 13 13:40:43 EST 2003


On Fri, 10 Jan 2003, Jonathan Marsden wrote:
> On 10 Jan 2003, Steve Huston writes:
> > Now, our current Cyrus server has a self-signed cert which Pine
> > doesn't like unless you add /novalidate-cert to the hostname of the
> > server.  But this time, that doesn't even help as it just says
> > "There was an SSL/TLS failure for the server" "The reason for the
> > failure was: SSL Negotiation failed" Cyrus also reports the same
> > thing in the logs.  I understand the point of '/novalidate-cert',
> > meaning don't try to check the signing authority on the cert, and I
> > could overlook things if that was the only error.
> 
> Longer term, you might want to create your own CA and sign the server
> host cert with that CA.  Then provide your public CA cert to Pine and,
> theoretically, you won't need "/novalidate-cert"

On Fri, 10 Jan 2003, Ken Murchison wrote:
> I just tested Pine 4.44 against my Cyrus 2.1.11 using a self-signed cert
> (/novalidate-cert) and it works fine.  Below is the output from ssldump
> (http://www.rtfm.com/ssldump/) for reference.  I'd use ssldump to see
> where in the negotiation it fails.

Finally got it!  I followed the exact instructions in the manual for creating
a key, and for some reason that worked.  Then I realized one other thing I
changed in the /etc/imapd.conf file when I used that other key, that being
"tls_ca_file:"  It seems that the program doesn't like the CA file that comes
with RedHat 8.0, and if I specify that file it chokes and dies *only* on TLS
connections; SSL works fine.

Now that I know the problem, I can figure out a workaround.  Thanks Jonathan
and Ken for pointing me in the right direction (and thanks to Dr. Pepper for
providing caffeinated support).

-- 
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
 Princeton University  |     ICBM Address: 40.346525   -74.651285
   126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'
