STARTTLS negotiation failed

Steve Huston huston at astro.Princeton.EDU
Sun Jan 12 01:33:42 EST 2003


On Fri, 10 Jan 2003, Ken Murchison wrote:
> Steve Huston wrote:
> > Now, our current Cyrus server has a self-signed cert which Pine doesn't like
> > unless you add /novalidate-cert to the hostname of the server.  But this time,
> > that doesn't even help as it just says "There was an SSL/TLS failure for the
> > server" "The reason for the failure was: SSL Negotiation failed"  Cyrus also
> > reports the same thing in the logs.  I understand the point of
> > '/novalidate-cert', meaning don't try to check the signing authority on the
> 
> I just tested Pine 4.44 against my Cyrus 2.1.11 using a self-signed cert
> (/novalidate-cert) and it works fine.  Below is the output from ssldump
> (http://www.rtfm.com/ssldump/) for reference.  I'd use ssldump to see
> where in the negotiation it fails.

Ahh, that's just what I needed.  Thanks!

Now, armed with something to decode the packets, I may have gotten at least
somewhat closer to what the problem is:

> 1 2  0.1424 (0.0016)  S>C  Handshake
>       ServerHello
>         Version 3.1 
>         session_id[32]=
>           ce 24 19 9e 16 7a da 4a 2d 2d f7 ef 83 24 ff 55 
>           19 3d 31 9b 72 9f b9 57 17 bc 61 4a 38 4c c5 4d 
>         cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         compressionMethod                   NULL
> 1 3  0.1424 (0.0000)  S>C  Handshake
>       Certificate

That's what yours showed... I got up to the same point:

1 2  0.7860 (0.0028)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          d0 7e 52 7d 5e db fe 0f dc 8d de 61 a5 1c 37 00 
          b2 ec 36 9e 0d 41 cd d0 f8 1d 8c 2b 20 d3 11 ee 
        cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
1 3  0.7860 (0.0000)  S>C  Handshake
      Certificate
ERROR: Length mismatch
[root at diomedes root]# 

Hmm... now I'm completely confused.  Now if I try to connect via port 993, it
works perfectly fine with the same cert and all.  But ... I think I'm more
puzzled now than I was before.  I'm using the same versions of Cyrus and Pine
that you tried it on.

-- 
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
 Princeton University  |     ICBM Address: 40.346525   -74.651285
   126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'




