STARTTLS negotiation failed
Ken Murchison
ken at oceana.com
Fri Jan 10 22:25:48 EST 2003
Steve Huston wrote:
>
> This is more of a Pine problem than Cyrus, but I'm hoping someone here might
> know what I can do...
>
[...]
> Now, our current Cyrus server has a self-signed cert which Pine doesn't like
> unless you add /novalidate-cert to the hostname of the server. But this time,
> that doesn't even help as it just says "There was an SSL/TLS failure for the
> server" "The reason for the failure was: SSL Negotiation failed" Cyrus also
> reports the same thing in the logs. I understand the point of
> '/novalidate-cert', meaning don't try to check the signing authority on the
I just tested Pine 4.44 against my Cyrus 2.1.11 using a self-signed cert
(/novalidate-cert) and it works fine. Below is the output from ssldump
(http://www.rtfm.com/ssldump/) for reference. I'd use ssldump to see
where in the negotiation it fails.
[root at eagle]# ssldump -d -i lo -k /var/imap/certs/mail.oceana.com.key port 143
New TCP connection #1: eagle.oceana.com(38414) <-> eagle.oceana.com(143)
0.0315 (0.0315) S>C
---------------------------------------------------------------
* OK eagle.oceana.com Cyrus IMAP4 v2.1.11 server ready
---------------------------------------------------------------
0.0320 (0.0005) C>S
---------------------------------------------------------------
00000000 CAPABILITY
---------------------------------------------------------------
0.0324 (0.0004) S>C
---------------------------------------------------------------
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LOGINDISABLED
AUTH=SRP AUTH=OTP AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT
LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
00000000 OK Completed
---------------------------------------------------------------
0.0327 (0.0002) C>S
---------------------------------------------------------------
00000001 STARTTLS
---------------------------------------------------------------
0.1106 (0.0779) S>C
---------------------------------------------------------------
00000001 OK Begin TLS negotiation now
---------------------------------------------------------------
1 1 0.1408 (0.0301) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
1 2 0.1424 (0.0016) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
ce 24 19 9e 16 7a da 4a 2d 2d f7 ef 83 24 ff 55
19 3d 31 9b 72 9f b9 57 17 bc 61 4a 38 4c c5 4d
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
1 3 0.1424 (0.0000) S>C Handshake
Certificate
1 4 0.1424 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_authority
30 81 a9 31 0b 30 09 06 03 55 04 06 13 02 4e 59
31 11 30 0f 06 03 55 04 08 13 08 4e 65 77 20 59
6f 72 6b 31 15 30 13 06 03 55 04 07 13 0c 4f 72
63 68 61 72 64 20 50 61 72 6b 31 0f 30 0d 06 03
55 04 0a 13 06 4f 63 65 61 6e 61 31 28 30 26 06
03 55 04 0b 13 1f 43 65 72 74 69 66 69 63 61 74
69 6f 6e 20 53 65 72 76 69 63 65 73 20 44 69 76
69 73 69 6f 6e 31 17 30 15 06 03 55 04 03 13 0e
4f 63 65 61 6e 61 20 52 6f 6f 74 20 43 41 31 1c
30 1a 06 09 2a 86 48 86 f7 0d 01 09 01 16 0d 63
61 40 6f 63 65 61 6e 61 2e 63 6f 6d
ServerHelloDone
1 5 0.1467 (0.0042) C>S Handshake
Certificate
1 6 0.1467 (0.0000) C>S Handshake
ClientKeyExchange
1 7 0.1467 (0.0000) C>S ChangeCipherSpec
1 8 0.1467 (0.0000) C>S Handshake
Finished
1 9 0.1637 (0.0169) S>C ChangeCipherSpec
1 10 0.1637 (0.0000) S>C Handshake
Finished
1 11 0.1643 (0.0006) C>S application_data
---------------------------------------------------------------
00000002 CAPABILITY
---------------------------------------------------------------
1 12 0.1655 (0.0011) S>C application_data
---------------------------------------------------------------
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP
AUTH=LOGIN AUTH=OTP AUTH=NTLM AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
00000002 OK Completed
---------------------------------------------------------------
1 13 0.1675 (0.0019) C>S application_data
---------------------------------------------------------------
00000003 AUTHENTICATE CRAM-MD5
---------------------------------------------------------------
1 14 0.1679 (0.0004) S>C application_data
---------------------------------------------------------------
+ PDE5NTg3Njk4MTcuMjA2NzQzNkBlYWdsZS5vY2VhbmEuY29tPg==
---------------------------------------------------------------
1 15 6.1941 (6.0261) C>S application_data
---------------------------------------------------------------
a2VuIGM0NzNmMmYyNzA2YWNiOGYzNmEwZDQyNDk1YTEyN2I2
---------------------------------------------------------------
1 16 6.2049 (0.0108) S>C application_data
---------------------------------------------------------------
00000003 OK Success (tls protection)
---------------------------------------------------------------
1 17 6.2057 (0.0007) C>S application_data
---------------------------------------------------------------
00000004 CAPABILITY
---------------------------------------------------------------
1 18 6.2064 (0.0006) S>C application_data
---------------------------------------------------------------
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP
AUTH=LOGIN AUTH=OTP AUTH=NTLM AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
00000004 OK Completed
---------------------------------------------------------------
1 19 6.2069 (0.0005) C>S application_data
---------------------------------------------------------------
00000005 SELECT INBOX
---------------------------------------------------------------
1 20 6.2868 (0.0798) S>C application_data
---------------------------------------------------------------
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen foo bar blah
$Forwarded)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen foo
bar blah $Forwarded \*)]
* 56 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 874939688]
* OK [UIDNEXT 20763]
00000005 OK [READ-WRITE] Completed
---------------------------------------------------------------
1 21 6.2882 (0.0014) C>S application_data
---------------------------------------------------------------
00000006 SEARCH ALL UNDELETED UNSEEN
---------------------------------------------------------------
1 22 6.2893 (0.0010) S>C application_data
---------------------------------------------------------------
* SEARCH
00000006 OK Completed (0 msgs in 0.000 secs)
---------------------------------------------------------------
1 23 6.2920 (0.0027) C>S application_data
---------------------------------------------------------------
00000007 NOOP
---------------------------------------------------------------
1 24 6.2923 (0.0003) S>C application_data
---------------------------------------------------------------
00000007 OK Completed
---------------------------------------------------------------
1 25 116.4456 (110.1532) C>S application_data
---------------------------------------------------------------
00000008 SEARCH ALL DELETED
---------------------------------------------------------------
1 26 116.4471 (0.0015) S>C application_data
---------------------------------------------------------------
* SEARCH
00000008 OK Completed (0 msgs in 0.000 secs)
---------------------------------------------------------------
1 27 116.4475 (0.0003) C>S application_data
---------------------------------------------------------------
00000009 LOGOUT
---------------------------------------------------------------
1 28 116.4477 (0.0002) S>C application_data
---------------------------------------------------------------
* BYE LOGOUT received
00000009 OK Completed
---------------------------------------------------------------
1 29 116.4480 (0.0003) C>S Alert
level warning
value close_notify
1 116.4491 (0.0010) S>C TCP FIN
1 116.4521 (0.0030) C>S TCP FIN
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
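
Added example, not part of the original message or of ssldump: a small Python parser for traces in the format shown above that reports whether the TLS handshake completed or names the last message seen before it stopped. The function names and the failing sample trace are constructed for illustration, and it assumes a trace decrypted with -k, as in the message, so that both Finished messages are visible.

```python
import re

# ssldump record header: "<conn> <rec> <time> (<delta>) <dir> <record type>"
RECORD = re.compile(r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")
HANDSHAKE_MSGS = {"ClientHello", "ServerHello", "Certificate", "ServerKeyExchange",
                  "CertificateRequest", "ServerHelloDone", "ClientKeyExchange",
                  "CertificateVerify", "Finished"}

def handshake_steps(trace):
    """Return the TLS records/messages of a trace as ordered (direction, name) pairs."""
    steps, direction, rtype = [], None, None
    for line in trace.splitlines():
        line = line.strip()
        m = RECORD.match(line)
        if m:
            direction, rtype = m.group(3), m.group(4)
            if rtype != "Handshake":      # ChangeCipherSpec, Alert, application_data
                steps.append((direction, rtype))
        elif rtype == "Handshake" and line in HANDSHAKE_MSGS:
            steps.append((direction, line))
        elif rtype == "Alert" and line.startswith("value"):
            steps[-1] = (direction, "Alert:" + line.split()[-1])
    return steps

def diagnose(trace):
    """Say whether the handshake finished, or name the last message before it stopped."""
    steps = handshake_steps(trace)
    if not steps:
        return "no TLS records: failure is before the handshake"
    if {d for d, name in steps if name == "Finished"} == {"C>S", "S>C"}:
        return "handshake completed"
    alerts = [s for s in steps if s[1].startswith("Alert")]
    progress = [s for s in steps if not s[1].startswith("Alert")]
    last = " ".join(progress[-1]) if progress else "nothing"
    return "stopped after " + last + ("; " + " ".join(alerts[0]) if alerts else "")

# Constructed failing trace (not from the post): client aborts after ServerHelloDone.
SAMPLE_FAILED = """\
1 1 0.1408 (0.0301) C>S Handshake
ClientHello
1 2 0.1424 (0.0016) S>C Handshake
ServerHello
1 3 0.1424 (0.0000) S>C Handshake
Certificate
1 4 0.1424 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.1467 (0.0042) C>S Alert
level fatal
value handshake_failure
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_FAILED))
```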