STARTTLS negotiation failed

Steve Huston huston at astro.Princeton.EDU
Fri Jan 10 21:09:55 EST 2003


On Fri, 10 Jan 2003, Jonathan Marsden wrote:
> On 10 Jan 2003, Steve Huston writes:
> > Now, our current Cyrus server has a self-signed cert which Pine
> > doesn't like unless you add /novalidate-cert to the hostname of the
> > server.  But this time, that doesn't even help as it just says
> > "There was an SSL/TLS failure for the server" "The reason for the
> > failure was: SSL Negotiation failed" Cyrus also reports the same
> > thing in the logs.  I understand the point of '/novalidate-cert',
> > meaning don't try to check the signing authority on the cert, and I
> > could overlook things if that was the only error.
>   openssl s_client -connect server.your.domain:993
> to see openssl negotiate with your server.  The info you see (any
> warnings, etc.) may give you clues about what specifically Pine is
> complaining about.

That works fine; the problem seems to be when connecting to 143 and
negotiating up to TLS from there (which Pine now does by default, and puts a
nice "(INSECURE)" on the screen if you set /notls).

> Alternatively, use
>   openssl x509 -text <path/to/my/sslcert.pem
> for both the server that Pine is happy with, and the one it is unhappy
> with, and compare the output by hand... what attributes are different
> or missing in your new self-signed cert?
> Longer term, you might want to create your own CA and sign the server
> host cert with that CA.  Then provide your public CA cert to Pine and,
> theoretically, you won't need "/novalidate-cert".

I did this with the cert currently in use, just never installed the CA on
clients.  It wasn't used by more than three people, and they knew what to do,
so I wasn't worried about it.  Now more are getting into not having to use SSH
into the building, and the fact that someone couldn't use Squirrelmail from
some set-top box in a hotel due to the cert means the new server gets a real
signed one.  Whoopee.

> If you have it around, connecting with mutt rather than Pine might
> also be a useful test?

Very useful!  Same results, connecting to port 993 and starting with SSL
enabled works fine, but connecting to 143 and issuing STARTTLS fails just the
same.  Now I know better where to look.  And come to think of it, I think
Mozilla, Netscape and OS X's Mail all were using SSL on 993, not TLS on 143.
That explains why they worked fine.

I tried signing the cert with my own CA, and installing the CA's cert, and all
that did was remove the complaint about not being able to verify the cert.
Still get the "SSL negotiation failed" message.

-- 
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
 Princeton University  |     ICBM Address: 40.346525   -74.651285
   126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'
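A small diagnostic that reproduces the comparison made in this thread (implicit TLS on 993 versus STARTTLS on 143, with and without certificate validation) and separates "could not verify the cert" from "the handshake itself failed". This is an added example, not code from the thread or from Cyrus/Pine; the host is taken from the command line and the result labels are my own.

```python
"""Compare IMAP over implicit TLS (993) with IMAP + STARTTLS (143)."""
import imaplib
import ssl
import sys


def make_context(verify: bool) -> ssl.SSLContext:
    """Default (validating) context, or the equivalent of Pine's /novalidate-cert."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(exc: Exception) -> str:
    """Label a failure so a cert-trust problem is not confused with a broken handshake."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify"      # the part /novalidate-cert (or a trusted CA) would cure
    if isinstance(exc, ssl.SSLError):
        return "negotiation"      # the handshake failed regardless of trust
    return "other"                # refused connection, timeout, IMAP protocol error, ...


def check_implicit_tls(host: str, port: int = 993, verify: bool = True) -> str:
    """TLS from the first byte, as on port 993."""
    try:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=make_context(verify))
        conn.logout()
        return "ok"
    except Exception as exc:
        return classify(exc)


def check_starttls(host: str, port: int = 143, verify: bool = True) -> str:
    """Plaintext greeting first, then upgrade with STARTTLS, as on port 143."""
    try:
        conn = imaplib.IMAP4(host, port)
        if "STARTTLS" not in conn.capabilities:   # server did not even offer it
            return "no-starttls-advertised"
        conn.starttls(ssl_context=make_context(verify))
        conn.logout()
        return "ok"
    except Exception as exc:
        return classify(exc)


if __name__ == "__main__":
    host = sys.argv[1]   # e.g. server.your.domain
    for verify in (True, False):
        print(f"verify={verify}: 993/TLS={check_implicit_tls(host, verify=verify)}  "
              f"143/STARTTLS={check_starttls(host, verify=verify)}")
```

A server that reports "ok" on 993 but "negotiation" on 143 even with verify=False is in exactly the state described above: the certificate chain is not the problem, the STARTTLS upgrade is.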