STARTTLS negotiation failed
Jonathan Marsden
jonathan at bach.xc.org
Fri Jan 10 19:51:01 EST 2003
On 10 Jan 2003, Steve Huston writes:
> Now, our current Cyrus server has a self-signed cert which Pine
> doesn't like unless you add /novalidate-cert to the hostname of the
> server. But this time, that doesn't even help as it just says
> "There was an SSL/TLS failure for the server" "The reason for the
> failure was: SSL Negotiation failed" Cyrus also reports the same
> thing in the logs. I understand the point of '/novalidate-cert',
> meaning don't try to check the signing authority on the cert, and I
> could overlook things if that was the only error.

Use

    openssl s_client -connect server.your.domain:993

to see openssl negotiate with your server. The info you see (any
warnings, etc.) may give you clues about what specifically Pine is
complaining about.

Alternatively, use

    openssl x509 -text <path/to/my/sslcert.pem

for both the server that Pine is happy with, and the one it is unhappy
with, and compare the output by hand... what attributes are different
or missing in your new self-signed cert?

Longer term, you might want to create your own CA and sign the server
host cert with that CA. Then provide your public CA cert to Pine and,
theoretically, you won't need "/novalidate-cert".

If you have it around, connecting with mutt rather than Pine might
also be a useful test?

Jonathan
--
Jonathan Marsden | Internet: jonathan at xc.org | Making electronic
1252 Judson Street | Phone: +1 (909) 795-3877 | communications work
Redlands, CA 92374 | Fax: +1 (909) 795-0327 | reliably for Christian
USA | http://www.xc.org/jonathan | missions worldwide
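
The longer-term suggestion in the message above (create your own CA, sign the server cert with it, give clients the CA cert) worked through as an added example that is not part of the original post. The CA name, file names, key size and validity periods are assumptions; server.your.domain is the placeholder hostname from the message.

```shell
#!/bin/sh
# Added example: private CA -> CA-signed server cert -> chain verification.
# CA name, file names, key size and lifetimes are assumptions for illustration.

make_ca() {            # $1 = working directory
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Mail CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

sign_server_cert() {   # $1 = working directory, $2 = server hostname
    # Server key and CSR, then a certificate issued by the CA (not self-signed).
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" \
        2>/dev/null || return 1
    # Current TLS clients match the hostname against subjectAltName.
    printf 'subjectAltName = DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/san.ext" \
        -out "$1/server.pem" 2>/dev/null
}

verify_with_ca() {     # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issuer_of() {          # $1 = certificate; prints its issuer line
    openssl x509 -noout -issuer -in "$1"
}

# Demo in a scratch directory: prints the issuer if the chain verifies.
d=$(mktemp -d) && make_ca "$d" && sign_server_cert "$d" server.your.domain &&
    verify_with_ca "$d/ca.pem" "$d/server.pem" && issuer_of "$d/server.pem"
rm -rf "$d"
```

Once the server presents server.pem, `openssl s_client -connect server.your.domain:993 -CAfile ca.pem` should end with `Verify return code: 0 (ok)`. Only ca.pem is handed to clients; ca.key stays with whoever operates the CA.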