STARTTLS negotiation failed

Jonathan Marsden jonathan at bach.xc.org
Fri Jan 10 19:51:01 EST 2003


On 10 Jan 2003, Steve Huston writes:

> Now, our current Cyrus server has a self-signed cert which Pine
> doesn't like unless you add /novalidate-cert to the hostname of the
> server.  But this time, that doesn't even help as it just says
> "There was an SSL/TLS failure for the server" "The reason for the
> failure was: SSL Negotiation failed" Cyrus also reports the same
> thing in the logs.  I understand the point of '/novalidate-cert',
> meaning don't try to check the signing authority on the cert, and I
> could overlook things if that was the only error.

Use 

  openssl s_client -connect server.your.domain:993

to see openssl negotiate with your server.  The info you see (any
warnings, etc.) may give you clues about what specifically Pine is
complaining about.

Alternatively, use

  openssl x509 -text <path/to/my/sslcert.pem

for both the server that Pine is happy with, and the one it is unhappy
with, and compare the output by hand... what attributes are different
or missing in your new self-signed cert?

Longer term, you might want to create your own CA and sign the server
host cert with that CA.  Then provide your public CA cert to Pine and,
theoretically, you won't need "/novalidate-cert".

If you have it around, connecting with mutt rather than Pine might
also be a useful test?

Jonathan
--
Jonathan Marsden       	| Internet: jonathan at xc.org	| Making electronic 
1252 Judson Street  	| Phone: +1 (909) 795-3877	| communications work 
Redlands, CA 92374     	| Fax:   +1 (909) 795-0327	| reliably for Christian 
USA            		| http://www.xc.org/jonathan	| missions worldwide 
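
The by-hand comparison suggested in the message above can be scripted. This is an added example, not part of the original post: the function names and the example.test host names are assumptions, and the sample certificates are constructed locally for illustration.

```sh
#!/bin/sh
# Added example: show which attributes differ between the certificate a
# client accepts and the one it rejects.

# fetch_cert HOST:PORT -> PEM certificate the server presents (needs network).
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509
}

# cert_summary FILE -> names, validity, signature algorithm, extensions and
# key type/size. Serial number, key bytes and signature bytes are dropped
# because they differ between any two certificates and only add noise.
cert_summary() {
    openssl x509 -in "$1" -noout -text \
        -certopt no_header,no_serial,no_pubkey,no_sigdump || return 1
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -noout -text | head -n 1
}

# cert_diff ACCEPTED REJECTED -> unified diff of the two summaries.
# Exit status: 0 = no differences, 1 = differences, 2 = a cert was unreadable.
cert_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    if cert_summary "$1" >"$a" && cert_summary "$2" >"$b"; then
        diff -u "$a" "$b" && rc=0 || rc=$?
    else
        rc=2
    fi
    rm -f "$a" "$b"
    return "$rc"
}

# make_sample_cert CN OUT -> constructed self-signed test certificate, so the
# comparison can be tried offline. The private key is written to OUT.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Typical use against two live servers (host names are placeholders):
#   fetch_cert old.example.test:993 > old.pem
#   fetch_cert new.example.test:993 > new.pem
#   cert_diff old.pem new.pem
```

Lines prefixed with `-` come from the accepted certificate and lines prefixed with `+` from the rejected one; the validity dates and key identifiers will always differ, so look past them for a changed subject, missing extension or different key size.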




More information about the Info-cyrus mailing list