SSL with OperaMail leads to STARTTLS negotiation failed in the
logs ?
Stephen L. Ulmer
ulmer at ufl.edu
Sun May 11 12:04:45 EDT 2003
"cs" == Christian Schulte <cs at schulte.it> writes:
[...]
cs> So I have a self-signed ca certificate then and you mean that
cs> could be the problem ?
What I meant was that if you didn't issue client certificates and use
them for authentication, I thought that STARTTLS would fail. It's been
a long time since I looked at this, but I remember:
The protocol loop in imapd.c calls cmd_starttls() in response to a
STARTTLS verb. cmd_starttls calls tls_init-or-something with an
argument that says that the client CAN authenticate.
The result of that (or some other tls_* function) was "TLS encryption
is set-up, but the client has a self-signed cert". I thought that in
the place in the code where that happened you couldn't tell (or maybe
use) if that was good (TLS encryption only) or bad (TLS authentication
failed).
The same function is used whether an SSL connection is made to 993 or
a STARTTLS is issued on 143. I think I gave up because I wasn't sure I
could make a small change that would handle all the cases. Like, is
it okay to authenticate with a client cert on the SSL port? I think I
needed one more parameter and I wasn't comfortable enough to suggest
that at the time.
I should probably just shut up, since I haven't looked at this in
forever, I don't remember what I was looking at when I did look, I'm
not very familiar with TLS or SASL, I didn't report what I thought was
a problem when I found it, and I'm definitely speaking out of turn!
--
Stephen L. Ulmer ulmer at nersp.nerdc.ufl.edu
Senior Systems Programmer http://www.ulmer.org/
Northeast Regional Data Center VOX: (352) 392-2061
University of Florida FAX: (352) 392-9440
More information about the Info-cyrus
mailing list