SSL with OperaMail leads to STARTTLS negotiation failed in the
cs at schulte.it
Sat May 10 23:07:44 EDT 2003
Stephen L. Ulmer wrote:
> "cs" == Christian Schulte <cs at schulte.it> writes:
> cs> Hello, I just installed Opera on Windows because someone
> cs> reported problems with Opera's imapclient M2 if used with
> cs> SSL. Enabling the "use TLS" checkbox in Opera's account
> cs> configuration dialog does not lead to Opera using the desired
> cs> port 993 ! Opera remains using port 143 and then fails to
> cs> connect. In the logfiles I see entries like:
>If Opera is using TLS (as opposed to IMAP over SSL) then it *should*
>be connecting to port 143, then issuing a STARTTLS.
I just read that in RFC2595. So normally Opera should not have any
problems with STARTTLS on port 143 and something really is wrong with my
>By chance is your IMAP server trying to use the TLS client cert for
Don't know! Here is my imapd.conf:
sasl_mech_list: PLAIN LOGIN
sasl_mysql_statement: select password from SASLUser where login='%u' and
domain='%r' and IMAP='YES'
How can it be configured then?
>If you haven't issued the certs for that purpose
>(like we haven't here at UF, no PKI) then that would fail.
The only thing which deals with certificate type in my openssl.cnf is
# This is OK for an SSL server.
nsCertType = server
but this is only relevant for netscape 4 I think.
>I think I remember seeing that a self-signed client cert would fail
>TLS negotiation because a failed TLS authentication would cause the
>whole negotiation to fail. Now I can't remember why I was even
>looking at it...
I have set up a demoCA with openssl. I configured openssl.cnf to make
valid certificates which work even in netscape 4. I even publish the
crl and have crlDistributionPoints set correctly in openssl.cnf. I
created new certificates using CA.pl -newreq-nodes for cyrus and signed
them with the demoCA cacert. So nothing self-signed for now, or?
tls_cert_file: /var/imap/imap.crt = the certificate signed by tls_ca_file
tls_key_file: /var/imap/imap.key = the corresponding key unencrypted
tls_ca_file: /usr/lib/ssl/demoCA/cacert.pem = the ca certificate with
which all certificates get signed
So I have a self-signed CA certificate then and you mean that could be
the problem?
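
The cleartext half of the STARTTLS exchange on port 143 discussed in this thread, as an added example that is not part of the original message and is not Cyrus or Opera code. The host name, the tags a1/a2 and the server replies are constructed, modeled on the exchange in RFC 2595; the function names are hypothetical.

```python
def parse_capabilities(lines):
    """Return the atoms of an untagged '* CAPABILITY ...' response, upper-cased."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
            return {p.upper() for p in parts[2:]}
    return set()

def tagged_status(lines, tag):
    """Return OK/NO/BAD from the tagged completion line for `tag`, or None."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == tag:
            return parts[1].upper()
    return None

def starttls_plan(server):
    """Walk the plaintext steps a client takes on port 143 before the TLS handshake.
    server: callable(command or None for the greeting) -> list of response lines.
    Returns (decision, transcript)."""
    log = []
    def exchange(cmd):
        if cmd is not None:
            log.append("C: " + cmd)
        resp = server(cmd)
        log.extend("S: " + r for r in resp)
        return resp
    greeting = exchange(None)
    if not greeting or not greeting[0].upper().startswith("* OK"):
        return "abort: bad greeting", log
    if "STARTTLS" not in parse_capabilities(exchange("a1 CAPABILITY")):
        return "abort: STARTTLS not advertised", log
    if tagged_status(exchange("a2 STARTTLS"), "a2") != "OK":
        return "abort: server refused STARTTLS", log
    # Only now does the TLS handshake start, on the same TCP connection.
    # Certificate problems surface after this point, not before it.
    # RFC 2595: the client discards the cached capabilities once TLS is up.
    return "upgrade: begin TLS handshake on this connection", log

def scripted(responses):
    """Constructed stand-in for a server: maps each command to canned replies."""
    return lambda cmd: responses.get(cmd, [])

# Constructed replies (not captured traffic).
GREETING = ["* OK mail.example.test IMAP4 server ready"]
TLS_SERVER = scripted({None: GREETING,
    "a1 CAPABILITY": ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", "a1 OK Completed"],
    "a2 STARTTLS": ["a2 OK Begin TLS negotiation now"]})
NO_TLS_SERVER = scripted({None: GREETING,
    "a1 CAPABILITY": ["* CAPABILITY IMAP4rev1", "a1 OK Completed"]})
```

A client that gets as far as the tagged OK for STARTTLS has found the right port and a server willing to negotiate, so a failure logged after that point belongs to the TLS handshake itself.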