SSL with OperaMail leads to STARTTLS negotiation failed in the logs?
Christian Schulte
cs at schulte.it
Sat May 10 23:07:44 EDT 2003
Stephen L. Ulmer wrote:
> "cs" == Christian Schulte <cs at schulte.it> writes:
>
> cs> Hello, I just installed Opera on Windows because someone
> cs> reported problems with Opera's imapclient M2 if used with
> cs> SSL. Enabling the "use TLS" checkbox in Opera's account
> cs> configuration dialog does not lead to Opera using the desired
> cs> port 993 ! Opera remains using port 143 and then fails to
> cs> connect. In the logfiles I see entries like:
>
>If Opera is using TLS (as opposed to IMAP over SSL) then it *should*
>be connecting to port 143, then issuing a STARTTLS.
>
I just read that in RFC2595. So normally Opera should not have any
problems with STARTTLS on port 143 and something really is wrong with my
installation!
>By chance is your IMAP server trying to use the TLS client cert for
>authentication?
>
Don't know! Here is my imapd.conf:
smtp:/var/httpd/CS20020307/pub/rams.rent-a-mailserver.de# cat /etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/spool/sieve
servername: somename
admins: someadmins
defaultdomain: somedomain
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: mysql
sasl_allowanonymouslogin: no
sasl_allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
sasl_mysql_user: someuser
sasl_mysql_passwd: somepass
sasl_mysql_hostnames: localhost
sasl_mysql_database: admin
sasl_mysql_statement: select password from SASLUser where login='%u' and domain='%r' and IMAP='YES'
tls_cert_file: /var/imap/imap.crt
tls_key_file: /var/imap/imap.key
tls_ca_file: /usr/lib/ssl/demoCA/cacert.pem
idlesocket: /var/imap/socket/idle
unixhierarchysep: yes
virtdomains: yes
altnamespace: on
sharedprefix: Teamordner
userprefix: Accounts
unix_group_enable: 0
umask: 007
imapidresponse: no
logtimestamps: 1
lmtp_over_quota_perm_failure: 1
autocreatequota: -1
How can it be configured then?
>If you haven't issued the certs for that purpose
>(like we haven't here at UF, no PKI) then that would fail.
>
The only thing which deals with certificate type in my openssl.cnf is
# This is OK for an SSL server.
nsCertType = server
but this is only relevant for Netscape 4 I think.
>I think I remember seeing that a self-signed client cert would fail
>TLS negotiation because a failed TLS authentication would cause the
>whole negotiation to fail. Now I can't remember why I was even
>looking at it...
>
>
I have set up a demoCA with openssl. I configured openssl.cnf to make
valid certificates which work even in Netscape 4. I even publish the
CRL and have crlDistributionPoints set correctly in openssl.cnf. I
created new certificates using CA.pl -newreq-nodes for cyrus and signed
them with the demoCA cacert. So nothing self-signed for now, or?
tls_cert_file: /var/imap/imap.crt = the certificate signed by tls_ca_file
tls_key_file: /var/imap/imap.key = the corresponding key, unencrypted
tls_ca_file: /usr/lib/ssl/demoCA/cacert.pem = the CA certificate with
which all certificates get signed
So I have a self-signed CA certificate then, and you mean that could be
the problem?
--Christian
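An added diagnostic script (not from this thread or from Cyrus) for the situation above: it checks that the certificate in tls_cert_file verifies against tls_ca_file, shows which certificate-type extensions the cert carries, and runs the RFC 2595 STARTTLS exchange on port 143 the way Opera's "use TLS" does, which also reveals whether the server is requesting a client certificate. The file paths are the imapd.conf values quoted above; HOST is a placeholder for the Cyrus server.

```sh
#!/bin/sh
# Added diagnostic, not part of the thread. Paths are the tls_* values from
# the imapd.conf above; HOST is a placeholder for the Cyrus server.

# Does the server certificate verify against tls_ca_file? Cyrus presents
# exactly this chain, so a cert that fails here fails for Opera as well.
# verify_chain CAFILE CERT -> exit 0 if CERT is signed by CAFILE
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the certificate-type extensions. nsCertType is the Netscape-era
# extension; extendedKeyUsage is the one current clients consult.
# cert_types CERT
cert_types() {
    openssl x509 -in "$1" -noout -text \
        | grep -E -A1 'Netscape Cert Type|Extended Key Usage' \
        || echo "no nsCertType/extendedKeyUsage extension"
}

# Run the RFC 2595 STARTTLS exchange on port 143, as Opera's "use TLS" does,
# verifying the server against the CA file. The filtered lines show the
# negotiated protocol, the verify result, and whether the server sent a
# CertificateRequest: s_client then lists "Acceptable client certificate CA
# names" instead of "No client certificate CA names sent".
# starttls_probe HOST CAFILE
starttls_probe() {
    openssl s_client -connect "$1:143" -starttls imap -CAfile "$2" \
        </dev/null 2>&1 \
        | grep -E 'Protocol|Verify return code|client certificate CA names'
}

# Usage: sh check_cyrus_tls.sh check [HOST]
if [ "$1" = "check" ]; then
    CA=/usr/lib/ssl/demoCA/cacert.pem
    verify_chain "$CA" /var/imap/imap.crt && echo "chain OK" || echo "chain FAILS"
    cert_types /var/imap/imap.crt
    starttls_probe "${2:-HOST}" "$CA"
fi
```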