2.3.11 STARTTLS broken if tls_ca_file is defined

Sebastian Hagedorn Hagedorn at uni-koeln.de
Mon Dec 17 06:56:46 EST 2007

--On 16. Dezember 2007 15:08:46 +0100 Wolfgang Breyha <wbreyha at gmx.net> 

> I always had
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> defined in my imapd.conf.

FWIW: I have a tls_ca_file defined as well.

> Since I updated to 2.3.11 yesterday STARTTLS didn't work anymore because
> negotiation failed and timed out. $CLIENT was waiting for more packets
> from server AFAIS in a tcpdump, where $CLIENT is Thunderbird, gnutls-cli,
> apple-mail.

Hm, I don't run 2.3.11 proper, but my locally built version contains the 
modified tls.c etc. So I would think that it should behave the same way as 
2.3.11, but of course I can't be sure. And here STARTTLS works fine.

> IMAPS always worked...so I searched for differences in the code and found
> the "client cert verfication" code triggered by askcert == 1 in tls.c:738

Hm, do you use client certificates? We don't ...

> Log always showed:
> 00:00 imap[8508]: accepted connection
>   +02 imap[8508]: SSL_accept() incomplete -> wait <- here the client waits
>   +23 imap[8508]: EOF in SSL_accept() -> fail     <- here client sent FIN

That code is where all the changes were made. It's conceivable that there 
are cases where the new approach breaks.
     .:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
                   .:.:.:.Skype: shagedorn.:.:.:.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20071217/e1b46aa2/attachment.bin 

More information about the Info-cyrus mailing list