2.3.11 STARTTLS broken if tls_ca_file is defined
Sebastian Hagedorn
Hagedorn at uni-koeln.de
Mon Dec 17 06:56:46 EST 2007
--On 16 December 2007 15:08:46 +0100 Wolfgang Breyha <wbreyha at gmx.net>
wrote:
> I always had
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> defined in my imapd.conf.
FWIW: I have a tls_ca_file defined as well.
> Since I updated to 2.3.11 yesterday STARTTLS didn't work anymore because
> negotiation failed and timed out. $CLIENT was waiting for more packets
> from server AFAIS in a tcpdump, where $CLIENT is Thunderbird, gnutls-cli,
> apple-mail.
Hm, I don't run 2.3.11 proper, but my locally built version contains the
modified tls.c etc. So I would think that it should behave the same way as
2.3.11, but of course I can't be sure. And here STARTTLS works fine.
> IMAPS always worked...so I searched for differences in the code and found
> the "client cert verification" code triggered by askcert == 1 in tls.c:738
Hm, do you use client certificates? We don't ...
> Log always showed:
> 00:00 imap[8508]: accepted connection
> +02 imap[8508]: SSL_accept() incomplete -> wait <- here the client waits
> +23 imap[8508]: EOF in SSL_accept() -> fail <- here client sent FIN
That code is where all the changes were made. It's conceivable that there
are cases where the new approach breaks.
--
.:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
.:.:.:.Skype: shagedorn.:.:.:.
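The symptom Wolfgang reports (server logs "SSL_accept() incomplete -> wait", the client sits waiting for more packets and eventually sends FIN) is easiest to confirm from the client side with a probe that does the plaintext IMAP exchange itself and then times the TLS handshake. The following is an added example, not code from this thread or from Cyrus IMAP: probe_starttls, _read_line and start_fake_server are names chosen here, and the fake server is a constructed stand-in that greets, accepts STARTTLS and then never answers the ClientHello, so the stalled-handshake case can be exercised without a broken server at hand.

```python
"""Added example: probe an IMAP server's STARTTLS negotiation and classify
how it ends.  Not code from the thread or from Cyrus IMAP; the fake server
below is a constructed stand-in for the reported symptom (server says OK to
STARTTLS, then SSL_accept() never completes)."""
import socket
import ssl
import threading


def _read_line(sock):
    """Read one CRLF-terminated IMAP line, one byte at a time so that no bytes
    belonging to the TLS handshake are ever swallowed into a read buffer."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("EOF before end of line")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def probe_starttls(host, port, timeout=5.0):
    """Return a short classification of the STARTTLS attempt:
    'bad-greeting', 'plaintext-timeout', 'plaintext-eof', 'starttls-refused',
    'handshake-timeout', 'handshake-eof', 'handshake-error:<reason>' or
    'ok:<TLS version>'.  Certificate verification is deliberately off: the
    question is whether negotiation completes at all, not whether the chain
    is trusted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            greeting = _read_line(sock)
            if not greeting.startswith("* OK"):
                return "bad-greeting"
            sock.sendall(b"a1 STARTTLS\r\n")
            # Skip untagged lines until the tagged reply to our command.
            while True:
                reply = _read_line(sock)
                if reply.startswith("a1 "):
                    break
        except socket.timeout:
            return "plaintext-timeout"
        except ConnectionError:
            return "plaintext-eof"
        if not reply.startswith("a1 OK"):
            return "starttls-refused"

        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)  # runs the handshake
        except socket.timeout:
            # ClientHello went out and nothing came back: the client-side view of
            # "SSL_accept() incomplete -> wait" from the thread.
            return "handshake-timeout"
        except (ConnectionError, ssl.SSLEOFError):
            return "handshake-eof"
        except ssl.SSLError as exc:
            return "handshake-error:%s" % (exc.reason or "unknown")
        with tls:
            return "ok:%s" % tls.version()


def start_fake_server(mode):
    """Constructed test double on 127.0.0.1.  mode='stall' greets, accepts
    STARTTLS, then reads the ClientHello and stays silent until the client
    gives up; mode='refuse' answers STARTTLS with NO.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                conn.sendall(b"* OK IMAP4rev1 fake server ready\r\n")
                cmd = b""
                while not cmd.endswith(b"\r\n"):
                    chunk = conn.recv(64)
                    if not chunk:
                        return
                    cmd += chunk
                if mode == "stall" and cmd.upper().startswith(b"A1 STARTTLS"):
                    conn.sendall(b"a1 OK Begin TLS negotiation now\r\n")
                    # Swallow everything the client sends and never answer,
                    # until the client closes (sends FIN).
                    while conn.recv(4096):
                        pass
                else:
                    conn.sendall(b"a1 NO STARTTLS unavailable\r\n")
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("stall  ->", probe_starttls("127.0.0.1", start_fake_server("stall"), timeout=2.0))
    print("refuse ->", probe_starttls("127.0.0.1", start_fake_server("refuse")))
```

Against a real server the call is simply probe_starttls("imap.example.org", 143); a "handshake-timeout" result alongside a working IMAPS port 993 is the pattern described in the thread. The same check from a shell is `openssl s_client -starttls imap -connect host:143`, which will likewise hang in the handshake rather than print a certificate chain. Reading the plaintext phase one byte at a time is deliberate: a buffered read could consume the first bytes of the server's TLS records and turn a working server into a false "handshake-error".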