2.3.11 STARTTLS broken if tls_ca_file is defined

Janne Peltonen janne.peltonen at helsinki.fi
Thu Jan 3 08:34:15 EST 2008


I don't know whether this is related, but when I tried to upgrade my
frontends to 2.3.11 (from Simon's RPM) yesterday, I ran into quite a
mess. After abt half an hour of normal-looking operation, the imapproxy in my
Webmail server could no longer negotiate starttls:

--clip--
-n  2 17:24:48 pcn5.mappi.helsinki.fi p02/master[23992]: process started 
Jan  2 17:24:48 pcn5.mappi.helsinki.fi p02/ctl_cyrusdb[23993]: recovering cyrus databases 
Jan  2 17:25:04 pcn5.mappi.helsinki.fi p02/ctl_cyrusdb[23993]: skiplist: recovered /var/lib/imap/p02/mailboxes.db (652917 records, 100550228 bytes) in 16 seconds 
Jan  2 17:25:04 pcn5.mappi.helsinki.fi p02/ctl_cyrusdb[23993]: skiplist: recovered /var/lib/imap/p02/annotations.db (0 records, 144 bytes) in 0 seconds 
Jan  2 17:25:11 pcn5.mappi.helsinki.fi p02/ctl_cyrusdb[23993]: done recovering cyrus databases 
Jan  2 17:25:15 pcn5.mappi.helsinki.fi p02/tls_prune[24750]: skiplist: recovered /var/lib/imap/p02/tls_sessions.db (11933 records, 5112508 bytes) in 0 seconds 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/tls_prune[24750]: tls_prune: purged 24 out of 11933 entries 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/master[23992]: ready for work 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/ctl_cyrusdb[24752]: checkpointing cyrus databases 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/lmtpa[24758]: skiplist: recovered /var/lib/imap/p02/deliver.db (0 records, 144 bytes) in 0 seconds 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/mupdate[24759]: successful mupdate connection to im.mappi.helsinki.fi 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/mupdate[24759]: unready for connections 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/mupdate[24759]: synchronizing mailbox list with master mupdate server 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/imap[24753]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:16 pcn5.mappi.helsinki.fi p02/imap[24774]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:17 pcn5.mappi.helsinki.fi p02/ctl_cyrusdb[24752]: done checkpointing cyrus databases 
Jan  2 17:25:17 pcn5.mappi.helsinki.fi p02/imap[24753]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication 
Jan  2 17:25:17 pcn5.mappi.helsinki.fi p02/imap[24783]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:17 pcn5.mappi.helsinki.fi p02/imap[24753]: login: homunculus.it.helsinki.fi [128.214.205.36] jicheng plaintext+TLS User logged in 
Jan  2 17:25:17 pcn5.mappi.helsinki.fi p02/imap[24784]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:19 pcn5.mappi.helsinki.fi p02/imap[24769]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:19 pcn5.mappi.helsinki.fi p02/imap[24892]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:20 pcn5.mappi.helsinki.fi p02/imap[24766]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:20 pcn5.mappi.helsinki.fi p02/imap[24763]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:20 pcn5.mappi.helsinki.fi p02/imap[24763]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication 
Jan  2 17:25:20 pcn5.mappi.helsinki.fi p02/imap[24763]: login: homunculus.it.helsinki.fi [128.214.205.36] ksotala plaintext+TLS User logged in 
Jan  2 17:25:20 pcn5.mappi.helsinki.fi p02/imap[25225]: imapd:Loading hard-coded DH parameters 
Jan  2 17:25:21 pcn5.mappi.helsinki.fi p02/imap[25226]: imapd:Loading hard-coded DH parameters 
[...]
Jan  2 17:55:16 pcn5.mappi.helsinki.fi p02/imap[24774]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:16 pcn5.mappi.helsinki.fi p02/imap[24774]: idle for too long, closing connection 
Jan  2 17:55:17 pcn5.mappi.helsinki.fi p02/imap[24783]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:17 pcn5.mappi.helsinki.fi p02/imap[24783]: idle for too long, closing connection 
Jan  2 17:55:17 pcn5.mappi.helsinki.fi p02/imap[24784]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:17 pcn5.mappi.helsinki.fi p02/imap[24784]: idle for too long, closing connection 
Jan  2 17:55:19 pcn5.mappi.helsinki.fi p02/imap[24769]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:19 pcn5.mappi.helsinki.fi p02/imap[24769]: idle for too long, closing connection 
Jan  2 17:55:19 pcn5.mappi.helsinki.fi p02/imap[24892]: STARTTLS negotiation failed: lemure.it.helsinki.fi [128.214.205.35] 
Jan  2 17:55:19 pcn5.mappi.helsinki.fi p02/imap[24892]: idle for too long, closing connection 
Jan  2 17:55:20 pcn5.mappi.helsinki.fi p02/imap[24766]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:20 pcn5.mappi.helsinki.fi p02/imap[24766]: idle for too long, closing connection 
Jan  2 17:55:20 pcn5.mappi.helsinki.fi p02/imap[25225]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:20 pcn5.mappi.helsinki.fi p02/imap[25225]: idle for too long, closing connection 
Jan  2 17:55:21 pcn5.mappi.helsinki.fi p02/imap[25226]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:21 pcn5.mappi.helsinki.fi p02/imap[25226]: idle for too long, closing connection 
Jan  2 17:55:21 pcn5.mappi.helsinki.fi p02/imap[24762]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:55:21 pcn5.mappi.helsinki.fi p02/imap[24762]: idle for too long, closing connection 
-clip--

There are occasional successful logins from other clients in between:

--clip--
Jan  2 17:56:23 pcn5.mappi.helsinki.fi p02/imap[27608]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:56:23 pcn5.mappi.helsinki.fi p02/imap[27608]: idle for too long, closing connection 
Jan  2 17:56:24 pcn5.mappi.helsinki.fi p02/imaps[15563]: imapd:Loading hard-coded DH parameters 
Jan  2 17:56:24 pcn5.mappi.helsinki.fi p02/imaps[15563]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication 
Jan  2 17:56:25 pcn5.mappi.helsinki.fi p02/imaps[15563]: login: dsl-hkibras-fe27f900-71.dhcp.inet.fi [84.249.39.71] prisberg plaintext+TLS User logged in 
Jan  2 17:56:26 pcn5.mappi.helsinki.fi p02/imap[27695]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:56:26 pcn5.mappi.helsinki.fi p02/imap[27695]: idle for too long, closing connection 
Jan  2 17:56:26 pcn5.mappi.helsinki.fi p02/imap[27625]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:56:26 pcn5.mappi.helsinki.fi p02/imap[27625]: idle for too long, closing connection 
Jan  2 17:56:27 pcn5.mappi.helsinki.fi p02/imap[27708]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:56:27 pcn5.mappi.helsinki.fi p02/imap[27708]: idle for too long, closing connection 
Jan  2 17:56:28 pcn5.mappi.helsinki.fi p02/imap[27690]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:56:28 pcn5.mappi.helsinki.fi p02/imap[27690]: idle for too long, closing connection 
Jan  2 17:56:29 pcn5.mappi.helsinki.fi p02/imap[27625]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication 
Jan  2 17:56:29 pcn5.mappi.helsinki.fi p02/imap[27625]: login: homunculus.it.helsinki.fi [128.214.205.36] tanurmi plaintext+TLS User logged in 
Jan  2 17:56:30 pcn5.mappi.helsinki.fi p02/imap[27710]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
Jan  2 17:56:30 pcn5.mappi.helsinki.fi p02/imap[27710]: idle for too long, closing connection 
Jan  2 17:56:47 pcn5.mappi.helsinki.fi p02/imap[19074]: imapd:Loading hard-coded DH parameters 
Jan  2 17:56:49 pcn5.mappi.helsinki.fi p02/imaps[19160]: imapd:Loading hard-coded DH parameters 
Jan  2 17:56:49 pcn5.mappi.helsinki.fi p02/imaps[19160]: starttls: TLSv1 with cipher RC4-MD5 (128/128 bits reused) no authentication 
Jan  2 17:56:49 pcn5.mappi.helsinki.fi p02/imaps[19160]: login: a88-112-37-168.elisa-laajakaista.fi [88.112.37.168] teppo plaintext+TLS User logged in 
Jan  2 17:56:49 pcn5.mappi.helsinki.fi p02/imaps[7449]: starttls: TLSv1 with cipher RC4-MD5 (128/128 bits reused) no authentication 
Jan  2 17:56:49 pcn5.mappi.helsinki.fi p02/imaps[7449]: login: a88-112-37-168.elisa-laajakaista.fi [88.112.37.168] teppo plaintext+TLS User logged in 
Jan  2 17:56:55 pcn5.mappi.helsinki.fi p02/imap[27607]: STARTTLS negotiation failed: homunculus.it.helsinki.fi [128.214.205.36] 
--clip--

(homunculus and lemure are the webmail/imapproxy servers).

So I was forced to downgrade the frontends back to the previously-used version
(2.3.8-8 from Simon, with the proxyd-disable-referral patch added locally).

Any ideas what might be wrong? Something seems to get full and stop working...
(I have the tls_ca_file defined, too.) I'm not even sure whether this is really
a bug in Cyrus or Imapproxy.


--Janne

On Mon, Dec 17, 2007 at 12:56:46PM +0100, Sebastian Hagedorn wrote:
> --On 16. Dezember 2007 15:08:46 +0100 Wolfgang Breyha <wbreyha at gmx.net> 
> wrote:
> 
> >I always had
> >tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> >defined in my imapd.conf.
> 
> FWIW: I have a tls_ca_file defined as well.
> 
> >Since I updated to 2.3.11 yesterday STARTTLS didn't work anymore because
> >negotiation failed and timed out. $CLIENT was waiting for more packets
> >from server AFAIS in a tcpdump, where $CLIENT is Thunderbird, gnutls-cli,
> >apple-mail.
> 
> Hm, I don't run 2.3.11 proper, but my locally built version contains the 
> modified tls.c etc. So I would think that it should behave the same way as 
> 2.3.11, but of course I can't be sure. And here STARTTLS works fine.
> 
> >IMAPS always worked...so I searched for differences in the code and found
> >the "client cert verfication" code triggered by askcert == 1 in tls.c:738
> 
> Hm, do you use client certificates? We don't ...
> 
> >Log always showed:
> >00:00 imap[8508]: accepted connection
> >  +02 imap[8508]: SSL_accept() incomplete -> wait <- here the client waits
> >  +23 imap[8508]: EOF in SSL_accept() -> fail     <- here client sent FIN
> 
> That code is where all the changes were made. It's conceivable that there 
> are cases where the new approach breaks.
> -- 
>     .:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
> Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
> .:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
>                   .:.:.:.Skype: shagedorn.:.:.:.



> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

-- 
Janne Peltonen <janne.peltonen at helsinki.fi>


More information about the Info-cyrus mailing list