2.3.11 STARTTLS broken if tls_ca_file is defined

Sebastian Hagedorn Hagedorn at uni-koeln.de
Tue Jan 15 07:53:04 EST 2008


Hi,

please don't write to me personally but keep this on the list instead.

--On 15 January 2008 10:32:16 +0100 jc.duss59 at laposte.net wrote:

> Here is my log, when I try to open a connection in TLS.
>
> Jan 15 10:29:54 imaptest master[1024]: about to exec /usr/local/cyrus/bin/imapd
> Jan 15 10:29:54 imaptest imap[1024]: executed
> Jan 15 10:29:54 imaptest imap[1024]: accepted connection
> Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
> Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
> Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
> Jan 15 10:29:55 imaptest imap[1024]: accepted connection
> Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
> Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
>
> Thanks a lot for further information.

OK, I guess that's helpful. The reason for the failure is this line:

wrong version number in SSL_accept() -> fail

Now the question is why that happens. This is the code that logs the line:

        case SSL_ERROR_SSL:
            err = ERR_get_error();
            if (err == 0) {
                syslog(LOG_DEBUG, "protocol error in SSL_accept() -> fail");
            } else {
                syslog(LOG_DEBUG, "%s in SSL_accept() -> fail",
                       ERR_reason_error_string(err));
            }
            break;

So the server notes an SSL error, logs it and drops the connection. The 
cause of the error seems to be something like this:

"Versions in client/server SSL records do not agree.
Probably your client sends an SSL2 client_hello handshake
message and the server is configured only for SSL3/TLS1.
In this situation the server does not accept the SSL2
client_hello, which is manifested by the "wrong version
number" error.
To resolve this error you may disable SSL2 on the client
or enable the SSL2 handshake on the server.
tcpdump output from the failing session's handshake
may be helpful too."

What I don't understand is how it could've worked in earlier versions. 
Anyway, could this be a client issue? Can you try other clients to see if 
they handle this differently? Can you disable SSLv2 in your client?
-- 
     .:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
                   .:.:.:.Skype: shagedorn.:.:.:.
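Added example, not code from Cyrus or from anyone in the thread: the tcpdump check the quoted explanation suggests, as a small Python classifier for the first record a client sends after the server accepts STARTTLS. It tells an SSLv2-format CLIENT-HELLO (the case discussed above) apart from an SSLv3/TLS ClientHello and from a client that never started TLS at all, which is another common cause of the same OpenSSL error; the byte captures in SAMPLES are constructed, not taken from the poster's session.

```python
# Added example, not code from Cyrus or the thread: classify the first bytes
# a client sends after STARTTLS is accepted, the check to run on a tcpdump
# capture of a session that failed with "wrong version number in SSL_accept()".
from typing import Dict

TLS_HANDSHAKE = 0x16  # SSLv3/TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type, same value in SSLv2 and SSLv3/TLS
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major << 8) | minor, f"unknown version {major}.{minor}")

def classify_client_hello(data: bytes) -> str:
    """Describe the client's first record from a raw byte capture."""
    if len(data) < 5:
        return "too short to be a handshake record"
    # SSLv2 record: 2-byte header with the high bit of byte 0 set, then the
    # message type. This is the CLIENT-HELLO shape that a server configured
    # for SSL3/TLS1 only rejects with "wrong version number".
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return f"SSLv2-format CLIENT-HELLO offering {version_name(data[3], data[4])}"
    # SSLv3/TLS record: content type 0x16 and record-layer version 3.x,
    # followed by the handshake message type.
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        kind = "ClientHello" if len(data) > 5 and data[5] == CLIENT_HELLO else "handshake record"
        return f"SSLv3/TLS {kind}, record version {version_name(data[1], data[2])}"
    # Not a TLS handshake at all. Printable ASCII means the client kept talking
    # plaintext IMAP after the server switched to TLS, another common cause of
    # the same "wrong version number" error.
    if all(32 <= c < 127 or c in (10, 13) for c in data):
        return f"plaintext, not TLS: {data.decode('ascii').strip()!r}"
    return "unrecognised: neither an SSLv2 nor an SSLv3/TLS handshake record"

# Constructed captures (not from the thread): the first record of four clients.
SAMPLES = {
    "sslv2_hello": bytes.fromhex("802e0100020018000000100000"),
    "sslv2_compat_hello": bytes.fromhex("802e0103010018000000100000"),
    "tls10_hello": bytes.fromhex("160301002f01000029030100000000"),
    "plaintext_imap": b"a001 CAPABILITY\r\n",
}

def classify_samples() -> Dict[str, str]:
    return {name: classify_client_hello(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {verdict}")
```

Feed it the client's first bytes after the server's "OK Begin TLS negotiation" reply, extracted from the capture; an SSLv2-format verdict confirms the explanation quoted above, a plaintext verdict points at the client instead.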