2.3.11 STARTTLS broken if tls_ca_file is defined

Patrick Boutilier boutilpj at ednet.ns.ca
Tue Jan 15 13:08:01 EST 2008


Sebastian Hagedorn wrote:
> Hi,
> 
> please don't write to me personally but keep this on the list instead.
> 
> --On 15. Januar 2008 10:32:16 +0100 jc.duss59 at laposte.net wrote:
> 
>> Here is my log, when i try to open a connection in TLS.
>>
>> Jan 15 10:29:54 imaptest master[1024]: about to exec /usr/local/cyrus/bin/imapd
>> Jan 15 10:29:54 imaptest imap[1024]: executed
>> Jan 15 10:29:54 imaptest imap[1024]: accepted connection
>> Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
>> Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
>> Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
>> Jan 15 10:29:55 imaptest imap[1024]: accepted connection
>> Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
>> Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
>>
>> Thanks a lot for further information.
> 
> OK, I guess that's helpful. The reason for the failure is this line:
> 
> wrong version number in SSL_accept() -> fail
> 
> Now the question is why that happens. This is the code that logs the line:
> 
>        case SSL_ERROR_SSL:
>            err = ERR_get_error();
>            if (err == 0) {
>                syslog(LOG_DEBUG, "protocol error in SSL_accept() -> fail");
>            } else {
>                syslog(LOG_DEBUG, "%s in SSL_accept() -> fail",
>                       ERR_reason_error_string(err));
>            }
>            break;
> 
> So the server notes an SSL error, logs it and drops the connection. The 
> cause for the error seems to be something like this:
> 
> "Versions in client/server SSL records do not agree.
> Probably your client sends SSL2 client_hello handshake
> message and server is configured only for SSL3/TLS1.
> In this situation server does not accept SSL2
> client_hello what is being manifested by "wrong version
> number" error.
> To resolve this error you may disable SSL2 on client
> or enable SSL2 handshake on server.
> tcpdump output from wrong session handshake
> may be helpful too."
> 
> What I don't understand is how it could've worked in earlier versions. 
> Anyway, could this be a client issue? Can you try other clients to see 
> if they handle this differently? Can you disable SSLv2 in your client?
> 

I had the same problem this morning after running 2.3.11 for over nine 
days. In my case restarting Thunderbird fixed my problem for now.

Jan 15 13:28:42 student imap[9814]: wrong version number in SSL_accept() -> fail
Jan 15 13:28:42 student imap[9814]: STARTTLS negotiation failed: TradeMart-2.EDnet.NS.CA [142.227.51.61]


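Added example, not part of this thread or of the Cyrus code base: a small Python script that correlates the `... in SSL_accept() -> fail` reason logged by imapd with the `STARTTLS negotiation failed: [client]` line that follows it from the same imapd process, so an administrator can see per client whether the failures are the "wrong version number" case discussed above (a hello the server will not accept) or something else such as the `protocol error` branch of the quoted code. The sample log lines are constructed in the format quoted in the thread; the assumption that both lines of one failed negotiation come from the same `host imap[pid]` (reset on each `accepted connection`), and the 192.0.2.7 entry, are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format quoted in the thread.
# The 192.0.2.7 entries are an invented "protocol error" case (err == 0 branch).
SAMPLE_LOG = """\
Jan 15 10:29:54 imaptest imap[1024]: accepted connection
Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
Jan 15 10:29:55 imaptest imap[1024]: accepted connection
Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
Jan 15 13:28:42 student imap[9814]: wrong version number in SSL_accept() -> fail
Jan 15 13:28:42 student imap[9814]: STARTTLS negotiation failed: TradeMart-2.EDnet.NS.CA [142.227.51.61]
Jan 15 13:31:10 student imap[9825]: accepted connection
Jan 15 13:31:10 student imap[9825]: protocol error in SSL_accept() -> fail
Jan 15 13:31:10 student imap[9825]: STARTTLS negotiation failed: [192.0.2.7]
"""

# syslog prefix: "Mon DD HH:MM:SS host imap[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) imap\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "<reason> in SSL_accept() -> fail", as produced by the quoted syslog() call
SSL_FAIL_RE = re.compile(r"^(?P<reason>.+) in SSL_accept\(\) -> fail$")
# "STARTTLS negotiation failed: [ip]" or "... failed: name [ip]"
STARTTLS_FAIL_RE = re.compile(
    r"^STARTTLS negotiation failed: (?:(?P<name>\S+) )?\[(?P<ip>[^\]]+)\]$"
)


def correlate_starttls_failures(log_text):
    """Return {client_ip: {reason: count}} for failed STARTTLS negotiations.

    Assumption: the SSL_accept reason and the STARTTLS failure for one
    connection are logged by the same imapd process, one after the other.
    """
    pending = {}                      # (host, pid) -> reason awaiting its client line
    failures = defaultdict(Counter)   # client ip -> Counter of reasons
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        msg = m["msg"]
        if msg == "accepted connection":
            pending.pop(key, None)    # new connection on this process: forget stale reason
            continue
        s = SSL_FAIL_RE.match(msg)
        if s:
            pending[key] = s["reason"]
            continue
        f = STARTTLS_FAIL_RE.match(msg)
        if f:
            reason = pending.pop(key, "unknown")
            failures[f["ip"]][reason] += 1
    return {ip: dict(c) for ip, c in failures.items()}


def version_mismatch_clients(failures):
    """Clients whose failures include the 'wrong version number' reason, sorted."""
    return sorted(ip for ip, reasons in failures.items() if "wrong version number" in reasons)


if __name__ == "__main__":
    result = correlate_starttls_failures(SAMPLE_LOG)
    for ip, reasons in sorted(result.items()):
        print(ip, reasons)
    print("clients to check for a rejected hello:", version_mismatch_clients(result))
```

Run it against a copy of the imapd syslog instead of `SAMPLE_LOG` to get the same per-client breakdown; a client that shows up only with "wrong version number" is the one to look at (or to try with another mail client), while other reasons point elsewhere.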
