STARTTLS on Cyrus IMAPd 2.3.11

Andrew Morgan morgan at orst.edu
Thu Mar 20 12:20:31 EDT 2008



On Wed, 19 Mar 2008, Jorey Bump wrote:

> Wesley Craig wrote, at 03/18/2008 08:48 PM:
>> On 18 Mar 2008, at 17:55, Jorey Bump wrote:
>>> http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028210.html
>>
>> Do you use client certificates?  Because the message you're quoting is
>> about someone who does:
>>
>>     http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028124.html
>
> I guess the title of that thread pointed at the problem: "2.3.11
> STARTTLS broken if tls_ca_file is defined". But I'm almost sure I tried
> undefining tls_ca_file as soon as I saw that. Anyway, removing
> tls_ca_file from imapd.conf has solved my problem.
>
> Thanks for the help.

Just for reference, I'm using the following TLS settings with 2.3.11 just 
fine:

tls_ca_file: /etc/ssl/certs/thawte-premium.pem
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key

I only bothered adding tls_ca_file because I kept getting worthless log 
messages on every new connection:

   TLS server engine: No CA file specified. Client side certs may not work

We are not using SSL client certificates, so tls_ca_file is irrelevant in 
our situation.

Maybe the format of your CA bundle file is not what openssl expects?  Do 
you get valid output when you run:

   openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text


Andy
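Added example, not part of the thread: a stdlib-only pre-check for the PEM framing problems (CRLF endings, DER instead of PEM, a truncated block, bad base64) that the `openssl x509 -in ... -text` check above would trip over. Since `openssl x509 -in` parses only the first certificate in a file, this walks every block; the sample bundles are constructed placeholders, not real certificates.

```python
"""Pre-check a PEM CA bundle (tls_ca_file) for framing errors before handing it to OpenSSL."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def check_ca_bundle(text: str) -> dict:
    """Return {'certificates': n, 'problems': [...]} for a bundle given as text."""
    problems = []
    if "\r\n" in text:
        problems.append("CRLF line endings")
    if BEGIN not in text:
        problems.append("no PEM certificate block (DER file or wrong path?)")
    begins, ends = text.count(BEGIN), text.count(END)
    if begins != ends:
        problems.append(f"unbalanced BEGIN/END markers ({begins} vs {ends})")
    certs = 0
    for n, m in enumerate(BLOCK.finditer(text), start=1):
        body = "".join(m.group(1).split())  # strip line breaks inside the block
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append(f"certificate {n}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER Certificate is an ASN.1 SEQUENCE
            problems.append(f"certificate {n}: decoded data is not a DER SEQUENCE")
            continue
        certs += 1
    return {"certificates": certs, "problems": problems}


# Constructed placeholders: 'MAMCAQU=' decodes to a tiny ASN.1 SEQUENCE, not a real cert.
GOOD_BUNDLE = f"{BEGIN}\nMAMCAQU=\n{END}\n{BEGIN}\nMAMCAQU=\n{END}\n"
TRUNCATED_BUNDLE = f"{BEGIN}\nMAMCAQU=\n"          # END marker missing
NOT_DER_BUNDLE = f"{BEGIN}\nAQI=\n{END}\n"         # base64 of 0x01 0x02, not a SEQUENCE

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("truncated", TRUNCATED_BUNDLE),
                         ("not-der", NOT_DER_BUNDLE)]:
        print(name, check_ca_bundle(bundle))
```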