STARTTLS on Cyrus IMAPd 2.3.11
Andrew Morgan
morgan at orst.edu
Thu Mar 20 12:20:31 EDT 2008
On Wed, 19 Mar 2008, Jorey Bump wrote:
> Wesley Craig wrote, at 03/18/2008 08:48 PM:
>> On 18 Mar 2008, at 17:55, Jorey Bump wrote:
>>> http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028210.html
>>
>> Do you use client certificates? Because the message you're quoting is
>> about someone who does:
>>
>> http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028124.html
>
> I guess the title of that thread pointed at the problem: "2.3.11
> STARTTLS broken if tls_ca_file is defined". But I'm almost sure I tried
> undefining tls_ca_file as soon as I saw that. Anyway, removing
> tls_ca_file from imapd.conf has solved my problem.
>
> Thanks for the help.
Just for reference, I'm using the following TLS settings with 2.3.11 just
fine:
tls_ca_file: /etc/ssl/certs/thawte-premium.pem
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key
I only bothered adding tls_ca_file because I kept getting worthless log
messages on every new connection:
TLS server engine: No CA file specified. Client side certs may not work
We are not using SSL client certificates, so tls_ca_file is irrelevant in
our situation.
Maybe the format of your CA bundle file is not what openssl expects? Do
you get valid output when you run:
openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text
Andy
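The diagnostic Andy suggests, `openssl x509 -in <bundle> -text`, has a limitation worth knowing: `openssl x509` parses only the first certificate in the file, so a bundle whose second or third block is truncated or mis-pasted still "looks valid". The script below is an added example, not code from Cyrus IMAPd or from anyone in this thread. It walks every PEM block in a tls_ca_file-style bundle with the standard library only and reports the structural problems a PEM reader would reject (bad base64, a body that is not one DER SEQUENCE, a private key mixed into the CA file, no certificate at all). The sample bundles it checks are constructed placeholders: a five-byte DER SEQUENCE, not a real certificate.

```python
"""Sanity checks for a PEM CA bundle of the kind Cyrus IMAPd reads through
tls_ca_file. Added example, not code from Cyrus or the mailing-list thread.
Standard library only; it checks PEM/DER structure, not signatures."""
import base64
import binascii
import re

# One PEM block: label, base64 body, and a matching END line. CRLF tolerated.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def der_sequence_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE whose length field agrees
    with the bytes present. A truncated or padded body fails here even
    though the base64 around it may decode cleanly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        header, body = 2, first
    else:                                 # long form: N length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def check_bundle(text: str) -> dict:
    """Walk every PEM block in the bundle and report what a PEM reader
    would choke on. Returns {"certs": <count>, "findings": [<str>, ...]};
    an empty findings list means the bundle is at least well-formed."""
    findings, certs = [], 0
    for idx, m in enumerate(PEM_BLOCK.finditer(text), start=1):
        label, body = m.group(1), m.group(2)
        if "PRIVATE KEY" in label:
            # A key does not belong in a CA bundle, and CA files are
            # normally world-readable, so this is a leak as well as a bug.
            findings.append(f"block {idx}: {label} in CA bundle, remove it")
            continue
        if label != "CERTIFICATE":
            findings.append(f"block {idx}: unexpected type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            findings.append(f"block {idx}: body is not valid base64")
            continue
        if not der_sequence_length_ok(der):
            findings.append(f"block {idx}: decoded data is not a DER SEQUENCE")
            continue
        certs += 1
    if certs == 0:
        findings.append("no CERTIFICATE block found")
    return {"certs": certs, "findings": findings}


def pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used only to build the samples below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed placeholder: a DER SEQUENCE holding one INTEGER (value 5).
# Not a real certificate, just enough structure for the checks above.
FAKE_DER = bytes.fromhex("3003020105")
GOOD_BUNDLE = pem("CERTIFICATE", FAKE_DER) * 2          # two well-formed blocks
TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n"
PADDED = pem("CERTIFICATE", FAKE_DER + b"\x00")          # extra byte after SEQUENCE
KEY_MIXED_IN = GOOD_BUNDLE + pem("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    for name, sample in [("good", GOOD_BUNDLE), ("truncated", TRUNCATED),
                         ("padded", PADDED), ("key mixed in", KEY_MIXED_IN)]:
        print(name, check_bundle(sample))
```

To run it against a real file, pass `open(path).read()` to `check_bundle`. Once the structure is clean, dump every certificate in the bundle (not just the first) with `openssl crl2pkcs7 -nocrl -certfile <bundle> | openssl pkcs7 -print_certs -text` and confirm each block is a CA certificate you actually intend to trust for client authentication.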