STARTTLS on Cyrus IMAPd 2.3.11
list at joreybump.com
Thu Mar 20 13:07:09 EDT 2008
Andrew Morgan wrote, at 03/20/2008 12:20 PM:
> Just for reference, I'm using the following TLS settings with 2.3.11
> just fine:
> tls_ca_file: /etc/ssl/certs/thawte-premium.pem
> tls_ca_path: /etc/ssl/certs
> tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
> tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key
> I only bothered adding tls_ca_file because I kept getting worthless log
> messages on every new connection:
> TLS server engine: No CA file specified. Client side certs may not work
Hah, now I'm getting them, too. :)
> We are not using SSL client certificates, so tls_ca_file is irrelevant
> in our situation.
> Maybe the format of your CA bundle file is not what openssl expects? Do
> you get valid output when you run:
> openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text
I'm not sure. There are no errors, but it only displays the first
certificate in the bundle. This is true of my local bundle and any
bundle included with the system by various applications.
On a lark, I pointed tls_ca_file to an old root certificate I once
needed for a chained root. It contains only a single certificate, and
STARTTLS connections on port 143 work when it is defined.
So, maybe bundles are no longer acceptable in tls_ca_file? I guess if
one needs to use client certificates, tls_ca_file should contain a
single root? If one needed to support multiple roots, perhaps use
tls_ca_path instead? I guess I'll deal with those issues as they come,
since I apparently don't need to define tls_ca_(file|path) at all for
normal operation (unless I want to eliminate annoying log messages).
Thanks for the additional info, it helped reveal more details, but it
would sure be nice to see some clarifying documentation. I still don't
know why the behaviour changed between 2.3.7 to 2.3.11, and if it
represents a fix or a potential bug. Why is the CA file checked if no
client cert is presented (unless it's needed for SASL-IR)? I'll have to
search the changelog or code when I have the time.
More information about the Info-cyrus