STARTTLS on Cyrus IMAPd 2.3.11
Jorey Bump
list at joreybump.com
Thu Mar 20 13:07:09 EDT 2008
Andrew Morgan wrote, at 03/20/2008 12:20 PM:
> Just for reference, I'm using the following TLS settings with 2.3.11
> just fine:
>
> tls_ca_file: /etc/ssl/certs/thawte-premium.pem
> tls_ca_path: /etc/ssl/certs
> tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
> tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key
>
> I only bothered adding tls_ca_file because I kept getting worthless log
> messages on every new connection:
>
> TLS server engine: No CA file specified. Client side certs may not work
Hah, now I'm getting them, too. :)
> We are not using SSL client certificates, so tls_ca_file is irrelevant
> in our situation.
>
> Maybe the format of your CA bundle file is not what openssl expects? Do
> you get valid output when you run:
>
> openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text
I'm not sure. There are no errors, but it only displays the first
certificate in the bundle. This is true of my local bundle and any
bundle included with the system by various applications.

On a lark, I pointed tls_ca_file to an old root certificate I once
needed for a chained root. It contains only a single certificate, and
STARTTLS connections on port 143 work when it is defined.

So, maybe bundles are no longer acceptable in tls_ca_file? I guess if
one needs to use client certificates, tls_ca_file should contain a
single root? If one needed to support multiple roots, perhaps use
tls_ca_path instead? I guess I'll deal with those issues as they come,
since I apparently don't need to define tls_ca_(file|path) at all for
normal operation (unless I want to eliminate annoying log messages).

Thanks for the additional info, it helped reveal more details, but it
would sure be nice to see some clarifying documentation. I still don't
know why the behaviour changed between 2.3.7 and 2.3.11, and if it
represents a fix or a potential bug. Why is the CA file checked if no
client cert is presented (unless it's needed for SASL-IR)? I'll have to
search the changelog or code when I have the time.
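The check Andrew suggested, `openssl x509 -in bundle -text`, only ever parses the first BEGIN/END block of a file, which is why a bundle "looks fine" even when a later entry is corrupt. The script below is an added example, not code from this thread or from the Cyrus project: it splits a PEM bundle into its individual blocks and runs `openssl x509` on each one, so a bad entry anywhere in a tls_ca_file bundle is reported. It assumes the openssl command-line tool is installed; the certificate names ("Test Root A", "Test Root B") and the corrupt block are constructed test data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): inspect every certificate in a PEM bundle.
# "openssl x509 -in bundle.pem" reads only the first BEGIN/END block, so this
# splits the bundle first and then checks each block separately.

# bundle_subjects FILE: prints one line per PEM block,
#   "ok  subject=..."  when openssl can parse the block
#   "BAD cert-NNN.pem" when it cannot (garbled, truncated, not a certificate)
bundle_subjects() {
    bundle=$1
    tmp=$(mktemp -d)
    # Write each BEGIN/END block to its own file, numbered in bundle order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" sprintf("%03d", n) ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || break            # bundle contained no PEM blocks at all
        if subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
            echo "ok  $subj"
        else
            echo "BAD $(basename "$f"): not a parsable certificate"
        fi
    done
    rm -rf "$tmp"
}

# make_test_bundle FILE: appends two freshly generated self-signed roots
# (constructed test data) followed by one deliberately corrupt block, which
# mimics a bundle entry that was truncated or mangled by a packaging script.
make_test_bundle() {
    dir=$(mktemp -d)
    for name in "Test Root A" "Test Root B"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
        cat "$dir/cert.pem" >> "$1"
    done
    # base64 of the string "not a certificate": valid PEM framing, invalid DER inside
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'bm90IGEgY2VydGlmaWNhdGU=' \
        '-----END CERTIFICATE-----' >> "$1"
    rm -rf "$dir"
}
```

Usage: `bundle_subjects /etc/ssl/certs/your-ca-bundle.pem` lists every block with its subject; any "BAD" line points at the entry to fix before the file is used as tls_ca_file. Comparing the output with `openssl x509 -in bundle.pem -noout -subject` shows the difference directly: the plain openssl command prints exactly one subject, whatever the bundle contains after the first block.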