STARTTLS on Cyrus IMAPd 2.3.11

Wesley Craig wes at
Thu Mar 20 13:57:58 EDT 2008

On 20 Mar 2008, at 13:07, Jorey Bump wrote:
> Andrew Morgan wrote, at 03/20/2008 12:20 PM:
>> Maybe the format of your CA bundle file is not what openssl  
>> expects?  Do
>> you get valid output when you run:
>>   openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text

> I'm not sure. There are no errors, but it only displays the first
> certificate in the bundle. This is true of my local bundle and any
> bundle included with the system by various applications.

The SSL_CTX_load_verify_locations() function loads everything in the  
file, tho.

> On a lark, I pointed tls_ca_file to an old root certificate I once
> needed for a chained root. It contains only a single certificate, and
> STARTTLS connections on port 143 work when it is defined.

This suggests a specific problem with the cert bundle you're using.

> Why is the CA file checked if no
> client cert is presented (unless it's needed for SASL-IR)? I'll  
> have to
> search the changelog or code when I have the time.

The way the code is currently written, if you're using imaps, the  
server will be implicitly prepared to accept a client cert.  Of  
course, if no CAfile is defined, you'll get that spurious error!   
There seems to be an assuption that CAfile implies something  
different than CApath -- it doesn't.  I think the code should be  
changed to not tell the client that a cert will be accepted if  
neither CAfile nor CApath is defined.

Does your Thunderbird have access to any client certificates?  Since  
the server will advertise that it accepts them, even tho it probably  
can't use them, I wonder if this isn't the cause of your version  
mismatch error message.


More information about the Info-cyrus mailing list