STARTTLS on Cyrus IMAPd 2.3.11
wes at umich.edu
Thu Mar 20 13:57:58 EDT 2008
On 20 Mar 2008, at 13:07, Jorey Bump wrote:
> Andrew Morgan wrote, at 03/20/2008 12:20 PM:
>> Maybe the format of your CA bundle file is not what openssl
>> expects? Do
>> you get valid output when you run:
>> openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text
> I'm not sure. There are no errors, but it only displays the first
> certificate in the bundle. This is true of my local bundle and any
> bundle included with the system by various applications.
The SSL_CTX_load_verify_locations() function loads everything in the
> On a lark, I pointed tls_ca_file to an old root certificate I once
> needed for a chained root. It contains only a single certificate, and
> STARTTLS connections on port 143 work when it is defined.
This suggests a specific problem with the cert bundle you're using.
> Why is the CA file checked if no
> client cert is presented (unless it's needed for SASL-IR)? I'll
> have to
> search the changelog or code when I have the time.
The way the code is currently written, if you're using imaps, the
server will be implicitly prepared to accept a client cert. Of
course, if no CAfile is defined, you'll get that spurious error!
There seems to be an assuption that CAfile implies something
different than CApath -- it doesn't. I think the code should be
changed to not tell the client that a cert will be accepted if
neither CAfile nor CApath is defined.
Does your Thunderbird have access to any client certificates? Since
the server will advertise that it accepts them, even tho it probably
can't use them, I wonder if this isn't the cause of your version
mismatch error message.
More information about the Info-cyrus