STARTTLS on Cyrus IMAPd 2.3.11

Jorey Bump list at joreybump.com
Thu Mar 20 14:36:01 EDT 2008


Wesley Craig wrote, at 03/20/2008 01:57 PM:
> On 20 Mar 2008, at 13:07, Jorey Bump wrote:
>> On a lark, I pointed tls_ca_file to an old root certificate I once
>> needed for a chained root. It contains only a single certificate, and
>> STARTTLS connections on port 143 work when it is defined.
> 
> This suggests a specific problem with the cert bundle you're using.

I think you're right. I just tried all of the other bundles that came 
with the system and met with mixed results. The only one that worked 
that contained multiple certificates was provided with curl 7.16.2. It's 
definitely in a different format:

Cert Title
==========
MD5 Fingerprint: [fingerprint]
PEM Data:
-----BEGIN CERTIFICATE-----
[certificate in PEM format]
-----END CERTIFICATE-----
Certificate Ingredients:
[verbose data]

...more certs...

The ones that fail are simply bundles of the PEM data only:

-----BEGIN CERTIFICATE-----
[certificate in PEM format]
-----END CERTIFICATE-----

...more...

Cyrus 2.3.11 (and possibly other versions after 2.3.7) no longer seems 
to like these.

>> Why is the CA file checked if no
>> client cert is presented (unless it's needed for SASL-IR)? I'll have to
>> search the changelog or code when I have the time.
> 
> The way the code is currently written, if you're using imaps, the server 
> will be implicitly prepared to accept a client cert.  Of course, if no 
> CAfile is defined, you'll get that spurious error!  There seems to be an 
> assumption that CAfile implies something different than CApath -- it 
> doesn't.  I think the code should be changed to not tell the client that 
> a cert will be accepted if neither CAfile nor CApath is defined.

Does it? They're empty by default, which fixed my problem, so isn't that 
already the case?

> Does your Thunderbird have access to any client certificates?  Since the 
> server will advertise that it accepts them, even tho it probably can't 
> use them, I wonder if this isn't the cause of your version mismatch 
> error message.

Well, it's working with the curl bundle, so your earlier suspicion about 
the incompatible bundle bears out. I encountered the problem with both 
Thunderbird and imtest. Since imtest easily supports testing with client 
certificates, I'll try it out when I get a chance. It will be 
interesting to add some different local roots and test with multiple 
certificates. In the meantime, I'll just use the curl CA bundle as a 
matter of routine. Thanks for the help!
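As an added example (not code from this thread, nor from Cyrus or curl), a small Python script that splits a bundle in either of the two layouts above into its certificate blocks, checks that each body is valid base64 wrapping a well-formed DER SEQUENCE, and rewrites the good blocks as a clean plain-PEM bundle with LF line endings. The bundle text it contains is constructed and its certificate bodies are fake five-byte DER, not real certificates.

```python
import base64
import re
# One PEM certificate block; tolerant of CRLF endings and whitespace around the body.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def der_length(der: bytes):
    """Length claimed by the outermost ASN.1 SEQUENCE header, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                        # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                        # long form: n more bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def _block_to_der(raw: str):
    """Decode one PEM body: (der_or_None, 'ok' | 'bad-base64' | 'bad-der')."""
    body = re.sub(r"\s+", "", raw)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                       # binascii.Error subclasses ValueError
        return None, "bad-base64"
    if der_length(der) != len(der):          # truncated, padded or not a certificate
        return None, "bad-der"
    return der, "ok"

def check_bundle(text: str):
    return [(i, _block_to_der(m.group(1))[1]) for i, m in enumerate(_PEM_RE.finditer(text))]

def normalize_bundle(text: str) -> str:
    """Re-emit only the well-formed certificates as plain PEM: 64-column lines, LF endings."""
    out = []
    for m in _PEM_RE.finditer(text):
        der, status = _block_to_der(m.group(1))
        if status == "ok":
            b64 = base64.b64encode(der).decode("ascii")
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)

# Constructed sample ("MAMCAQU=" is a fake 5-byte DER SEQUENCE): curl-style entry, CRLF plain block, truncated block, non-SEQUENCE block.
SAMPLE_BUNDLE = (
    "Example Root CA\n===============\nMD5 Fingerprint: (constructed)\nPEM Data:\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    "Certificate Ingredients:\n    (verbose text a reader must skip)\n\n"
    "-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
)
```

A block reported as anything other than `ok` is one that no PEM loader can use; if every block is `ok` and the server still rejects the file, the difference lies in how the server reads the surrounding text, and the normalized output is a minimal plain-PEM file to test that against.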