Expire (manually) TLS sessions?
Jeff Blaine
jblaine at kickflop.net
Fri Jan 16 08:16:36 EST 2009
Sebastian Hagedorn wrote:
> --On 16. Januar 2009 07:48:18 -0500 Jeff Blaine <jblaine at kickflop.net>
> wrote:
>
>> More info after increasing local6.info to local6.debug for
>> syslog:
>>
>> accepted connection
>> imapd:Loading hard-coded DH parameters
>> SSL_accept() incomplete -> wait
>> decryption failed or bad record mac in SSL_accept() -> fail
>> STARTTLS negotiation failed: bva-172.our.com
>>
>> Our TLS all worked fine before the upgrade :(
>
> I'm pretty sure the tls_cache is a red herring. The SSL/TLS code changed
> a lot between 2.2 and 2.3. My guess would be that there lies the actual
> problem.
>
> I wonder where the line "Loading hard-coded DH parameters" comes from. I
> haven't seen that before. Anyway, I guess you need an SSL expert to make
> sense of that. How old is your certificate? Maybe the new code doesn't
> like it? Did you build the binary yourself or where did you get it?
The certificate is 1 year 10 months old.
Everything was built by hand (as it was with our 2.2.12
install as well).
I'll try redoing the cert.
More information about the Info-cyrus
mailing list