Expire (manually) TLS sessions?

Jeff Blaine jblaine at kickflop.net
Fri Jan 16 09:43:02 EST 2009


A new cert did not solve the problem:

Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong version number in SSL_accept() -> fail
Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

Jeff Blaine wrote:
> Sebastian Hagedorn wrote:
>> --On 16 January 2009 07:48:18 -0500 Jeff Blaine <jblaine at kickflop.net> wrote:
>>
>>> More info after increasing local6.info to local6.debug for
>>> syslog:
>>>
>>> accepted connection
>>> imapd:Loading hard-coded DH parameters
>>> SSL_accept() incomplete -> wait
>>> decryption failed or bad record mac in SSL_accept() -> fail
>>> STARTTLS negotiation failed: bva-172.our.com
>>>
>>> Our TLS all worked fine before the upgrade :(
>>
>> I'm pretty sure the tls_cache is a red herring. The SSL/TLS code 
>> changed a lot between 2.2 and 2.3. My guess would be that there lies 
>> the actual problem.
>>
>> I wonder where the line "Loading hard-coded DH parameters" comes from. 
>> I haven't seen that before. Anyway, I guess you need an SSL expert to 
>> make sense of that. How old is your certificate? Maybe the new code 
>> doesn't like it? Did you build the binary yourself or where did you 
>> get it?
> 
> The certificate is 1 year 10 months old.
> 
> Everything was built by hand (as it was with our 2.2.12
> install as well).
> 
> I'll try redoing the cert.
> 
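
As an added diagnostic example (not part of the original message, and not Cyrus code), the following Python script parses syslog lines of the shape quoted above, splits them into per-connection sessions, and tallies which OpenSSL SSL_accept() error preceded each "STARTTLS negotiation failed" line for each client host. The sample log embedded in it is constructed from the lines in this thread; the extra message IDs and the trailing 09:45:02 session are assumptions, and the error-to-cause hints are general OpenSSL knowledge, not something the thread establishes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the lines quoted in the message above.
# The syslog message IDs on lines that are not on the page are placeholders,
# and the last session (09:45:02, no failure) is assumed for illustration.
SAMPLE_LOG = """\
Jan 16 07:48:18 imapsrv imap[12101]: [ID 921384 local6.debug] accepted connection
Jan 16 07:48:18 imapsrv imap[12101]: [ID 100001 local6.debug] imapd:Loading hard-coded DH parameters
Jan 16 07:48:18 imapsrv imap[12101]: [ID 100002 local6.debug] SSL_accept() incomplete -> wait
Jan 16 07:48:18 imapsrv imap[12101]: [ID 100003 local6.debug] decryption failed or bad record mac in SSL_accept() -> fail
Jan 16 07:48:18 imapsrv imap[12101]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong version number in SSL_accept() -> fail
Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
Jan 16 09:45:02 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
"""

# "Mon DD HH:MM:SS host proc[pid]: [ID nnn facility.level] message"
# The Solaris "[ID ...]" tag is optional so lines without it also parse.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[a-z]+)\[(?P<pid>\d+)\]: (?:\[ID \d+ \S+\] )?(?P<msg>.*)$"
)

# Generic meaning of the OpenSSL errors seen here; these are hints, not diagnoses.
FAILURE_HINTS = {
    "wrong version number":
        "the bytes received were not a TLS record the server accepts "
        "(plaintext sent where a ClientHello was expected, or an unsupported version)",
    "decryption failed or bad record mac":
        "a record failed MAC check or decryption (corrupted data, or the two "
        "sides disagree on keys or cipher once encryption starts)",
}


def parse_line(line):
    """Return the fields of one syslog line, or None if it is not in this shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_sessions(log_text):
    """Split the log into per-connection message lists (in order of appearance).

    Cyrus service processes are reused for successive connections, so the pid
    alone does not identify a session: a new session starts at every
    'accepted connection' line for that pid.
    """
    current = {}   # pid -> message list of the session currently open on that pid
    sessions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] != "imap":
            continue
        if rec["msg"] == "accepted connection":
            current[rec["pid"]] = []
            sessions.append(current[rec["pid"]])
        elif rec["pid"] in current:
            current[rec["pid"]].append(rec["msg"])
    return sessions


def classify_session(msgs):
    """For a session whose STARTTLS failed, return (client, ssl_error); else None."""
    client = None
    ssl_error = "no SSL_accept() error logged"
    for msg in msgs:
        if "in SSL_accept()" in msg and msg.endswith("-> fail"):
            # keep only the OpenSSL reason string, e.g. "wrong version number"
            ssl_error = msg.split(" in SSL_accept()")[0]
        m = re.match(r"STARTTLS negotiation failed: (\S+)$", msg)
        if m:
            client = m.group(1)
    if client is None:
        return None
    return client, ssl_error


def summarize(log_text):
    """{client_host: Counter(ssl_error -> number of failed sessions)}."""
    by_client = defaultdict(Counter)
    for msgs in extract_sessions(log_text):
        hit = classify_session(msgs)
        if hit:
            client, ssl_error = hit
            by_client[client][ssl_error] += 1
    return dict(by_client)


if __name__ == "__main__":
    for client, errors in sorted(summarize(SAMPLE_LOG).items()):
        print(client)
        for ssl_error, n in errors.most_common():
            print(f"  {n}x {ssl_error}: {FAILURE_HINTS.get(ssl_error, 'no hint')}")
```

Run against a real imapd log (after raising the syslog level to local6.debug, as done in the thread) by replacing SAMPLE_LOG with the file contents; a single client host collecting several different SSL_accept() reasons, as bva-172.our.com does here, points at the client side or the bytes on the wire rather than at one bad certificate.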

