Expire (manually) TLS sessions?
Jeff Blaine
jblaine at kickflop.net
Fri Jan 16 10:19:51 EST 2009
Outlook 2007 works. Unfortunately, this is not an option
for us as our users use Thunderbird.
Jan 16 10:18:14 imapsrv imap[16000]: [ID 921384 local6.debug] accepted
connection
Jan 16 10:18:14 imapsrv imap[16000]: [ID 636471 local6.notice] TLS
server engine: cannot load CA data
Jan 16 10:18:14 imapsrv imap[16000]: [ID 286863 local6.notice]
imapd:Loading hard-coded DH parameters
Jan 16 10:18:14 imapsrv imap[16000]: [ID 277171 local6.error] TLS server
engine: No CA file specified. Client side certs may not work
Jan 16 10:18:15 imapsrv imap[16000]: [ID 574029 local6.debug]
SSL_accept() incomplete -> wait
Jan 16 10:18:15 imapsrv imap[16000]: [ID 867439 local6.debug]
SSL_accept() succeeded -> done
Jan 16 10:18:15 imapsrv imap[16000]: [ID 379946 local6.notice] starttls:
TLSv1 with cipher RC4-MD5 (128/128 bits new) no authentication
Jan 16 10:18:15 imapsrv imap[16000]: [ID 277583 local6.notice] login:
bva-172.our.com jblaine plaintext+TLS User logged in
Jeff Blaine wrote:
> With the tls_ca_file line removed, Thunderbird asked me
> to specify a client certificate, I chose my cert and
> entered my password to access it.
>
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted
> connection
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS
> server engine: cannot load CA data
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice]
> imapd:Loading hard-coded DH parameters
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server
> engine: No CA file specified. Client side certs may not work
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug]
> SSL_accept() incomplete -> wait
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a
> peer verify
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify
> error:num=20:unable to get local issuer certificate
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no
> certificate returned in SSL_accept() -> fail
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS
> negotiation failed: bva-172.our.com
>
> Sebastian Hagedorn wrote:
>> --On 16. Januar 2009 09:43:02 -0500 Jeff Blaine <jblaine at kickflop.net>
>> wrote:
>>
>>> A new cert did not solve the problem:
>>>
>>> Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted
>>> connection
>>> Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong
>>> version number in SSL_accept() -> fail
>> But it results in a different error message.
>>
>>> Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS
>>> negotiation failed: bva-172.our.com
>> That reminds me of something. Try removing this line from your config:
>>
>> tls_ca_file: /var/imap/ca.crt
>>
>> Also, try using different clients. IIRC, there is an issue specifically
>> with Thunderbird and that setting. I don't remember the details, but you
>> should be able to find them in the archives.
>
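Added example, not part of the original thread and not Cyrus project code: a small triage script that groups imapd syslog lines by PID and reports how each STARTTLS attempt ended, using the message formats quoted above. The sample lines, host names and the field names in the result are constructed for illustration; treating any trailer other than "no authentication" as a presented client certificate is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample in the syslog format quoted in the thread (lines unwrapped).
SAMPLE = """\
Jan 16 10:00:01 mailhost imap[101]: [ID 921384 local6.debug] accepted connection
Jan 16 10:00:01 mailhost imap[101]: [ID 192010 local6.debug] wrong version number in SSL_accept() -> fail
Jan 16 10:00:01 mailhost imap[101]: [ID 239158 local6.notice] STARTTLS negotiation failed: client.example
Jan 16 10:00:05 mailhost imap[102]: [ID 921384 local6.debug] accepted connection
Jan 16 10:00:15 mailhost imap[102]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
Jan 16 10:00:15 mailhost imap[102]: [ID 239158 local6.notice] STARTTLS negotiation failed: client.example
Jan 16 10:00:20 mailhost imap[103]: [ID 921384 local6.debug] accepted connection
Jan 16 10:00:21 mailhost imap[103]: [ID 379946 local6.notice] starttls: TLSv1 with cipher RC4-MD5 (128/128 bits new) no authentication
Jan 16 10:00:21 mailhost imap[103]: [ID 277583 local6.notice] login: client.example user1 plaintext+TLS User logged in
"""

LINE = re.compile(r"imap\[(\d+)\]: \[ID \d+ \S+\] (.*)$")
VERIFY = re.compile(r"verify error:num=(\d+):(.*)")
STARTTLS = re.compile(r"starttls: (\S+) with cipher (\S+) \(.*\) (.*)$")

def summarize(text):
    """Group messages by imapd PID and report how each STARTTLS attempt ended."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an imapd line in the expected format
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(
            pid, {"result": "unknown", "reason": None, "cipher": None, "client_cert": None})
        v, t = VERIFY.search(msg), STARTTLS.match(msg)
        if v:  # certificate verification error takes priority as the reason
            s["reason"] = "verify error %s: %s" % (v.group(1), v.group(2).strip())
        elif "SSL_accept() -> fail" in msg and s["reason"] is None:
            s["reason"] = msg.split(" in SSL_accept()")[0]
        elif msg.startswith("STARTTLS negotiation failed"):
            s["result"] = "failed"
        elif t:
            s["result"] = "ok"
            s["cipher"] = "%s %s" % (t.group(1), t.group(2))
            # Assumption: any trailer other than "no authentication" means a client cert was accepted.
            s["client_cert"] = t.group(3) != "no authentication"
    return sessions

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(pid, info)
```

Log lines wrapped by a mail client, as in the messages above, need to be rejoined before being passed to summarize().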