Expire (manually) TLS sessions?

Jorey Bump list at joreybump.com
Fri Jan 16 10:47:26 EST 2009


Jeff Blaine wrote, at 01/16/2009 10:12 AM:
> With the tls_ca_file line removed, Thunderbird asked me
> to specify a client certificate, I chose my cert and
> entered my password to access it.

That sounds backwards. My understanding is that setting tls_ca_file is
what will cause some clients to prompt for a client certificate, and
that commenting out the setting avoids this problem if you don't use
client certs.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data

That's fine. It's a spurious log message as a result of removing
tls_ca_file.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters

This is also normal, nothing to worry about.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work

More harmless noise from the removal of tls_ca_file.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() -> fail
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

This is probably related to your client certificate, now that you don't
have a CA store for verification. I don't know why Thunderbird prompted
you for a certificate, though. You might want to test from another
Thunderbird with no client certs installed.

In any case, this might be easier to troubleshoot if you post your
imapd.conf (and maybe even cyrus.conf). I found it a little tricky
upgrading within 2.3.x due to some TLS changes, but I still
managed to maintain a very simple configuration. Yours just might need a
couple of tweaks.
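The "verify error:num=20:unable to get local issuer certificate" in the quoted log is OpenSSL's way of saying that a certificate was presented but no CA in the configured store could be found to have issued it. The following script is an added example, not code from the list post or from Cyrus: it builds a throwaway CA and client certificate with the openssl command-line tool (the CA and client names are made up) and then runs the same verification with and without a CA file, which plays the role of tls_ca_file. It assumes the openssl binary is installed and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the list post or from Cyrus): reproduce
# "verify error:num=20:unable to get local issuer certificate" locally.
# The certificates are generated on the fly; "Example Test CA" and
# "example client" are made-up names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a self-signed CA and a client cert it signs.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 \
    -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/client.pem" >/dev/null 2>&1
}

# Verify the client cert the way the server's peer verify does.
# $1 is the CA file (the tls_ca_file role); pass "" to model the
# setting being removed. Prints "ok", "error20" or "other".
verify_client_cert() {
  if [ -n "$1" ]; then
    out=$(openssl verify -CAfile "$1" "$WORK/client.pem" 2>&1 || true)
  else
    # No CA file: only the system trust store is consulted, and the
    # throwaway CA is not in it, so the issuer cannot be found.
    out=$(openssl verify "$WORK/client.pem" 2>&1 || true)
  fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo error20 ;;
    *": OK"*) echo ok ;;
    *) echo other ;;
  esac
}

make_test_pki
echo "with CA file:    $(verify_client_cert "$WORK/ca.pem")"
echo "without CA file: $(verify_client_cert "")"
```

The second run fails with the same error 20 seen in the log, which is why a client that insists on presenting a certificate cannot complete STARTTLS once tls_ca_file is gone. Against a real server the equivalent check is `openssl s_client -connect imapsrv:143 -starttls imap -cert client.pem -key client.key -CAfile ca.pem`; leaving out -cert and -key shows whether the handshake succeeds when no client certificate is offered at all.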





More information about the Info-cyrus mailing list