Expire (manually) TLS sessions?
Jeff Blaine
jblaine at kickflop.net
Fri Jan 16 11:18:50 EST 2009
Jorey Bump wrote:
> Jeff Blaine wrote, at 01/16/2009 10:12 AM:
>> With the tls_ca_file line removed, Thunderbird asked me
>> to specify a client certificate, I chose my cert and
>> entered my password to access it.
>
> That sounds backwards. My understanding is that setting tls_ca_file is
> what will cause some clients to prompt for a client certificate, and
> that commenting out the setting avoids this problem if you don't use
> client certs.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted
>> connection
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS
>> server engine: cannot load CA data
>
> That's fine. It's a spurious log message as a result of removing
> tls_ca_file.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice]
>> imapd:Loading hard-coded DH parameters
>
> This is also normal, nothing to worry about.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server
>> engine: No CA file specified. Client side certs may not work
>
> More harmless noise from the removal of tls_ca_file.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug]
>> SSL_accept() incomplete -> wait
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a
>> peer verify
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify
>> error:num=20:unable to get local issuer certificate
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no
>> certificate returned in SSL_accept() -> fail
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS
>> negotiation failed: bva-172.our.com
>
> This is probably related to your client certificate, now that you don't
> have a CA store for verification. I don't know why Thunderbird prompted
> you for a certificate, though. You might want to test from another
> Thunderbird with no client certs installed.
>
> In any case, this might be easier to troubleshoot if you post your
> imapd.conf (and maybe even cyrus.conf). I found it was a little tricky
> going upgrading within 2.3.x due to some TLS changes, but I still
> managed to maintain a very simple configuration. Yours just might need a
> couple of tweaks.
Here ya go:

# imapd.conf
allowplaintext: true
configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
imap_admins: root cyrus
sasl_pwcheck_method: saslauthd
unix_group_enable: 0
sieveusehomedir: true
autocreatequota: 200000
duplicate_db: skiplist
annotation_db: skiplist
mboxkey_db: skiplist
mboxlist_db: skiplist
tlscache_db: skiplist
tls_session_timeout: 0
tls_cert_file: /var/imap/ca.crt
tls_key_file: /var/imap/server.pk

# cyrus.conf
START {
  recover cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap cmd="imapd" listen="imap" prefork=5 proto=tcp4
  imaps cmd="imapd -s" listen="imaps" prefork=1 proto=tcp4
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
}
EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=10
  delprune cmd="cyr_expire -E 3" at=0400
  tlsprune cmd="tls_prune" at=0400
}
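The reply above sorts the imapd log lines into noise that follows from removing tls_ca_file (the "cannot load CA data", "No CA file specified" and hard-coded DH notices) and the lines that mark a real handshake failure (the verify error, the empty SSL_accept() result and "STARTTLS negotiation failed"). The following triage script is an added example, not code from the thread or from Cyrus: it parses the syslog lines quoted in the post (joined back onto one line each, including the Solaris "[ID nnn facility.level]" tag), applies that reading as a rule set, and decodes the OpenSSL verify error number. The rule list, the verdict names and the `triage`/`summarize` helpers are this example's own; the error-number table is the standard OpenSSL X509 verify code list, of which only a few entries are included.

```python
import re
from collections import Counter

# Lines quoted in the post above, re-joined where the mail client wrapped them.
SAMPLE_LOG = """\
Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() -> fail
Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
"""

# syslog prefix, optional Solaris "[ID nnn facility.level]" tag, then the imapd message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ (?P<facility>[\w.]+)\] )?(?P<msg>.*)$"
)

# OpenSSL X509 verify error codes as they appear in "verify error:num=N" (subset).
X509_VERIFY_ERRORS = {
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# (message pattern, verdict, explanation) in the order they are tried.
# "harmless" = consequence of an unset tls_ca_file, per the reply in the thread.
RULES = [
    (r"cannot load CA data", "harmless", "expected when tls_ca_file is unset"),
    (r"No CA file specified", "harmless", "expected when tls_ca_file is unset; only matters for client certs"),
    (r"hard-coded DH parameters", "harmless", "imapd falls back to its built-in DH parameters"),
    (r"verify error:num=(\d+)", "failure", "peer certificate could not be verified"),
    (r"no certificate returned in SSL_accept", "failure", "handshake aborted after verification"),
    (r"STARTTLS negotiation failed: (\S+)", "failure", "TLS handshake with this peer failed"),
]


def parse_line(line):
    """Split one syslog line into its fields; None if it is not an imapd-style line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Return (verdict, detail) for one imapd message using RULES."""
    for pattern, verdict, why in RULES:
        m = re.search(pattern, msg)
        if m is None:
            continue
        detail = {"reason": why}
        if pattern.startswith("verify error"):
            num = int(m.group(1))
            detail["verify_error"] = num
            detail["verify_error_name"] = X509_VERIFY_ERRORS.get(num, "unknown code")
        elif pattern.startswith("STARTTLS"):
            detail["peer"] = m.group(1)
        return verdict, detail
    return "info", {"reason": "routine debug output"}


def triage(log_text):
    """Parse and classify every recognised line; unparseable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        verdict, detail = classify(fields["msg"])
        records.append({**fields, "verdict": verdict, **detail})
    return records


def summarize(records):
    """Count of records per verdict, e.g. {'info': 3, 'harmless': 3, 'failure': 3}."""
    return dict(Counter(r["verdict"] for r in records))


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        extra = " ".join(f"{k}={r[k]}" for k in ("verify_error_name", "peer") if k in r)
        print(f"{r['verdict']:8} pid={r['pid']} {r['msg']}  [{r['reason']}] {extra}")
    print(summarize(recs))
```

Run against the quoted excerpt, the three CA/DH notices come out as harmless and the last three lines as the actual failure, with error 20 decoded to its OpenSSL meaning: the server could not find an issuer for the certificate the peer presented, which is what you would expect once the client sends a certificate and the server has no CA store to check it against.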