Expire (manually) TLS sessions?
jblaine at kickflop.net
Fri Jan 16 11:18:50 EST 2009
Jorey Bump wrote:
> Jeff Blaine wrote, at 01/16/2009 10:12 AM:
>> With the tls_ca_file line removed, Thunderbird asked me
>> to specify a client certificate, I chose my cert and
>> entered my password to access it.
> That sounds backwards. My understanding is that setting tls_ca_file is
> what will cause some clients to prompt for a client certificate, and
> that commenting out the setting avoids this problem if you don't use
> client certs.
>> Jan 16 10:08:33 imapsrv imap: [ID 921384 local6.debug] accepted
>> Jan 16 10:08:33 imapsrv imap: [ID 636471 local6.notice] TLS
>> server engine: cannot load CA data
> That's fine. It's a spurious log message as a result of removing
>> Jan 16 10:08:33 imapsrv imap: [ID 286863 local6.notice]
>> imapd:Loading hard-coded DH parameters
> This is also normal, nothing to worry about.
>> Jan 16 10:08:33 imapsrv imap: [ID 277171 local6.error] TLS server
>> engine: No CA file specified. Client side certs may not work
> More harmless noise from the removal of tls_ca_file.
>> Jan 16 10:08:33 imapsrv imap: [ID 574029 local6.debug]
>> SSL_accept() incomplete -> wait
>> Jan 16 10:08:43 imapsrv imap: [ID 160154 local6.debug] Doing a
>> peer verify
>> Jan 16 10:08:43 imapsrv imap: [ID 227675 local6.error] verify
>> error:num=20:unable to get local issuer certificate
>> Jan 16 10:08:43 imapsrv imap: [ID 192010 local6.debug] no
>> certificate returned in SSL_accept() -> fail
>> Jan 16 10:08:43 imapsrv imap: [ID 239158 local6.notice] STARTTLS
>> negotiation failed: bva-172.our.com
> This is probably related to your client certificate, now that you don't
> have a CA store for verification. I don't know why Thunderbird prompted
> you for a certificate, though. You might want to test from another
> Thunderbird with no client certs installed.
> In any case, this might be easier to troubleshoot if you post your
> imapd.conf (and maybe even cyrus.conf). I found it was a little tricky
> going upgrading within 2.3.x due to some TLS changes, but I still
> managed to maintain a very simple configuration. Yours just might need a
> couple of tweaks.
Here ya go:
imapd.conf:

imap_admins: root cyrus

cyrus.conf:

START {
  recover cmd="ctl_cyrusdb -r"
}

SERVICES {
  imap cmd="imapd" listen="imap" prefork=5 proto=tcp4
  imaps cmd="imapd -s" listen="imaps" prefork=1 proto=tcp4
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
}

EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=10
  delprune cmd="cyr_expire -E 3" at=0400
  tlsprune cmd="tls_prune" at=0400
}
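The log excerpt quoted above is the kind of sequence an operator has to triage by hand: a notice that the CA store could not be loaded, a peer verify that fails with OpenSSL X509 error 20 ("unable to get local issuer certificate"), and finally "STARTTLS negotiation failed" for one peer. The script below is an added example, not code from the thread or from the Cyrus project. It parses syslog lines in the "[ID nnn facility.level]" form shown in the quoted messages (an assumption about the log format), correlates the "no CA file" notice with verify error 20, and emits a short diagnosis. The sample log lines are constructed from the ones quoted above and joined onto single lines as syslog writes them; the X509 error table is a hand-picked subset of OpenSSL's verify result codes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the imapd lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Jan 16 10:08:33 imapsrv imap: [ID 921384 local6.debug] accepted
Jan 16 10:08:33 imapsrv imap: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 16 10:08:33 imapsrv imap: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 16 10:08:33 imapsrv imap: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
Jan 16 10:08:33 imapsrv imap: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
Jan 16 10:08:43 imapsrv imap: [ID 160154 local6.debug] Doing a peer verify
Jan 16 10:08:43 imapsrv imap: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
Jan 16 10:08:43 imapsrv imap: [ID 192010 local6.debug] no certificate returned in SSL_accept() -> fail
Jan 16 10:08:43 imapsrv imap: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host prog: [ID nnnnnn facility.level] message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): "
    r"\[ID \d+ (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):(?P<text>.+)")
FAIL_RE = re.compile(r"STARTTLS negotiation failed: (?P<peer>\S+)")

# Subset of OpenSSL X509 verify result codes that show up in peer verification.
X509_VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed certificate (depth 0)",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}


@dataclass
class TlsFindings:
    ca_missing: bool = False
    verify_errors: list = field(default_factory=list)  # (num, text) pairs
    failed_peers: list = field(default_factory=list)


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Walk the imapd log lines and collect the TLS-relevant facts."""
    findings = TlsFindings()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["prog"] != "imap":
            continue
        msg = rec["msg"]
        if "No CA file specified" in msg or "cannot load CA data" in msg:
            findings.ca_missing = True
        m = VERIFY_RE.search(msg)
        if m:
            findings.verify_errors.append((int(m["num"]), m["text"].strip()))
        m = FAIL_RE.search(msg)
        if m:
            findings.failed_peers.append(m["peer"])
    return findings


def diagnose(findings):
    """Turn the collected facts into operator-facing notes."""
    notes = []
    for num, text in findings.verify_errors:
        label = X509_VERIFY_CODES.get(num, text)
        notes.append(f"peer verify failed: X509 error {num} ({label})")
    # Error 20 with no CA store loaded matches the thread's reading: a client
    # presented a certificate that imapd has nothing to chain it to.
    if findings.ca_missing and any(num == 20 for num, _ in findings.verify_errors):
        notes.append("no CA store loaded (tls_ca_file unset) while a client presented a "
                     "certificate; restore tls_ca_file or configure the client not to send one")
    for peer in findings.failed_peers:
        notes.append(f"STARTTLS failed for {peer}")
    return notes


if __name__ == "__main__":
    for note in diagnose(triage(SAMPLE_LOG)):
        print(note)
```

Feed it the real log with `triage(open(path).read())`; lines from other programs or in another format are skipped rather than misread, so it is safe to point at a whole syslog file.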