Expire (manually) TLS sessions?
Bron Gondwana
brong at fastmail.fm
Fri Jan 16 21:24:41 EST 2009
On Fri, Jan 16, 2009 at 12:46:32PM +0100, Sebastian Hagedorn wrote:
> Hello Jeff,
>
> --On 16. Januar 2009 06:38:27 -0500 Jeff Blaine <jblaine at kickflop.net>
> wrote:
>
>> Maybe we're doing something wrong in the process, but it
>> seems that every time we perform offline maintenance
>> (upgrade, whatever) on Cyrus IMAPd ... our users complain
>> that TLS breaks afterward, but then fixes itself in time.
>>
>> I've demonstrated this to myself just now with the upgrade
>> to 2.3.13 from 2.2.12. My TLS session is cached but broken
>> with the new setup (or for whatever other reason). That is,
>> even after restarting Thunderbird, I get the following:
>>
>> Jan 16 06:31:50 imapsrv imap[19690]: [ID 239158 local6.notice] STARTTLS
>> negotiation failed: bva-172.our.com
>>
>> Is there a way to zero/flush all TLS cached sessions? I
>> have to imagine there is, but I don't know how.
>
> as before: just delete the tls_sessions files before you start
> cyrus-imapd. They will be recreated automatically. You could even make
> that part of the initscript, because those session don't survive a
> restart anyway.
In that case maybe Cyrus should do this itself? Sounds like a candidate
for a fix.
(we don't do TLS on our backends, because all connections come to nginx,
and it always connects plaintext to the backends)
Bron.
More information about the Info-cyrus
mailing list