Expire (manually) TLS sessions?

Bron Gondwana brong at fastmail.fm
Fri Jan 16 21:24:41 EST 2009


On Fri, Jan 16, 2009 at 12:46:32PM +0100, Sebastian Hagedorn wrote:
> Hello Jeff,
>
> --On 16. Januar 2009 06:38:27 -0500 Jeff Blaine <jblaine at kickflop.net>  
> wrote:
>
>> Maybe we're doing something wrong in the process, but it
>> seems that every time we perform offline maintenance
>> (upgrade, whatever) on Cyrus IMAPd ... our users complain
>> that TLS breaks afterward, but then fixes itself in time.
>>
>> I've demonstrated this to myself just now with the upgrade
>> to 2.3.13 from 2.2.12.  My TLS session is cached but broken
>> with the new setup (or for whatever other reason).  That is,
>> even after restarting Thunderbird, I get the following:
>>
>> Jan 16 06:31:50 imapsrv imap[19690]: [ID 239158 local6.notice] STARTTLS
>> negotiation failed: bva-172.our.com
>>
>> Is there a way to zero/flush all TLS cached sessions?  I
>> have to imagine there is, but I don't know how.
>
> as before: just delete the tls_sessions files before you start 
> cyrus-imapd. They will be recreated automatically. You could even make 
> that part of the initscript, because those session don't survive a 
> restart anyway.

In that case maybe Cyrus should do this itself?  Sounds like a candidate
for a fix.

(we don't do TLS on our backends, because all connections come to nginx,
and it always connects plaintext to the backends)

Bron.


More information about the Info-cyrus mailing list