Expire (manually) TLS sessions?

Sebastian Hagedorn Hagedorn at uni-koeln.de
Wed Jan 21 12:24:10 EST 2009


Hi Jeff,

--On 21 January 2009 11:19:31 -0500 Jeff Blaine <jblaine at kickflop.net> wrote:

> Sorry for the delay -- I had my wedding and a brief
> mini-honeymoon to attend to ;)

congrats!

>> How about Thunderbird using a password for authentication? Is that an
>> option at all?
>
> I realize this is a little "all over the road" here,
> but bear with me as I am just trying to get something
> working at this point for our users who are now
> without secure IMAP :(
>
> With "TLS" selected in Thunderbird, I am given no
> choice but to select a client certificate.  See
> attached images.

I wonder why that is. The only reason that comes to mind is that you *have* 
a certificate. I don't and so I'm never asked to use it. So why don't you 
try removing your certificate? Honestly, I would expect the same to happen 
that happens when you use SSL, but you never know.

> Another user reports that GNU Emacs with the Gnus
> client works with SSL and port 993.  I've confirmed
> this in the log:
>
> Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login:
> jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in
>
> If I configure Thunderbird to do that (SSL via 993),
> I get the following:
>
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS
> server engine: cannot load CA data
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice]
> imapd:Loading hard-coded DH parameters
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS
> negotiation failed: myclient.our.com
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal
> error: tls_start_servertls() failed

I have no idea why that happens. I just tried it myself and got the 
following in our log:

Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete -> wait
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded -> done
Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in

Could it be that your OpenSSL version or your certificate somehow doesn't 
support features that Thunderbird requires? I'm really no expert, but I 
know that client and server *negotiate* about these things. And the error 
reads "negotiation failed" ...

If your server is accessible over the Internet, perhaps I could try 
connecting to it with "openssl s_client". That might tell us something. You 
can try that as well, of course.
-- 
     .:.Sebastian Hagedorn - RZKR-R1 (Building 52), Room 18.:.
Zentrum für angewandte Informatik - University-wide Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
                   .:.:.:.Skype: shagedorn.:.:.:.
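The "openssl s_client" check suggested at the end of the reply, written out as an added example (this is not code from the original message, from Cyrus, or from Thunderbird). It probes both of the connection styles discussed in the thread, implicit TLS on port 993 and STARTTLS on port 143, and boils the chatty s_client output down to the three facts that decide a "negotiation failed" question: the protocol version, the cipher that was agreed, and the certificate verification result. The host names, the ports and the two sample outputs below are constructed placeholders, not captures from the servers in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: probe an IMAP server's TLS
# handshake with "openssl s_client" and summarise the result.
# Host names, ports and the sample outputs below are constructed.

# Reduce openssl s_client output (read from stdin) to one line:
#   protocol=<version> cipher=<name> verify=<code and text>
# or "handshake=failed" when no cipher was agreed. On a failed handshake
# s_client prints "Cipher    : 0000" in its SSL-Session block, so an empty
# or "0000" cipher is treated as a failed negotiation.
summarize_s_client() {
    awk '
        /^ *Protocol *:/       { sub(/^ *Protocol *: */, "");       proto  = $0 }
        /^ *Cipher *:/         { sub(/^ *Cipher *: */, "");         cipher = $0 }
        /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify = $0 }
        END {
            if (cipher == "" || cipher == "0000") { print "handshake=failed"; exit }
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify
        }'
}

# Implicit TLS on 993 (Thunderbird's "SSL" setting). Host and port are
# whatever the caller passes; nothing here is tied to a real server.
probe_imaps() {
    host=$1
    port=${2:-993}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | summarize_s_client
}

# STARTTLS on 143 (Thunderbird's "TLS" setting): s_client speaks IMAP first,
# issues STARTTLS, then negotiates, so a failure here shows up the same way.
probe_imap_starttls() {
    host=$1
    port=${2:-143}
    openssl s_client -connect "$host:$port" -starttls imap </dev/null 2>&1 \
        | summarize_s_client
}

# Constructed (abridged) s_client output for a successful handshake against a
# server with a self-signed certificate.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = imapsrv.example.com
verify error:num=18:self signed certificate
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Verify return code: 18 (self signed certificate)
---'

# Constructed (abridged) s_client output for a failed negotiation.
SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
Verify return code: 0 (ok)
---'

# Feed one of the constructed samples through the summariser.
summarize_sample() {
    printf '%s\n' "$1" | summarize_s_client
}

# Stand-alone demo over the constructed samples (no network needed).
summarize_sample "$SAMPLE_OK"
summarize_sample "$SAMPLE_FAIL"
```

Run `probe_imaps imapsrv.example.com` (or `probe_imap_starttls` for port 143) against a real host to get the same one-line summary. A "handshake=failed" line means client and server could not agree on a protocol or cipher at all, which is the case the server log calls "negotiation failed"; a cipher with a non-zero verify code means the handshake itself worked and the remaining problem is certificate trust, which is a different fix.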