Expire (manually) TLS sessions?

Jeff Blaine jblaine at kickflop.net
Wed Jan 21 13:36:02 EST 2009


Also:

bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t /var/imap/server.pem  imapsrv"
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
SSL_connect error 0
SSL session removed
failure: TLS negotiation failed!

bash-2.05#

Jeff Blaine wrote:
> I raised syslog info to local6.debug and the TLS session with
> Thunderbird and NO certs shows this:
> 
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 192010 local6.debug] decryption failed or bad record mac in SSL_accept() -> fail
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 239158 local6.notice] STARTTLS negotiation failed: myclient.our.com [xx.xx.6.52]
> 
> Sebastian Hagedorn wrote:
>> Hi Jeff,
>>
>> --On 21 January 2009 11:19:31 -0500 Jeff Blaine <jblaine at kickflop.net> wrote:
>>
>>> Sorry for the delay -- I had my wedding and a brief
>>> mini-honeymoon to attend to ;)
>> congrats!
>>
>>>> How about Thunderbird using a password for authentication? Is that an
>>>> option at all?
>>> I realize this is a little "all over the road" here,
>>> but bear with me as I am just trying to get something
>>> working at this point for our users who are now
>>> without secure IMAP :(
>>>
>>> With "TLS" selected in Thunderbird, I am given no
>>> choice but to select a client certificate.  See
>>> attached images.
>> I wonder why that is. The only reason that comes to mind is that you 
>> *have* a certificate. I don't and so I'm never asked to use it. So why 
>> don't you try removing your certificate? Honestly, I would expect the 
>> same to happen that happens when you use SSL, but you never know.
>>
>>> Another user reports that GNU Emacs with the Gnus
>>> client works with SSL and port 993.  I've confirmed
>>> this in the log:
>>>
>>> Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login:
>>> jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in
>>>
>>> If I configure Thunderbird to do that (SSL via 993),
>>> I get the following:
>>>
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS negotiation failed: myclient.our.com
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal error: tls_start_servertls() failed
>> I have no idea why that happens. I just tried it myself and got the 
>> following in our log:
>>
>> Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
>> Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete -> wait
>> Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded -> done
>> Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
>> Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in
>>
>> Could it be that your OpenSSL version or your certificate somehow don't 
>> support features that Thunderbird requires? I'm really no expert, but I 
>> know that client and server *negotiate* about these things. And the 
>> error reads "negotiation failed" ...
>>
>> If your server is accessible over the Internet, perhaps I could try 
>> connecting to it with "openssl s_client". That might tell us something. 
>> You can try that as well, of course.
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> 
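Most of this thread is raw Cyrus syslog and imtest output, so the following is an added triage script (mine, not Jeff's, Sebastian's or the Cyrus project's) that parses exactly those line shapes: the Solaris-tagged imap/imaps syslog messages quoted above, the "starttls:" and "login:" success lines, and the "verify error:num=NN" lines OpenSSL prints through imtest. It sorts them into server-side CA configuration errors, handshake failures with their logged reason, client-side trust-path problems, sessions on deprecated protocol versions, and logins whose mechanism lacks TLS. The sample log is constructed from the lines quoted in the thread plus one made-up plaintext login; the imapd.conf option names tls_ca_file and tls_ca_path are Cyrus 2.3's, and the deprecated-protocol list reflects current RFCs rather than 2009 practice.

```python
"""Triage Cyrus IMAP TLS trouble from syslog lines and imtest output."""
import re

# OpenSSL X509 verify codes meaning the verifier has no trust path to the issuer
# (18/19 self-signed, 20 no local issuer, 21 first cert unverifiable, 27 not
# trusted), as opposed to a malformed, expired or name-mismatched certificate.
TRUST_PATH_CODES = {18, 19, 20, 21, 27}
# SSLv2/SSLv3 (RFC 6176/7568) and TLS 1.0/1.1 (RFC 8996) are deprecated.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Syslog prefix; the "[ID nnn facility.level]" tag is Solaris-specific and optional.
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>imaps?)\[\d+\]:"
                    r"(?: \[ID \d+ \S+\])? (?P<msg>.*)$")
VERIFY = re.compile(r"verify error:num=(?P<code>\d+):(?P<text>.*)")
NEG_FAILED = re.compile(r"TLS negotiation failed: (?P<peer>\S+)")
STARTTLS_OK = re.compile(r"starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/")
LOGIN = re.compile(r"login: (?P<rest>.*) User logged in$")
LOGIN_FIELDS = re.compile(r"^\S+ \[[^\]]*\] (?P<user>\S+) (?P<mech>\S+)$")
CA_CONFIG_MARKERS = ("cannot load CA data", "No CA file specified")
FAILURE_DETAIL_MARKERS = ("-> fail", "tls_start_servertls() failed")


def triage(lines):
    """Classify log lines into a dict of the TLS events they describe."""
    report = {
        "ca_config_errors": [],    # server could not load its CA file
        "handshake_failures": [],  # peers whose TLS negotiation failed
        "failure_details": [],     # low-level reasons logged next to a failure
        "tls_sessions": [],        # (protocol, cipher, bits) per successful handshake
        "logins": [],              # (user, mechanism, over_tls)
        "verify_errors": [],       # (code, text, trust_path_problem) from imtest/s_client
    }
    for raw in lines:
        line = raw.strip()
        v = VERIFY.search(line)
        if v:
            code = int(v.group("code"))
            report["verify_errors"].append((code, v.group("text"), code in TRUST_PATH_CODES))
            continue
        m = SYSLOG.match(line)
        if not m:
            continue  # not a Cyrus syslog line; ignore
        msg = m.group("msg")
        if any(k in msg for k in CA_CONFIG_MARKERS):
            report["ca_config_errors"].append(msg)
        elif any(k in msg for k in FAILURE_DETAIL_MARKERS):
            report["failure_details"].append(msg)
        elif NEG_FAILED.search(msg):
            report["handshake_failures"].append(NEG_FAILED.search(msg).group("peer"))
        elif STARTTLS_OK.search(msg):
            s = STARTTLS_OK.search(msg)
            report["tls_sessions"].append((s.group("proto"), s.group("cipher"), int(s.group("bits"))))
        elif LOGIN.search(msg):
            rest = LOGIN.search(msg).group("rest")
            f = LOGIN_FIELDS.match(rest)
            if f:  # "host [ip] user mechanism"; Cyrus appends "+TLS" when the layer is up
                report["logins"].append((f.group("user"), f.group("mech"), "TLS" in f.group("mech")))
            else:  # e.g. "login: [redacted] User logged in"
                report["logins"].append((rest, None, None))
    return report


def findings(report):
    """Turn a triage report into short, defender-oriented findings."""
    out = []
    if report["ca_config_errors"]:
        out.append("server cannot load its CA file: check tls_ca_file / tls_ca_path in imapd.conf; "
                   "client certificate authentication cannot work until it does")
    if any(trust for _, _, trust in report["verify_errors"]):
        out.append("client has no trust path to the server certificate's issuer: the verifying side "
                   "needs the issuing CA in its trust store, or the server must send its chain")
    for peer in report["handshake_failures"]:
        detail = f" ({report['failure_details'][0]})" if report["failure_details"] else ""
        out.append(f"TLS handshake with {peer} failed{detail}")
    for user, mech, over_tls in report["logins"]:
        if over_tls is False:
            out.append(f"user {user} authenticated with {mech} without TLS: credentials crossed the wire in the clear")
    for proto, cipher, bits in report["tls_sessions"]:
        if proto in DEPRECATED_PROTOCOLS or bits < 128:
            out.append(f"deprecated or weak session: {proto} {cipher} ({bits} bits)")
    return out


# Constructed sample: lines quoted in the thread plus one made-up plaintext login (alice).
SAMPLE = """\
Jan 21 12:59:10 imapsrv imap[1518]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 21 12:59:10 imapsrv imap[1518]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
Jan 21 12:59:10 imapsrv imap[1518]: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
Jan 21 12:59:10 imapsrv imap[1518]: [ID 192010 local6.debug] decryption failed or bad record mac in SSL_accept() -> fail
Jan 21 12:59:10 imapsrv imap[1518]: [ID 239158 local6.notice] STARTTLS negotiation failed: myclient.our.com [xx.xx.6.52]
Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login: jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in
Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in
Jan 21 18:20:00 lvr13 imap[9901]: login: other-host.our.com [xx.xx.50.68] alice plaintext User logged in
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
"""

if __name__ == "__main__":
    for line in findings(triage(SAMPLE.splitlines())):
        print("-", line)
```

Feed it a real log with `triage(open("/var/log/imap.log").read().splitlines())`; the "-> fail" detail is attached to the first handshake failure only, which is adequate for per-PID triage but would need grouping by PID on a busy server.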