Expire (manually) TLS sessions?

Jorey Bump list at joreybump.com
Wed Jan 21 15:27:54 EST 2009


Jeff Blaine wrote, at 01/21/2009 01:36 PM:

> bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t 
> /var/imap/server.pem  imapsrv"

My understanding is that you only specify a keyfile if you're testing
client certificate authentication. For a normal test of TLS encryption,
it should be empty (but quoted):

 imtest -u bob -a bob -t "" mail.example.com

You'll still see this:

> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN 
> SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=20:unable to get local issuer certificate
> verify error:num=27:certificate not trusted
> verify error:num=21:unable to verify the first certificate

But you shouldn't see this:

> SSL_connect error 0
> SSL session removed
> failure: TLS negotiation failed!

If it works, you'll see this instead:

TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
C: C01 CAPABILITY
...

BTW, you probably shouldn't be advertising AUTH=PLAIN pre-STARTTLS. Try
something like this in imapd.conf, adjusted for the mechanisms you support:

 # authentication
 sasl_pwcheck_method: auxprop
 sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 allowplaintext: no

 # use this to enforce TLS with plaintext mechanisms
 sasl_minimum_layer: 128
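As an added illustration (not part of the thread or of Cyrus), a small Python checker that parses the pre-STARTTLS capability line quoted above for plaintext mechanisms and, optionally, performs the same STARTTLS upgrade as imtest but with full chain and hostname verification; the sample greeting is constructed from the quoted output and the host name in check_live is whatever you pass in.

```python
import imaplib
import re
import ssl

# Constructed from the greeting quoted in the thread (not a live capture).
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS "
                   "AUTH=PLAIN SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready")

# SASL mechanisms that expose the password to anyone on the wire if used
# before STARTTLS; CRAM-MD5 / DIGEST-MD5 are challenge-response and not listed.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechs(capability_text: str) -> set:
    """Return the set of SASL mechanisms advertised as AUTH=<mech> tokens."""
    return {m.upper() for m in re.findall(r"\bAUTH=([^\s\]]+)", capability_text)}


def assess_capabilities(capability_text: str) -> dict:
    """Judge one capability listing (greeting or CAPABILITY response) taken
    before STARTTLS: is STARTTLS offered, and which plaintext mechanisms leak?"""
    tokens = {t.upper().strip("[]") for t in capability_text.split()}
    return {
        "starttls": "STARTTLS" in tokens,
        "logindisabled": "LOGINDISABLED" in tokens,  # RFC 2595 hint to clients
        "plaintext_mechs_pre_tls": sorted(auth_mechs(capability_text) & PLAINTEXT_MECHS),
    }


def check_live(host: str, port: int = 143) -> dict:
    """Connect in the clear, record pre-TLS capabilities, then upgrade with
    full certificate verification (stricter than imtest -t "", which only warns).
    Raises ssl.SSLError / imaplib.IMAP4.error if STARTTLS or verification fails."""
    conn = imaplib.IMAP4(host, port)
    pre = " ".join(conn.capabilities)        # imaplib parses the greeting for us
    ctx = ssl.create_default_context()       # verifies chain and hostname
    conn.starttls(ctx)
    post = " ".join(conn.capabilities)       # re-read after the TLS upgrade
    tls_version = conn.sock.version()        # e.g. "TLSv1.2"; read before logout
    conn.logout()
    return {"pre_tls": assess_capabilities(pre),
            "post_tls_mechs": sorted(auth_mechs(post)),
            "tls_version": tls_version}
```

With the thread's greeting, assess_capabilities reports PLAIN as advertised before TLS, which is exactly what the imapd.conf change above is meant to stop.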


