STARTTLS TLS handshake fails after ServerKeyExchange

Jukka Huhta jukka.huhta at helsinki.fi
Wed Nov 11 07:57:52 EST 2009


We have a problem: when connecting to backend servers (with
cyradm/openssl s_client/whatever) the server just hangs in the TLS
handshake after ServerKeyExchange.  The reason for this is unknown to
us.

By reading RFC 5246, it seems to me that the client waits for
CertificateRequest or ServerHelloDone which is never received.
The client is stuck in the read system call and imapd is select()ing
something. Nothing happens.

It is strange that this happens in a test environment almost every
time and in a production environment in about 1/3 of the connection
attempts BUT never when connecting to a service running on a local
node, only when connecting to a remote node. A network related issue?

Cyradm also fails when I connect to a frontend and issue a command
that requires cyradm to connect to a remote backend. Otherwise
frontends work fine (without tls_ca_file defined).

After reading tls.c and imapd.c code we came to a conclusion: When
STARTTLS is used, the server wants to ask for a client certificate
regardless of whether the client certificates are in use or not.
Since we are not using them we worked this around by adding a new
config option tls_ask_cert: 0 and using it like the attached patch
shows.

Certainly I don't want to apply this patch in the production
environment before I fully understand what's really going on and
whether it is at all the right way to fix this problem.

Any hints, ideas, anything?

Running Cyrus 2.3.15 (rpm 2.3.15-4 by Simon Matter) on a CentOS 5.4
cluster (openssl 0.9.8e-12.el5).


-Jukka Huhta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-imapd-2.3.15-hy_askcert.patch
Type: text/x-diff
Size: 1144 bytes
Desc: 
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20091111/f4de7fc4/attachment.bin 
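As an added example, not part of Jukka's message or of the Cyrus code base: a small Python parser for a captured TLS 1.2 server flight (the records the server sends after the ClientHello) that lists the handshake message types in order and reports whether the flight was terminated by ServerHelloDone, the message the client in this report is waiting for. The two sample flights are constructed inline; with real input you would feed it the bytes read from the socket after sending the ClientHello.

```python
import struct

HANDSHAKE = 22          # TLS record content type for handshake messages
SERVER_HELLO_DONE = 14
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}

def parse_server_flight(data):
    """Walk TLS records in `data`; return (handshake types in order, flight complete?).
    A handshake message may span several records, so handshake record bodies
    are concatenated before the messages themselves are parsed."""
    hs_buf, off = b"", 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        body = data[off:off + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        off += length
        if ctype == HANDSHAKE:   # alerts / ChangeCipherSpec are not part of the flight
            hs_buf += body
    types, pos = [], 0
    while pos + 4 <= len(hs_buf):
        msg_type = hs_buf[pos]
        msg_len = int.from_bytes(hs_buf[pos + 1:pos + 4], "big")
        pos += 4
        if pos + msg_len > len(hs_buf):
            raise ValueError("truncated handshake message")
        types.append(msg_type)
        pos += msg_len
    return types, SERVER_HELLO_DONE in types

def describe(data):
    types, done = parse_server_flight(data)
    return [HS_NAMES.get(t, "type%d" % t) for t in types], done

# Helpers to build constructed sample flights (not captured traffic).
def hs_msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(payload):
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

# ServerHello body: version, 32-byte random, empty session id, cipher suite, compression
server_hello = hs_msg(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
# Constructed hang case: the flight stops after ServerKeyExchange, so the client keeps reading
HANG_FLIGHT = record(server_hello) + record(hs_msg(11, b"\x00\x00\x00")) + record(hs_msg(12, b"\x00" * 8))
# Constructed complete case: the server asks for a client cert and then sends ServerHelloDone
OK_FLIGHT = HANG_FLIGHT + record(hs_msg(13, b"\x00\x00\x00") + hs_msg(SERVER_HELLO_DONE, b""))
```

Run `describe(HANG_FLIGHT)` against bytes captured from a hanging connection to confirm the flight really ends at ServerKeyExchange; if it does, the client is behaving as RFC 5246 requires and the fault lies on the server side.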
