Cyrus SSL/TLS and StartCom SSL certificates?
Rich Wales
richw at richw.org
Sat Nov 21 14:34:02 EST 2009
I'm running Cyrus 2.3.14 on two Ubuntu 9.10 (Karmic) servers.
Recently, I installed new "StartSSL Free" SSL certificates from StartCom
on these servers. After doing so, I could no longer connect securely to
Cyrus in any mode (imaps, imap + starttls, pop3s, pop3 + starttls) -- the
client sat for a long time before timing out, and the syslog messages
on the server spoke vaguely about "STARTTLS negotiation failed", "Fatal
error: tls_start_servertls() failed", etc.
When I reinstated the older certificates (one purchased from Comodo, and
another self-signed), everything started working fine again.
These same StartCom certificates work just fine with Apache and Postfix,
so I don't think the certs are obviously broken in any way.
The only difference I've been able to identify so far is that the older
SSL certificates were using 1024-bit public keys, but the new certs from
StartCom are using 2048-bit public keys. Is this a known Cyrus issue?
If so, will upgrading to a newer version of Cyrus fix this problem? Or
is there a configuration option somewhere that will allow Cyrus 2.3.14
to use SSL certs with 2048-bit public keys?
StartCom doesn't offer SSL certs with 1024-bit public keys, by the way,
so that isn't an option here.
Rich Wales
richw at richw.org
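Checks one can run on the files that tls_cert_file and tls_key_file point at in imapd.conf, as an added example that is not part of this post or of the Cyrus project; it assumes openssl is installed, and CERT/KEY and the hostname are placeholders.

```shell
#!/bin/sh
# Diagnostic checks for a Cyrus IMAP STARTTLS failure after a certificate swap.
# Added example, not from the original post or the Cyrus project. Assumes
# openssl is installed; CERT and KEY are placeholders for the files that
# tls_cert_file and tls_key_file name in imapd.conf.
set -e

# Print the RSA modulus size (1024, 2048, ...) of a PEM certificate.
# Matches both "Public-Key:" (openssl 1.x/3.x) and "RSA Public Key:" (0.9.8).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate's public key and the private key share the
# same modulus, i.e. the pair installed for Cyrus actually belongs together.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus)
    [ "$c" = "$k" ]
}

# Count PEM certificate blocks in a file. A CA-issued server certificate
# installed without its intermediate gives 1 here, and clients then cannot
# build a chain from the server certificate up to a trusted root.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Drive the client side of the handshake Cyrus is failing: STARTTLS on the
# plain IMAP port, showing the certificates the server sends and the alert
# (if any) with which the session ends. Interactive; not covered by the checks.
starttls_probe() {
    openssl s_client -connect "$1:143" -starttls imap -showcerts </dev/null
}

# Usage, with the placeholder paths:
#   cert_key_bits    /etc/ssl/certs/CERT.pem
#   cert_matches_key /etc/ssl/certs/CERT.pem /etc/ssl/private/KEY.pem
#   pem_cert_count   /etc/ssl/certs/CERT.pem
#   starttls_probe   mail.example.org
```

Run the checks as the user Cyrus runs as, so that an unreadable key file shows up here rather than only as a vague "tls_start_servertls() failed" in syslog.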