Cyrus SSL/TLS and StartCom SSL certificates?

Jukka Huhta jukka.huhta at helsinki.fi
Sun Nov 22 08:48:00 EST 2009


On Sat, 21 Nov 2009, Rich Wales wrote:

> Recently, I installed new "StartSSL Free" SSL certificates from StartCom
> on these servers.  After doing so, I could no longer connect securely to
> Cyrus in any mode (imaps, imap + starttls, pop3s, pop3 + starttls) -- the
> client sat for a long time before timing out, and the syslog messages
> on the server spoke vaguely about "STARTTLS negotiation failed", "Fatal
> error: tls_start_servertls() failed", etc.

I don't know but the symptoms sound familiar (see my previous mail
with the subject line "STARTTLS TLS handshake fails after
ServerKeyExchange").

We tried to debug the problem by adding some logging to both Cyrus'
and OpenSSL's code. The problem may somehow be related to the CA file
reading. (My understanding of OpenSSL is too limited but after all it
all came down to a return value of -1 from BIO_write library call or
something...)

Anyway, removing extra CAs from ca-bundle.crt seems to fix it for us
too.


-Jukka Huhta
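A small helper, added here as an example (not from the thread, Cyrus or OpenSSL), for the workaround the post describes: list the CAs in ca-bundle.crt, rebuild a bundle that keeps only the ones the server's chain actually needs, and re-check the IMAP STARTTLS handshake afterwards. The bundle path, the host name and port 143 are assumptions.

```shell
#!/bin/sh
# Assumed default; override with BUNDLE=/path/to/ca-bundle.crt
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-bundle.crt}"

# Number of certificates in a PEM bundle.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print certificate number N (1-based) from a bundle, BEGIN to END inclusive.
pem_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Show the subject of every CA in the bundle so the unneeded ones can be spotted.
pem_list() {
    total=$(pem_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        printf '%d: ' "$i"
        pem_nth "$1" "$i" | openssl x509 -noout -subject
        i=$((i + 1))
    done
}

# Write a trimmed bundle containing only the given certificate numbers,
# e.g. pem_trim "$BUNDLE" /tmp/trimmed.crt 3 7   (indices from pem_list)
pem_trim() {
    src="$1"; dst="$2"; shift 2
    : > "$dst"
    for i in "$@"; do
        pem_nth "$src" "$i" >> "$dst"
    done
}

# Re-test the IMAP STARTTLS handshake against a server using the trimmed bundle
# (host name is a placeholder); a hang or "handshake failure" reproduces the symptom.
tls_check() {
    openssl s_client -starttls imap -connect "$1:143" -CAfile "$2" </dev/null 2>&1 \
        | grep -E 'Verify return code|handshake failure|alert'
}
```

Run `pem_list "$BUNDLE"` first, then `pem_trim` with the indices of the CAs your chain needs and `tls_check imap.example.org /tmp/trimmed.crt` to confirm the server negotiates again.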

