TLS fails on imaps port

Bob Dye bobdye at vintagefactor.com
Mon Jan 25 10:51:56 EST 2010


Patrick Boutilier wrote:
> On 01/24/2010 10:39 AM, Bob Dye wrote:
>   
>> Joseph Brennan wrote:
>>     
>>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye
>>> <bobdye at vintagefactor.com>  wrote:
>>>
>>>
>>>       
>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
>>>>
>>>> TLS works fine if I connect to the imap port (143). If I try to connect
>>>> instead via the imaps port (993), the attempt times out and I get the
>>>> following in the log:
>>>>
>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>
>>>>         
>>>
>>> Normal.  It should fail.  993 requires SSL.
>>>
>>>
>>> Joseph Brennan
>>> Columbia University Information Technology
>>>
>>>
>>> ----
>>> Cyrus Home Page:http://cyrusimap.web.cmu.edu/
>>> Cyrus Wiki/FAQ:http://cyrusimap.web.cmu.edu/twiki
>>> List Archives/Info:http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>
>>>       
>> 993 (the port) does not require SSL. The official IANA definition is
>> "imap4 protocol over TLS/SSL".
>>
>> Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some
>> reason?
>>     
>
> Assuming you are running imapd -s on port 993, from the man page for imapd:
>
> -s     Serve IMAP over SSL (imaps).  All data to and from imapd is 
> encrypted using the Secure Sockets Layer.
>
>> --
>>
>> Bob Dye
>> Vintagefactor
>>
>> <http://www.vintagefactor.com/>
>>
Yes, those are the words on the man page. I am reluctant to simply 
accept that as true because:

1. The man page does not say anything about TLS. It is difficult to draw 
conclusions from lack of documentation. You might assume that it does 
not support TLS at all, but it definitely does. I have seen a number of 
cases where software documentation has not been updated to reflect TLS 
(vs. SSL).

2. The error message ("imaps TLS negotiation failed") implies that 
cyrus-imapd is trying to support TLS and failing. If it supported only 
SSL, it would presumably not try TLS.

-- 

Bob Dye
Vintagefactor

<http://www.vintagefactor.com/>
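
The thread turns on the difference between the imaps listener (`imapd -s`, port 993), where the SSL/TLS handshake starts with the client's first bytes, and the imap port (143), where the session starts in plaintext. The Python sketch below is an added illustration, not part of the original post and not Cyrus code: it classifies the first bytes a client sends and labels what each kind of listener would do with them. The function names, outcome labels and sample bytes are constructed, and treating STARTTLS as the upgrade used on port 143 is an assumption the thread does not spell out.

```python
import re

# Simplified IMAP command line: tag, space, command word, e.g. b"a1 STARTTLS\r\n"
IMAP_CMD = re.compile(rb"^[A-Za-z0-9.]+ ([A-Za-z]+)")

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a fresh connection."""
    if not data:
        return "silent"  # client sent nothing and waits for a server greeting
    # TLS/SSLv3 record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # SSLv2-format ClientHello: high bit set in the length, message type 0x01
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello"
    m = IMAP_CMD.match(data)
    if m:
        return "imap-starttls" if m.group(1).upper() == b"STARTTLS" else "imap-plaintext"
    return "unknown"

def listener_outcome(implicit_tls: bool, first: str) -> str:
    """Outcome labels (hypothetical): 'proceeds', 'stalls' or 'fails'."""
    if implicit_tls:  # imapd -s: handshake is expected before any IMAP traffic
        if first in ("tls-handshake", "sslv2-hello"):
            return "proceeds"
        return "stalls" if first == "silent" else "fails"
    # Plaintext listener: greeting first, encryption only after an in-band upgrade
    if first in ("silent", "imap-starttls", "imap-plaintext"):
        return "proceeds"
    return "fails"

# Constructed sample inputs (not captured traffic)
SAMPLES = {
    "tls client hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "sslv2-format hello": b"\x80\x2e\x01\x00\x02",
    "starttls command": b"a1 STARTTLS\r\n",
    "waits for greeting": b"",
}

def report() -> dict:
    """Map each sample to (kind, outcome on imaps listener, outcome on imap listener)."""
    out = {}
    for name, raw in SAMPLES.items():
        kind = classify_first_bytes(raw)
        out[name] = (kind, listener_outcome(True, kind), listener_outcome(False, kind))
    return out

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:20s} {row}")
```
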
