TLS fails on imaps port

Patrick Boutilier boutilpj at ednet.ns.ca
Mon Jan 25 13:29:39 EST 2010


On 01/25/2010 02:26 PM, Bob Dye wrote:
> Patrick Boutilier wrote:
>> On 01/25/2010 11:51 AM, Bob Dye wrote:
>>> Patrick Boutilier wrote:
>>>> On 01/24/2010 10:39 AM, Bob Dye wrote:
>>>>
>>>>> Joseph Brennan wrote:
>>>>>
>>>>>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye
>>>>>> <bobdye at vintagefactor.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
>>>>>>>
>>>>>>> TLS works fine if I connect to the imap port (143). If I try to connect
>>>>>>> instead via the imaps port (993), the attempt times out and I get the
>>>>>>> following in the log:
>>>>>>>
>>>>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Normal. It should fail. 993 requires SSL.
>>>>>>
>>>>>>
>>>>>> Joseph Brennan
>>>>>> Columbia University Information Technology
>>>>>>
>>>>>>
>>>>>> ----
>>>>>> Cyrus Home Page:http://cyrusimap.web.cmu.edu/
>>>>>> Cyrus Wiki/FAQ:http://cyrusimap.web.cmu.edu/twiki
>>>>>> List Archives/Info:http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>>
>>>>>>
>>>>> 993 (the port) does not require SSL. The official IANA definition is
>>>>> "imap4 protocol over TLS/SSL".
>>>>>
>>>>> Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some
>>>>> reason?
>>>>>
>>>>
>>>> Assuming you are running imapd -s on port 993, from the man page for
>>>> imapd:
>>>>
>>>> -s Serve IMAP over SSL (imaps). All data to and from imapd is
>>>> encrypted using the Secure Sockets Layer.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> --
>>>>>
>>>>> Bob Dye
>>>>> Vintagefactor
>>>>>
>>>>> <http://www.vintagefactor.com/>
>>>>>
>>>>>
>>>>>
>>>>
>>> Yes, those are the words on the man page. I am reluctant to simply
>>> accept that as true because:
>>>
>>> 1. The man page does not say anything about TLS. It is difficult to draw
>>> conclusions from lack of documentation. You might assume that it does
>>> not support TLS at all, but it definitely does. I have seen a number of
>>> cases where software documentation has not been updated to reflect TLS
>>> (vs. SSL).
>>>
>>> 2. The error message ("imaps TLS negotiation failed") implies that
>>> cyrus-imapd is trying to support TLS and failing. If it supported only
>>> SSL, it would presumably not try TLS.
>>
>>
>> What IMAP client are you using? Sounds like you are trying to use
>> STARTTLS.
>>
>> http://sial.org/howto/openssl/tls-name/
>>
>>
>>
>>
>>>
>>> --
>>>
>>> Bob Dye
>>> Vintagefactor
>>>
>>> <http://www.vintagefactor.com/>
>>>
>>>
>>>
>>
> Patrick,
>
> I use Mozilla Thunderbird.


Use SSL/TLS instead of STARTTLS for connection security.



>
> --
>
> Bob Dye
> Vintagefactor
>
> <http://www.vintagefactor.com/>
>
>
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
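
The mismatch in this thread can be checked from the client side: on a cleartext IMAP port the server greets first, while on an `imapd -s` port nothing is sent until the client starts the TLS handshake, so a client set to STARTTLS waits for a greeting until it times out. The following Python probe is an added example, not code from the thread or from Cyrus; `probe_imap_port`, `fake_listener` and the loopback greetings are hypothetical names and constructed inputs.

```python
import socket
import ssl
import threading

def probe_imap_port(host, port, wait=1.0, context=None):
    """Report which side has to speak first on an IMAP listener.

    "cleartext-greeting": server greeted in the clear (143-style; upgrade
        with STARTTLS if the server offers it).
    "implicit-tls": silent until a TLS handshake completed (imapd -s style).
    "no-imap": no greeting either way (handshake failed or timed out).
    """
    with socket.create_connection((host, port), timeout=wait) as sock:
        try:
            if sock.recv(512).startswith(b"* "):    # untagged greeting, e.g. "* OK"
                return "cleartext-greeting"
        except socket.timeout:
            pass    # a STARTTLS client hangs exactly here against an imaps port
    context = context or ssl.create_default_context()   # certificate is verified
    try:
        with socket.create_connection((host, port), timeout=wait) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                greeted = tls.recv(512).startswith(b"* ")
                return "implicit-tls" if greeted else "no-imap"
    except (ssl.SSLError, OSError):
        return "no-imap"

def fake_listener(greeting):
    """Constructed loopback server: sends `greeting`, or stays silent if None."""
    srv = socket.create_server(("127.0.0.1", 0))
    held = []                       # keep accepted sockets open for the probe
    def serve():
        while True:
            conn, _ = srv.accept()
            held.append(conn)
            if greeting:
                conn.sendall(greeting)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed inputs: one greeting listener and one that never speaks.
    print(probe_imap_port("127.0.0.1", fake_listener(b"* OK constructed\r\n")))
    print(probe_imap_port("127.0.0.1", fake_listener(None), wait=0.5))
```

The silent constructed listener speaks no TLS, so it reports `no-imap`; a real `imapd -s` listener with a certificate the client trusts would report `implicit-tls`.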
