Basic two host replication scenario, SSL failure

Bron Gondwana brong at fastmail.fm
Mon Jul 11 08:40:18 EDT 2011


On Mon, Jul 11, 2011 at 12:57:34PM +0300, Ivan Lezhnjov Jr. wrote:
> This is a follow-up.
> 
> I tried synctest and it basically pointed at the same issue.
> 
> [root at imapsite-replica scripts]# synctest -a cyrusadmin -u cyrusadmin
> -t "" master
> S: * SASL PLAIN
> S: * STARTTLS
> S: * COMPRESS DEFLATE
> S: * OK imapsite-master Cyrus sync server v2.4.10-Kolab-2.4.10-1
> C: STARTTLS
> S: OK Begin TLS negotiation now
> verify error:num=18:self signed certificate
> 
> I can login if I omit -t "". So, I tried to disable TLS by commenting
> out tls_* lines in imapd.conf of both hosts and starting the
> cyrus-imap to serve only imap service (disalbed imaps, pop, etc.)
> 
> Now, with this TLS-less configuration B switched to master outputs to logs:
> 
> Jul 11 12:51:09 imapsite-replica sync_client[1444]: couldn't
> authenticate to backend server: no mechanism available
> Jul 11 12:52:39 imapsite-replica last message repeated 2 times
> 
> and A switched to replica outputs the following:
> Jul 11 12:51:09 imapsite-master syncserver[18209]: accepted connection
> Jul 11 12:51:09 imapsite-master syncserver[18209]: cmdloop(): startup
> Jul 11 12:51:39 imapsite-master syncserver[18209]: accepted connection
> Jul 11 12:51:39 imapsite-master syncserver[18209]: cmdloop(): startup
> Jul 11 12:52:39 imapsite-master syncserver[18209]: accepted connection
> Jul 11 12:52:39 imapsite-master syncserver[18209]: cmdloop(): startup
> 
> Replication doesn't succeed, obviously.


Our "sync server block" looks like this:

sync_server [% CONF %] -p 1

(template toolkit magic for the configuration file paths)

The -p 1 is this:
       -p ssf Tell  sync_server  that  an  external layer exists.  An SSF (security strength
              factor) of 1 means an integrity  protection  layer  exists.   Any  higher  SSF
              implies some form of privacy protection.

So -p 1 allows plaintext authentication to succeed without TLS.

Bron.


More information about the Info-cyrus mailing list