TLS errors on cyrus imapd log file

Andrew Morgan morgan at orst.edu
Mon Sep 24 16:22:46 EDT 2012


The code block which generates the log error is:

     if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
         (!SSL_CTX_set_default_verify_paths(s_ctx))) {
         /* just a warning since this is only necessary for client auth */
         syslog(LOG_NOTICE,"TLS server engine: cannot load CA data");
     }

If you are not using TLS client auth (x509 client certs), then you could 
ignore the error.  But errors in logs are annoying, so it would be nice to 
fix it.

Is /etc/pki/CA/INFN-CA.pem readable by the user Cyrus runs as?

Does the following openssl command report any errors:

   openssl x509 -in /etc/pki/CA/INFN-CA.pem -text

How about this command:

   openssl s_client -connect <imap_server_name>:993 -CAfile /etc/pki/CA/INFN-CA.pem


    Andy

On Thu, 20 Sep 2012, Riccardo Veraldi wrote:

> these are my settings
>
> tls_cert_file: /etc/pki/tls/certs/iride.pem
> tls_key_file: /etc/pki/tls/private/iride.key
> tls_ca_file: /etc/pki/CA/INFN-CA.pem
>
>
> On 9/20/12 8:15 PM, Andrew Morgan wrote:
>> On Thu, 20 Sep 2012, Riccardo Veraldi wrote:
>> 
>>> Hello,
>>> I am using cyrus-imapd-2.4.10
>>> 
>>> I have configured it properly with X509 certificates.
>>> Everything is working fine but for every client connection I receive
>>> this error: TLS server engine: cannot load CA data
>>> 
>>> Sep 16 04:04:42 iride imaps[9363]: TLS server engine: cannot load CA data
>>> Sep 16 04:04:42 iride imaps[9363]: imapd:Loading hard-coded DH parameters
>>> Sep 16 04:04:42 iride imaps[9363]: SSL_accept() incomplete -> wait
>>> Sep 16 04:04:42 iride imaps[9363]: SSL_accept() succeeded -> done
>>> Sep 16 04:04:42 iride imaps[9363]: starttls: TLSv1 with cipher
>>> DHE-RSA-AES256-SHA (256/256 bits reused) no authentication
>>> Sep 16 04:04:42 iride imaps[9363]: login: wilco.mylocaldomain.org
>>> [172.16.10.94] username plain+TLS User logged in
>>> 
>>> X509 certificate is ok it is not expired; it complains about CA
>>> certificate data, but the certificate path inside imapd.conf is correct.
>>> 
>>> what the problem could be ?
>> 
>> What are your tls_* settings in imapd.conf?  I am running Cyrus v2.4.16 and 
>> do not see the "cannot load CA data" error in my logs.  Here are my tls_* 
>> settings:
>> 
>> tls_ca_path: /etc/ssl/certs
>> tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
>> tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key
>>
>>     Andy
>
>
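Added example (not part of the thread and not Cyrus code): the quoted Cyrus snippet calls SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths() and, on failure, logs only "cannot load CA data" without the OpenSSL error-queue reason. Python's ssl module wraps the same two OpenSSL calls (SSLContext.load_verify_locations and SSLContext.set_default_verify_paths), so the script below repeats the sequence against the configured tls_ca_file / tls_ca_path and surfaces the real reason (missing file, permission denied, no PEM certificate in the file, ...). It also does the "is it readable by the Cyrus user" check from permission bits only, including the execute bit on every parent directory, which matters when the CA file sits under a 0700 directory such as the private-key directory. The paths are the ones from the thread; the service account name "cyrus" is an assumption.

```python
"""Reproduce Cyrus' CA-loading step and report OpenSSL's actual reason.

Added example, not Cyrus code.  Python maps:
  SSLContext.load_verify_locations   -> SSL_CTX_load_verify_locations
  SSLContext.set_default_verify_paths -> SSL_CTX_set_default_verify_paths
"""
import os
import pwd
import ssl
import stat
import tempfile


def check_ca_data(cafile=None, capath=None):
    """Mimic the quoted Cyrus condition.  Returns (ok, detail)."""
    if cafile is None and capath is None:
        # X509_STORE_load_locations() returns 0 when both are NULL, i.e.
        # when neither tls_ca_file nor tls_ca_path is configured.
        return False, "cannot load CA data: no CA file or CA path configured"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
        # Cyrus runs this too; OpenSSL ignores missing defaults here.
        ctx.set_default_verify_paths()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        # This is the detail Cyrus' syslog line leaves out.
        return False, f"cannot load CA data: {exc}"
    n_ca = ctx.cert_store_stats()["x509_ca"]
    return True, f"loaded {n_ca} CA certificate(s) from {cafile or capath}"


def readable_by(path, uid, gid):
    """Pure permission-bit check: could a process with this uid/gid read
    `path`?  Ignores supplementary groups, ACLs and the root override, so it
    answers the same whether or not you run it as root.  Every directory on
    the way must carry the search (x) bit; the file itself the read bit."""

    def allowed(st, owner_bit, group_bit, other_bit):
        if st.st_uid == uid:
            return bool(st.st_mode & owner_bit)
        if st.st_gid == gid:
            return bool(st.st_mode & group_bit)
        return bool(st.st_mode & other_bit)

    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    parents = []
    while True:
        parents.append(parent)
        if parent == os.path.dirname(parent):  # reached "/"
            break
        parent = os.path.dirname(parent)
    for d in parents:
        if not allowed(os.stat(d), stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return allowed(os.stat(path), stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


if __name__ == "__main__":
    # tls_ca_file from the thread; the service account name is assumed.
    CA_FILE = "/etc/pki/CA/INFN-CA.pem"
    SERVICE_USER = "cyrus"
    print(*check_ca_data(cafile=CA_FILE))
    try:
        pw = pwd.getpwnam(SERVICE_USER)
        print(f"readable by {SERVICE_USER}:",
              readable_by(CA_FILE, pw.pw_uid, pw.pw_gid))
    except (KeyError, FileNotFoundError) as exc:
        print("permission check skipped:", exc)
    # Sanity reference: an empty directory as CApath always "loads".
    with tempfile.TemporaryDirectory() as empty_dir:
        print(*check_ca_data(capath=empty_dir))
```

Run it as root on the IMAP host so os.stat() can reach the file; the readable_by() result is computed from the mode bits, so it still reports what the unprivileged Cyrus process would see. If check_ca_data() succeeds for the file but Cyrus keeps logging the notice, the remaining suspects are the process environment (a chroot or SELinux denial that the bit check cannot see) or a different imapd.conf being read than the one you edited.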