cyrus 2.4.17 TLS woes

Patrick Goetz pgoetz at
Thu Jan 15 07:34:44 EST 2015

So, perhaps unsurprisingly, TLS is giving me problems.  I'm trying to 
enforce allowplaintext: no  and am running into some issues with ciphers.

I started with this cipher list:

     tls_cipher_list: TLSv1.2+HIGH:!aNULL:@STRENGTH

and got this error:

     no shared cipher in SSL_accept() -> fail

After a little googling I tried:

     tls_cipher_list: !SSlv2:!SSLv3:!aNULL:@STRENGTH

Something like that apparently works for dovecot, but just failed 

     TLS server engine: cannot load cipher list 

Does anyone have a secure, functional cipher list entry they'd like to 

Also, different problem.  I noticed this in previous installations of 
cyrus, but just ignored the error, as everything was working.  Every 
time I run imtest (or when a TLS connection is made) the following error 
is logged:

     TLS server engine: No CA file specified. Client side certs may not work

I created a self-signed certificate + private key file as per the 
instructions given in the documentation (more or less), and set

     tls_cert_file: /etc/cyrus/private/cyrus.pem

Thinking the system might also need access to CA certificates for some 
reason, I then also set a valid CA cert path:

     tls_ca_path: /etc/ssl/certs

All the file permissions are correct, as far as I can tell (i.e. the 
cert/key file is owned by cyrus with umask 600, in a folder owned by 
cyrus with umask 700.

Any idea why cyrus is giving this error message and how to get rid of it?

More information about the Info-cyrus mailing list