cyrus 2.4.17 TLS woes
Patrick Goetz
pgoetz at mail.utexas.edu
Thu Jan 15 07:34:44 EST 2015
So, perhaps unsurprisingly, TLS is giving me problems. I'm trying to
enforce allowplaintext: no and am running into some issues with ciphers.
I started with this cipher list:
tls_cipher_list: TLSv1.2+HIGH:!aNULL:@STRENGTH
and got this error:
no shared cipher in SSL_accept() -> fail
After a little googling I tried:
tls_cipher_list: !SSlv2:!SSLv3:!aNULL:@STRENGTH
Something like that apparently works for dovecot, but just failed
completely:
TLS server engine: cannot load cipher list
'!SSlv2:!SSLv3:!aNULL:@STRENGTH'
Does anyone have a secure, functional cipher list entry they'd like to
share?
Also, different problem. I noticed this in previous installations of
cyrus, but just ignored the error, as everything was working. Every
time I run imtest (or when a TLS connection is made) the following error
is logged:
TLS server engine: No CA file specified. Client side certs may not work
I created a self-signed certificate + private key file as per the
instructions given in the documentation (more or less), and set
tls_cert_file: /etc/cyrus/private/cyrus.pem
Thinking the system might also need access to CA certificates for some
reason, I then also set a valid CA cert path:
tls_ca_path: /etc/ssl/certs
All the file permissions are correct, as far as I can tell (i.e. the
cert/key file is owned by cyrus with umask 600, in a folder owned by
cyrus with umask 700).
Any idea why cyrus is giving this error message and how to get rid of it?
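An added check, not part of the original post or of cyrus itself: Python's ssl module drives the same OpenSSL cipher-string parser that cyrus hands tls_cipher_list to, so a candidate list can be tried on the box before it goes into imapd.conf. It shows that a list made only of "!" exclusions selects nothing (OpenSSL starts from an empty selection, and silently skips unrecognised tokens such as the misspelled SSlv2 rather than reporting them), which is the condition behind "cannot load cipher list". It assumes Python's ssl is built against OpenSSL 1.0.2 or newer.

```python
import ssl

# Added example, not code from the original post or from cyrus.
# Assumes Python's ssl module is linked against OpenSSL 1.0.2 or newer.


def resolve_cipher_list(cipher_string):
    """Feed a tls_cipher_list value to OpenSSL's cipher-string parser.

    Returns the selected cipher names, or None when OpenSSL rejects the
    string because it matched no cipher, which is what makes cyrus log
    'TLS server engine: cannot load cipher list'.  Unknown tokens (for
    instance the typo 'SSlv2') are skipped silently, not reported.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # On OpenSSL >= 1.1.1 get_ciphers() also lists the fixed TLS 1.3 suites,
    # which tls_cipher_list does not control; keep only the pre-1.3 ones.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def min_protocols(cipher_string):
    """Lowest protocol version each selected (pre-1.3) suite can run under.

    Note that '!SSLv3' in a cipher string removes suites whose minimum
    version is SSLv3; disabling the SSLv3 protocol itself is a separate
    server option, not something the cipher list does.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["protocol"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def anonymous_suites(cipher_string):
    """Anonymous (aNULL) suites that slipped through; should be empty."""
    names = resolve_cipher_list(cipher_string) or []
    return [n for n in names if n.startswith(("ADH-", "AECDH-"))]


if __name__ == "__main__":
    # The two strings from the post plus one that starts from a positive
    # selector (HIGH), which is what the all-exclusion string was missing.
    for s in ("TLSv1.2+HIGH:!aNULL:@STRENGTH",
              "!SSlv2:!SSLv3:!aNULL:@STRENGTH",
              "HIGH:!SSLv3:!aNULL:@STRENGTH"):
        names = resolve_cipher_list(s)
        if names is None:
            print("%-34s rejected: selects no cipher" % s)
        else:
            print("%-34s %d suites, min versions %s" % (s, len(names), sorted(min_protocols(s))))
```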