Problems with SSL

Infraestructura TIC - UNNOBA tecnologia at unnoba.edu.ar
Tue Nov 29 11:25:26 EST 2016 

Hello!
I'm using cyrus on Debian vm for several years but now, SSL starts to fail:

    Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
hard-coded DH parameters
    Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]

I tried with self-signed certificates, and third-party ones, but the
result is the same.
I spent two days trying to figure out what happened, without results.

    #openssl s_client -connect mail.server.test:993 -crlf -state
    CONNECTED(00000003)
    SSL_connect:before SSL initialization
    SSL_connect:SSLv3/TLS write client hello
    SSL3 alert read:fatal:handshake failure
    SSL_connect:error in SSLv3/TLS write client hello
    140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
    40
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1480435442
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
   
     
I'm using this versions:

cyrus-admin                           2.5.10-2
cyrus-clients                         2.5.10-2
cyrus-common                          2.5.10-2
cyrus-doc                             2.5.10-2
cyrus-imapd                           2.5.10-2
cyrus-murder                          2.5.10-2
cyrus-pop3d                           2.5.10-2
cyrus-replication                     2.5.10-2



Both, certificate and key, are accesibles by user cyrus. Certificate is
up-to-date.

This is the config:

$sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
    [...]
    tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
    tls_client_ca_dir: /etc/ssl/certs
    tls_client_ca_file: /etc/ssl/certs/cyrus.pem
    tls_server_cert: /etc/ssl/certs/cyrus.pem
    tls_server_key: /etc/ssl/private/cyrus.key
    tls_session_timeout: 0
    [...]


And before I declared myself "I'm completely lost", I was watching
entropy ... but is ok.

#cat /proc/sys/kernel/random/entropy_avail
2354



¿Any suggestions?

Thanks in advance!



Javier.-

More information about the Info-cyrus mailing list