sslv3 alert certificate unknown in SSL_accept() -> fail

Anton a_shilov at inbox.ru
Sat May 20 23:02:07 EDT 2017


Hi Marcus!
The problem looks like the Java app cannot validate the new cert. Check the ssl_store for your Java-based mail gate. Are there CA and intermediate SSL certificates for your new 256ssl cert in the mail gate's SSL store?

> Hi,
> 
> today I changed my SSL certificates to "sha256WithRSAEncryption",
> because Thunderbird started complaining about my old SHA1
> certificates. ;) One pop3s client (it's a kind of Java-based mailgate)
> causes a lot of these errors, not at each connect, but on about two of
> 140 mailbox connects within 5 minutes:
> 
> 
> mail log:
> ----------
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete -> wait
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate unknown in SSL_accept() -> fail
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed: ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx]
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error: tls_start_servertls() failed
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: counts: retr=<0> top=<0> dele=<0>
> ----------
> 
> error log:
> ----------
> May 20 23:12:07 mailserv cyrus/pop3s[17838]: Fatal error: tls_start_servertls() failed
> ----------
> 
> If I check pop3s with my Thunderbird or other clients everything is
> fine. SSL checker e.g. on https://decoder.link/sslchecker doesn't show
> any errors and it's only this one pop3 client, which causes this error.
> 
> I didn't change anything in imap.conf, other than replacing the cert files and
> reloading imapd
> 
> tls_cert_file
> tls_key_file
> tls_ca_file
> 
> tls_cipher_list is unchanged:
> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> 
> Is the client sending a client certificate, which my server doesn't
> like? But I don't ask for any client certificates.
> 
> System: cyrus 2.4.12
> 
> Ciao
> Marcus
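
Added example, not part of either poster's message: the missing-intermediate case suggested in the reply, reproduced offline with the `openssl` command-line tool. The PKI (demo-root, demo-int, mail.example.test) and all file names are constructed for the demo; it shows that a client trusting only the root rejects a bare server certificate, and accepts it once the intermediate is either sent by the server or present in the client's trust store.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI demo-root -> demo-int -> mail.example.test.
# All names are made up for the demo; requires the openssl command-line tool.

new_csr() {  # $1 = dir, $2 = CN; writes $1/$2.key and $1/$2.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = existing work dir; writes root.pem, int.pem, leaf.pem
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" demo-root && new_csr "$d" demo-int \
    && new_csr "$d" mail.example.test || return 1
  # Self-signed root CA.
  openssl x509 -req -sha256 -days 2 -in "$d/demo-root.csr" \
    -signkey "$d/demo-root.key" -extfile "$d/ca.ext" \
    -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA signed by the root.
  openssl x509 -req -sha256 -days 2 -in "$d/demo-int.csr" -CA "$d/root.pem" \
    -CAkey "$d/demo-root.key" -set_serial 2 -extfile "$d/ca.ext" \
    -out "$d/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate signed by the intermediate.
  openssl x509 -req -sha256 -days 2 -in "$d/mail.example.test.csr" \
    -CA "$d/int.pem" -CAkey "$d/demo-int.key" -set_serial 3 \
    -out "$d/leaf.pem" 2>/dev/null || return 1
  # A client trust store that also contains the intermediate.
  cat "$d/root.pem" "$d/int.pem" > "$d/root+int.pem"
}

# $1 = client trust store, $2 = server cert, $3 = extra certs the server sends
chain_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>/dev/null \
    | grep -q ': OK$'
}

report() {  # $1 = label, remaining args as for chain_ok
  if chain_ok "$2" "$3" "$4"; then echo "$1: verifies"; else echo "$1: rejected"; fi
}

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  report "client trusts root, server sends leaf only" "$d/root.pem" "$d/leaf.pem"
  report "client trusts root, server sends leaf+intermediate" \
    "$d/root.pem" "$d/leaf.pem" "$d/int.pem"
  report "client store has root+intermediate, leaf only" "$d/root+int.pem" "$d/leaf.pem"
  rm -rf "$d"
}
demo
```

To see which certificates a live server actually sends, `openssl s_client -connect HOST:995 -showcerts` (HOST is a placeholder) prints the presented chain.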