Hi,

For 1 or 2 months I have had problems with TLS connections to my Cyrus server in IMAP. I will try to explain the configuration and the problem. First of all, here are my cyrus.conf and imapd.conf:

/etc/cyrus.conf:

START {
  recover cmd="ctl_cyrusdb -r"
}

SERVICES {
  imap      cmd="imapd -p 2 -s -U 1 -T 60" listen="143" prefork=8
  imaps     cmd="imapd -p 2 -s -U 1 -T 60" listen="993" prefork=1
  cyradm    cmd="imapd -p 0 -U 1 -T 60" listen="8143" prefork=1
  sieve     cmd="timsieved" listen="127.0.0.1:2000" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}

EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=30
  delprune   cmd="ctl_deliver -E 3" period=1440
  tlsprune   cmd="tls_prune" period=1440
}

/etc/imapd.conf:

configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/imap/sieve
tls_ca_file: /etc/ssl/certs/XXXX.pem
tls_cert_file: /etc/cyrus/imap.crt
tls_key_file: /etc/cyrus/imap.key
admins: cyrus@xxxxxxxx
hashimapspool: yes
allowanonymouslogin: no
allowplaintext: yes
allowusermoves: no
sieveusehomedir: no
defaultdomain: XXXX.loc
virtdomains: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0

As you can see, I have a little CA, so I put in the CA root certificate, and imap.crt is signed by XXXX.pem.
The server runs a Gentoo 2006.0 installation with the following versions of cyrus-imapd and openssl:

[ebuild   R   ] net-mail/cyrus-imapd-2.2.12
[ebuild   R   ] dev-libs/openssl-0.9.7i

Here is the result of imtest in TLS (-s on port 143):

imtest -p 143 -s -a XXXX@xxxxxxxx 127.0.0.1
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE LOGIN
S: + VXNlcm5hbWU6
Please enter your password:
C: b3ViYUBvdWJhLm9yZw==
S: + UGFzc3dvcmQ6
C: bGdXM2l2e1s=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
With the log:

==> notice.log <==
Jul 5 14:01:07 smtp imap[27666]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul 5 14:01:10 smtp imap[27666]: login: localhost [127.0.0.1] XXXX@xxxxxxxx LOGIN+TLS User logged in

And also the result of imtest in SSL (-s on port 993):

imtest -p 993 -s -a XXXX@xxxxxxxx 127.0.0.1
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE LOGIN
S: + VXNlcm5hbWU6
Please enter your password:
C: b3ViYUBvdWJhLm9yZw==
S: + UGFzc3dvcmQ6
C: bGdXM2l2e1s=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
. LOGOUT
* BYE LOGOUT received
. OK Completed
Connection closed.
With the log:

==> notice.log <==
Jul 5 14:02:08 smtp imap[27665]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul 5 14:02:11 smtp imap[27665]: login: localhost [127.0.0.1] XXXX@xxxxxxxx LOGIN+TLS User logged in

The same thing with the s_client of openssl:

openssl s_client -host 127.0.0.1 -port 143 -tls1
CONNECTED(00000003)
depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
 1 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
<...snip...>
-----END CERTIFICATE-----
subject=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
issuer=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 2058 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: CA9CCA52A78CCF48A2947BC93ADCCA46D886F571E6349AED3BBE5A49ABD1BC73
    Session-ID-ctx:
    Master-Key: EEF680291C80759D9C511FD0EA081E9F198157113BC1FF845B262B7F4CBE97E6D985671CC32F9D2DF1D106A125DE4FBB
    Key-Arg   : None
    Start Time: 1152101081
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
. LOGOUT
* BYE LOGOUT received
. OK Completed
read:errno=0

And in SSL:

openssl s_client -host 127.0.0.1 -port 993 -ssl3
CONNECTED(00000003)
depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
 1 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
   i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
<...snip...>
-----END CERTIFICATE-----
subject=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=XXXX@xxxxxxxx
issuer=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 2074 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: DF383DECC1677110482A1FEA576EB9D52EBE1E2124DD5C871C1B192F7B6FE000
    Session-ID-ctx:
    Master-Key: 9C92EA25D229A8847795511A83D3790E6CDDC8E7AA4B97A9DF964D4DDA054104CD93E1C852F7D0B848B3CE647F177CAA
    Key-Arg   : None
    Start Time: 1152101127
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
. LOGOUT
* BYE LOGOUT received
. OK Completed
read:errno=0

With the two lines of log (I didn't authenticate myself):

Jul 5 14:04:41 smtp imap[27742]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul 5 14:05:27 smtp imaps[28081]: starttls: SSLv3 with cipher AES256-SHA (256/256 bits new) no authentication

So it seems everything works fine. Now I try to connect with Thunderbird with a fresh new profile. If I choose SSL on port 993:

Jul 5 14:09:03 smtp imaps[28175]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul 5 14:09:09 smtp imaps[28175]: login: 4be54-5-82-244-105-30.fbx.proxad.net [82.244.105.30] XXXX@xxxxxxxx plain+TLS User logged in

But if I switch to TLS on port 143, after a while (about 2 or 3 minutes):

==> err.log <==
Jul 5 14:11:05 smtp imap[27757]: Fatal error: tls_start_servertls() failed

==> notice.log <==
Jul 5 14:11:05 smtp imap[27757]: imaps TLS negotiation failed: 4be54-5-82-244-105-30.fbx.proxad.net [82.244.105.30]

If I do an ssldump session in TLS on port 143, I only get:

ssldump \( port 993 or port 143 \) and host www.ouba.org
New TCP connection #1: XXXX.XXXX.XXX(35964) <-> smtp.ouba.org(143)

It seems it does not even try to negotiate anything. But in SSL on port 993:

ssldump \( port 993 or port 143 \) and host XXX.XXXX.XXX
New TCP connection #1: XXXX.XXXX.XXX(32799) <-> XXXX.XXXX.XXX(993)
1 1  0.0555 (0.0555)  C>S  SSLv2 compatible client hello
  Version 3.1
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_RC2
  SSL2_CK_3DES
  SSL2_CK_DES
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  Unknown value 0x33
  Unknown value 0x32
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  Unknown value 0x2f
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2  0.1763 (0.1208)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          58 5d aa 2a 1a dd 12 9d 98 d6 be e0 56 8b 75 a3
          95 70 c3 8b 96 7b 90 de 9c 5c 75 68 f1 ef 6d d2
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.1813 (0.0049)  S>C  Handshake
      Certificate
1 4  0.1813 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  4.1021 (3.9208)  C>S  Handshake
      ClientKeyExchange
1 6  4.1021 (0.0000)  C>S  ChangeCipherSpec
1 7  4.1021 (0.0000)  C>S  Handshake
1 8  4.1753 (0.0731)  S>C  ChangeCipherSpec
1 9  4.1753 (0.0000)  S>C  Handshake
1 10 4.2324 (0.0571)  S>C  application_data
1 11 4.2360 (0.0036)  C>S  application_data
1 12 4.2965 (0.0604)  S>C  application_data

Do you think the problems come from Thunderbird or from Cyrus? Thunderbird used to work well in TLS, and I've got the same problem with Kontact. I haven't tried another client; if I have the time, I will have a test with Outlook Express, Outlook and Opera.

Thanks for your help if possible.

Best regards,
Denis Sacchet

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
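The STARTTLS path that imtest -s walks on port 143, written out step by step as an added Python example (not code from the post or from the Cyrus project): it stops at the first step that does not complete (no "* OK" greeting, a CAPABILITY reply without STARTTLS, a refused STARTTLS, or a failed TLS handshake and chain check against the CA from tls_ca_file) and names that step, which is exactly what ssldump cannot report when no ClientHello ever appears. probe_scripted and its fake server are constructed test scaffolding, and imap.example.test is a placeholder hostname.

```python
import socket
import ssl
import threading

def read_reply(rfile, tag):
    """Read reply lines up to and including the tagged completion line for `tag`."""
    lines = []
    for raw in rfile:
        lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
        if lines[-1].startswith(tag + " "):
            return lines
    raise ConnectionError("server closed the connection")

def probe_starttls(sock, server_hostname, cafile=None):
    """Greeting -> CAPABILITY -> STARTTLS -> handshake on an open socket.
    Returns (stage, detail); only stage 'tls' means the upgrade completed."""
    rfile = sock.makefile("rb")
    if not rfile.readline().startswith(b"* OK"):
        return "greeting", "no '* OK' greeting"
    sock.sendall(b"A1 CAPABILITY\r\n")
    caps = {w for ln in read_reply(rfile, "A1")
            if ln.startswith("* CAPABILITY ") for w in ln.split()[2:]}
    if "STARTTLS" not in caps:
        return "capability", "no STARTTLS in: " + " ".join(sorted(caps))
    sock.sendall(b"A2 STARTTLS\r\n")
    done = read_reply(rfile, "A2")[-1]
    if not done.startswith("A2 OK"):
        return "starttls", done
    # Chain and hostname check against the private CA named in imapd.conf tls_ca_file.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    except ssl.SSLError as exc:
        return "handshake", str(exc)
    return "tls", f"{tls.version()} with cipher {tls.cipher()[0]}"

def probe_scripted(caps, starttls_reply):
    """Constructed in-process fake server for offline runs (plaintext steps only)."""
    client, server = socket.socketpair()
    def serve():
        with server, server.makefile("rb") as rf:
            server.sendall(b"* OK fake IMAP server ready\r\n")
            while line := rf.readline():
                tag, _, cmd = line.decode().rstrip("\r\n").partition(" ")
                reply = (f"* CAPABILITY {caps}\r\n{tag} OK Completed\r\n"
                         if cmd == "CAPABILITY" else f"{tag} {starttls_reply}\r\n")
                server.sendall(reply.encode())
    threading.Thread(target=serve, daemon=True).start()
    with client:
        return probe_starttls(client, "imap.example.test")
```

Against a real server, connect with socket.create_connection((host, 143)) and pass the socket together with the server's hostname and the CA file; a result of ("capability", ...) or ("starttls", ...) shows the exchange failing before any TLS record is sent, while ("handshake", ...) points at the certificate chain or the TLS layer itself.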