-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

hi mitu,

Cristi Mitrana wrote, On 8/11/06 12:52 PM:
> Are you sure that the file above is a x.509 valid certificate and not
> its private key ?

i'd actually resolved this & posted the info to the dev list -- which i
just realised is a closed archive.  so, i'll just repost to this thread
for posterity ... thanks for the reminder :-)

richard

===============================

hi,

this is an FYI of a problem with CyrusIMAPd + OSX + OpenSSL.  it's real
& reproducible.  it's an openssl problem, but it affects TLS w/ Cyrus.
there's a fix.  someone here should be aware of this.  hth!

i've installed on OSX 10.4.7:

    cyrus-imapd-2.3.7
    OpenSSL 0.9.8b

i'm working on getting TLS installed/operational.

i've config'd imapd.conf

    tls_ca_file:   /var/MailServer/Data/CERTS/main.CA.cert.rsa.pem
    tls_cert_file: /var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem
    tls_key_file:  /var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem

on:

    imtest -v \
      -t "/var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
      -p imap \
      -m digest-md5 \
      -a devuser.admin@xxxxxxxxxxxxxxxxxxx \
      -u devuser.admin@xxxxxxxxxxxxxxxxxxx \
      -r mail.testdomain.com \
      mail.testdomain.com

i was getting repeated failures:

    S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 SASL-IR] mail.testdomain.com Cyrus IMAP4 v2.3.7 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
    S: C01 OK Completed
    C: S01 STARTTLS
    S: S01 OK Begin TLS negotiation now
    starting TLS engine
    unable to get certificate from '/var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem'
    TLS engine: cannot load cert/key data
    Start TLS engine failed
    Asking for capabilities again since they might have changed
    C: C01 CAPABILITY
    S: S01 NO Starttls negotiation failed
    S: * BAD Invalid tag

on check of cert installation:

    openssl s_client -connect mail.testdomain.com:993 -showcerts

i noted:

    16458:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): dlopen(libz.so, 2): image not found
    16458:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
    CONNECTED(00000003)
    ...

after digging, i was able to identify/reproduce re: "dso_lib.c":

    openssl engine gmp
    16515:error:2506406A:DSO support routines:DLFCN_BIND_FUNC:could not bind to the requested symbol name:dso_dlfcn.c:261:symname(bind_engine): dlsym(0x200e40, bind_engine): symbol not found
    16515:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
    16515:error:260B6068:engine routines:DYNAMIC_LOAD:DSO failure:eng_dyn.c:463:
    16515:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:415:id=gmp

it turns out that openssl's gmp engine wants to bind, incorrectly,
against libz.so.

as my openssl is config'd w/:

    # DO NOT USE zlib-dynamic \
    # causes dynamic library loading issues with gmp engine ...
    ./Configure \
      --prefix=/usr/local/ssl \
      --openssldir=/usr/local/ssl \
      darwin-ppc-cc \
      -DUSE_TOD \
      threads \
      shared \
    --> zlib-dynamic \
      enable-idea enable-rc5 enable-mdc2 \
      -L/usr/local/lib \
      -DOPENSSL_USE_GMP -lgmp

and:

    zlib-dynamic
        Like "zlib", but has OpenSSL load the zlib library dynamically
        when needed.  This is only supported on systems where loading of
        shared libraries is supported.  This is the default choice.

and, as dynamic loading of shared libs is certainly supported on OSX, the
openssl build *should* be linking against "libz.dylib":

    ls -al /usr/local/lib/libz*
    -rwxr-xr-x  1 dev  wheel  84808 Mar  7 20:23 /usr/local/lib/libz.1.2.3.dylib
    lrwxrwxrwx  1 dev  wheel     16 Jun 22 18:13 /usr/local/lib/libz.1.dylib -> libz.1.2.3.dylib
    -rw-r--r--  1 dev  wheel  93720 Mar  7 20:23 /usr/local/lib/libz.a
    lrwxrwxrwx  1 dev  wheel     16 Jun 22 18:13 /usr/local/lib/libz.dylib -> libz.1.2.3.dylib

this issue *has* been communicated to the openssl-dev list (still
pending a fix ...)

in the meantime, the "workaround" for Cyrus/TLS is to build openssl w/:

    ./Configure \
      ...
    --- zlib-dynamic \
    +++ zlib \
      ...

instead.

( NOTE: for other unrelated reasons, you may need to simply forego the
"zlib" altogether, and link in -lz with LDFLAGS ...)

once done, retrying, as above:

    imtest -v \
      ...

reports success as:

    S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED] mail.testdomain.com Cyrus IMAP4 v2.3.7 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
    S: C01 OK Completed
    C: S01 STARTTLS
    S: S01 OK Begin TLS negotiation now
    verify error:num=19:self signed certificate in certificate chain
    TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
    S: C01 OK Completed
    C: A01 AUTHENTICATE DIGEST-MD5
    ...

and, as well:

    openssl s_client -connect mail.testdomain.com:993 -showcerts

reports w/o error:

    CONNECTED(00000003)
    ...

Bottom Line:

(1) openssl is broken.  it's been reported.

(2) this is a Mac-only issue.

(3) this gmp-related failure manifests w/ Cyrus+TLS, and nowhere else;
    so far all other apps haven't had any issue with TLS certs built
    with this 'broken' openssl

i honestly don't know why this "only" shows up in Cyrus.  is it a bug in
cyrus as well?  or just in openssl?  either way, there's a workaround ...
but, imho, this is worthy of someone's nominal notice here.

cheers,

richard

===============================

-- 
/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iEYEAREDAAYFAkTc5lAACgkQlffdvTZxCMZ81QCfRfZLGKfR/GXgNB5awFrIgCTR
K4QAniBHV+IUUOP3sP7g/9WCSYdTW7x1
=6HLn
-----END PGP SIGNATURE-----
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
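The two checks the thread circles around, mitu's "is that file a certificate or a private key?" and richard's `openssl s_client` probe, can both be done offline with the openssl CLI before ever touching imapd. The script below is an added example, not code from richard's post or from the Cyrus project: it reads the `tls_ca_file` / `tls_cert_file` / `tls_key_file` entries out of an imapd.conf, confirms each file carries the PEM block type Cyrus expects, and verifies that the certificate and private key actually belong together (the public key in the cert must equal the public half of the key). The imapd.conf and the self-signed pair it uses are constructed on the fly in a temp dir; all paths are hypothetical. It assumes an OpenSSL 1.0.0 or newer CLI in PATH (for `openssl pkey`). It does not address the zlib-dynamic/gmp DSO build problem, which is a build-configuration issue, but it rules out the cert/key mix-up that produces the same "cannot load cert/key data" symptom.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# TLS files an imapd.conf points Cyrus at, using only the openssl CLI.
# Assumes: openssl >= 1.0.0 in PATH. All paths below are hypothetical.

# List the PEM block labels in a file, e.g. "CERTIFICATE", "RSA PRIVATE KEY".
pem_kinds() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if the file holds at least one X.509 certificate block.
has_cert() {
    pem_kinds "$1" | grep -q '^CERTIFICATE$'
}

# Succeed only if the file holds a private key block of any type
# (RSA/EC/PKCS#8, encrypted or not).
has_key() {
    pem_kinds "$1" | grep -q 'PRIVATE KEY$'
}

# Compare the SubjectPublicKeyInfo inside the certificate with the public half
# derived from the private key. A mismatch means Cyrus is being handed a pair
# that can never work, whatever the TLS library's error text says.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Read one "name: value" option from an imapd.conf (first match wins).
imapd_opt() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check the three TLS paths from an imapd.conf: CA and cert files must contain
# a certificate, the key file a private key, and cert/key must match.
# Prints one line per check; returns non-zero if anything failed.
check_imapd_tls() {
    conf=$1; rc=0
    ca=$(imapd_opt "$conf" tls_ca_file)
    cert=$(imapd_opt "$conf" tls_cert_file)
    key=$(imapd_opt "$conf" tls_key_file)
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: '$f'"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    has_cert "$ca"   && echo "ok: CA file has a certificate"   || { echo "FAIL: $ca has no CERTIFICATE block"; rc=1; }
    has_cert "$cert" && echo "ok: cert file has a certificate" || { echo "FAIL: $cert has no CERTIFICATE block"; rc=1; }
    has_key "$key"   && echo "ok: key file has a private key"  || { echo "FAIL: $key has no PRIVATE KEY block"; rc=1; }
    cert_key_match "$cert" "$key" && echo "ok: cert and key match" || { echo "FAIL: $cert does not match $key"; rc=1; }
    return $rc
}

# Live STARTTLS probe on the IMAP port (needs network, so not run here).
# Shows the same handshake imtest performs, plus the chain the server sends.
probe_starttls() {
    openssl s_client -starttls imap -connect "$1:143" -CAfile "$2" -showcerts </dev/null
}

# --- constructed demo material: throwaway self-signed pair in a temp dir ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=mail.testdomain.com \
    -keyout "$DEMO/key.pem" -out "$DEMO/cert.pem" 2>/dev/null
# key + cert in one file, the layout the post's imapd.conf uses for both options
cat "$DEMO/key.pem" "$DEMO/cert.pem" > "$DEMO/combined.pem"
cat > "$DEMO/imapd.conf" <<EOF
tls_ca_file: $DEMO/cert.pem
tls_cert_file: $DEMO/combined.pem
tls_key_file: $DEMO/combined.pem
EOF
# A broken config: tls_key_file pointed at a certificate-only file.
sed "s|^tls_key_file:.*|tls_key_file: $DEMO/cert.pem|" "$DEMO/imapd.conf" > "$DEMO/bad.conf"

check_imapd_tls "$DEMO/imapd.conf"
check_imapd_tls "$DEMO/bad.conf" || echo "bad.conf rejected as expected"
```

Run it as-is to see the good config pass and the bad one fail on the key-file check; point `check_imapd_tls` at a real `/etc/imapd.conf` to test a live install, and call `probe_starttls mail.testdomain.com /path/to/ca.pem` from a networked host to watch the STARTTLS handshake and the served chain without going through imtest.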