Hi!

I always had

    tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

defined in my imapd.conf.

Since I updated to 2.3.11 yesterday, STARTTLS didn't work anymore because negotiation failed and timed out. $CLIENT was waiting for more packets from the server AFAIS in a tcpdump, where $CLIENT is Thunderbird, gnutls-cli, apple-mail.

IMAPS always worked... so I searched for differences in the code and found the "client cert verification" code triggered by askcert == 1 in tls.c:738.

Removing the tls_ca_file definition helped.

I didn't find the exact cause yet since there are no changes in tls_init_serverengine() since 2.3.10.

One thing I noticed was that it worked when connecting via the loopback interface. But connecting via network always failed while negotiating STARTTLS.

Log always showed:

    00:00 imap[8508]: accepted connection
    +02 imap[8508]: SSL_accept() incomplete -> wait    <- here the client waits
    +23 imap[8508]: EOF in SSL_accept() -> fail        <- here client sent FIN

After the FIN from the client, the server sends lots of stuff on the dead connection and closes with "NO ssl negotiation failed".

cyrus-imapd-2.3.11 was built from invoca.ch src.rpm on fc5 and rhel5.1. Both failed.

Regards,
Wolfgang Breyha

--
Wolfgang Breyha <wbreyha@xxxxxxx> | http://www.blafasel.at/
Vienna University Computer Center | Austria