> I always had tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt defined in my imapd.conf.
FWIW: I have a tls_ca_file defined as well.
> Since I updated to 2.3.11 yesterday, STARTTLS didn't work anymore because negotiation failed and timed out. $CLIENT was waiting for more packets from the server AFAIS in a tcpdump, where $CLIENT is Thunderbird, gnutls-cli, apple-mail.
Hm, I don't run 2.3.11 proper, but my locally built version contains the modified tls.c etc. So I would think that it should behave the same way as 2.3.11, but of course I can't be sure. And here STARTTLS works fine.
> IMAPS always worked... so I searched for differences in the code and found the "client cert verification" code triggered by askcert == 1 in tls.c:738
Hm, do you use client certificates? We don't ...
> Log always showed:
> 00:00 imap[8508]: accepted connection
> +02 imap[8508]: SSL_accept() incomplete -> wait    <- here the client waits
> +23 imap[8508]: EOF in SSL_accept() -> fail        <- here client sent FIN
That code is where all the changes were made. It's conceivable that there are cases where the new approach breaks.
-- 
.:.Sebastian Hagedorn - RZKR-R1 (Building 52), Room 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
.:.:.:.Skype: shagedorn.:.:.:.
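The log pattern quoted above (SSL_accept() incomplete, then EOF once the client gives up) is easy to pick out of a server log automatically. The following is an added example, not code from the thread or from Cyrus: it scans log lines in the same shape as the excerpt (relative seconds since "accepted connection", then process and message; the sample lines are constructed) and reports, per imapd process, how long a client waited on a stalled handshake before sending EOF.

```python
import re
from typing import Dict

# Constructed sample in the shape of the excerpt quoted in the thread.
# pid 8508 reproduces the reported failure; pid 8511 is a constructed
# connection whose handshake stalls briefly but never ends in EOF.
SAMPLE_LOG = """\
00:00 imap[8508]: accepted connection
+02 imap[8508]: SSL_accept() incomplete -> wait
+23 imap[8508]: EOF in SSL_accept() -> fail
00:00 imap[8511]: accepted connection
+01 imap[8511]: SSL_accept() incomplete -> wait
+01 imap[8511]: constructed line: handshake finished normally
"""

INCOMPLETE = "SSL_accept() incomplete"
EOF_FAIL = "EOF in SSL_accept()"
LINE_RE = re.compile(r"^(\S+) imap\[(\d+)\]: (.*)$")


def _offset_seconds(stamp: str) -> int:
    # "00:00" marks the accept itself; "+NN" is seconds after it.
    return int(stamp[1:]) if stamp.startswith("+") else 0


def find_stalled_handshakes(log_text: str) -> Dict[str, int]:
    """Return {pid: seconds waited} for every connection whose TLS
    handshake stayed incomplete until the client closed it (EOF)."""
    pending: Dict[str, int] = {}   # pid -> offset of first "incomplete"
    stalled: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        t = _offset_seconds(stamp)
        if msg.startswith("accepted connection"):
            pending.pop(pid, None)      # a reused pid starts a new connection
        elif msg.startswith(INCOMPLETE):
            pending.setdefault(pid, t)  # remember when the stall began
        elif msg.startswith(EOF_FAIL) and pid in pending:
            stalled[pid] = t - pending.pop(pid)
    return stalled


if __name__ == "__main__":
    for pid, waited in find_stalled_handshakes(SAMPLE_LOG).items():
        print(f"imap[{pid}]: client waited {waited}s, then sent EOF")
```

A connection whose stall never ends in EOF is not reported, so the output isolates the hanging-negotiation case described in the thread.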
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html