Re: 2.3.11 STARTTLS broken if tls_ca_file is defined

Hi,

please don't write to me personally but keep this on the list instead.

--On 15. Januar 2008 10:32:16 +0100 jc.duss59@xxxxxxxxxxx wrote:

> Here is my log, when i try to open a connection in TLS.
>
> Jan 15 10:29:54 imaptest master[1024]: about to exec /usr/local/cyrus/bin/imapd
> Jan 15 10:29:54 imaptest imap[1024]: executed
> Jan 15 10:29:54 imaptest imap[1024]: accepted connection
> Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
> Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
> Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
> Jan 15 10:29:55 imaptest imap[1024]: accepted connection
> Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
> Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
>
> Thanks a lot for further information.

OK, I guess that's helpful. The reason for the failure is this line:

wrong version number in SSL_accept() -> fail

Now the question is why that happens. This is the code that logs the line:

       /* one arm of the switch on SSL_get_error() that imapd runs after
          SSL_accept() returned <= 0 */
       case SSL_ERROR_SSL:
           /* oldest queued OpenSSL error; 0 means nothing was queued */
           err = ERR_get_error();
           if (err == 0) {
               syslog(LOG_DEBUG, "protocol error in SSL_accept() -> fail");
           } else {
               /* human-readable reason, e.g. "wrong version number" */
               syslog(LOG_DEBUG, "%s in SSL_accept() -> fail",
                      ERR_reason_error_string(err));
           }
           break;

So the server notes an SSL error, logs it and drops the connection. The cause for the error seems to be something like this:

"Versions in client/server SSL records do not agree.
Probably your client sends SSL2 client_hello handshake
message and server is configured only for SSL3/TLS1.
In this situation server does not accept SSL2
client_hello what is being manifested by "wrong version
number" error.
To resolve this error you may disable SSL2 on client
or enable SSL2 handshake on server.
tcpdump output from wrong session handshake
may be helpful too."

What I don't understand is how it could've worked in earlier versions. Anyway, could this be a client issue? Can you try other clients to see if they handle this differently? Can you disable SSLv2 in your client?
--
    .:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
                  .:.:.:.Skype: shagedorn.:.:.:.
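Added example (not from the mail above and not Cyrus code): two small helpers for the diagnosis Sebastian suggests. The first pulls the "... in SSL_accept() -> fail" reason out of imapd syslog lines like the ones quoted in the thread; the second classifies the first bytes the server received after STARTTLS, as you would see them in a tcpdump of the failing session, as an SSLv2-framed CLIENT-HELLO, an SSLv3/TLS record, or plaintext that never started a handshake. The framing rules follow the published SSLv2 and SSLv3/TLS record layouts; the sample byte strings are constructed here, the sample log lines are the ones from the mail, and the function names are my own.

```python
import re
import struct

# Names for the two version bytes carried by SSLv2 hellos and SSLv3/TLS records.
VERSION_NAMES = {
    (0x00, 0x02): "SSLv2",
    (0x03, 0x00): "SSLv3",
    (0x03, 0x01): "TLSv1.0",
    (0x03, 0x02): "TLSv1.1",
    (0x03, 0x03): "TLSv1.2",
}

# Matches the debug line imapd emits when SSL_accept() fails (see the code quoted above).
SSL_ACCEPT_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imap\[(?P<pid>\d+)\]: "
    r"(?P<reason>.+?) in SSL_accept\(\) -> fail$"
)


def extract_ssl_accept_failures(lines):
    """Return (timestamp, pid, reason) for every SSL_accept() failure in the log."""
    found = []
    for line in lines:
        m = SSL_ACCEPT_FAIL_RE.match(line)
        if m:
            found.append((m.group("ts"), int(m.group("pid")), m.group("reason")))
    return found


def classify_client_hello(data):
    """Classify the first bytes a server sees after it has answered STARTTLS.

    Returns a dict whose 'kind' is 'tls', 'sslv2', 'plaintext' or 'unknown',
    plus the version the client announced where one can be read.
    """
    if len(data) < 5:
        return {"kind": "unknown", "reason": "fewer than 5 bytes"}

    # SSLv3/TLS record layer: content type 0x16 (handshake), major version 0x03,
    # minor version, then a 16-bit big-endian fragment length.
    if data[0] == 0x16 and data[1] == 0x03:
        (record_len,) = struct.unpack("!H", data[3:5])
        result = {
            "kind": "tls",
            "record_version": VERSION_NAMES.get((data[1], data[2]), "unknown"),
            "record_length": record_len,
        }
        # Handshake header: msg type 0x01 = ClientHello, 24-bit length,
        # then the client_version field at offset 9.
        if len(data) >= 11 and data[5] == 0x01:
            result["client_version"] = VERSION_NAMES.get((data[9], data[10]), "unknown")
        return result

    # SSLv2 framing: high bit of byte 0 set means a 2-byte header whose low 15
    # bits are the length; byte 2 is the message type (0x01 = CLIENT-HELLO)
    # and bytes 3-4 the version the client asks for (0x0002 for pure SSLv2).
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return {
            "kind": "sslv2",
            "record_length": length,
            "client_version": VERSION_NAMES.get((data[3], data[4]), "unknown"),
        }

    # All printable ASCII: the peer never started a handshake at all.
    if all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data):
        return {"kind": "plaintext", "sample": data[:32].decode("ascii")}

    return {"kind": "unknown", "reason": "unrecognised leading bytes"}


# Constructed sample: a pure SSLv2 CLIENT-HELLO, 28-byte body after the 2-byte header.
SAMPLE_SSLV2_HELLO = (
    bytes([0x80, 0x1C, 0x01, 0x00, 0x02])          # header, CLIENT-HELLO, version 0x0002
    + bytes([0x00, 0x03, 0x00, 0x00, 0x00, 0x10])  # cipher-spec, session-id, challenge lengths
    + bytes([0x01, 0x00, 0x80])                    # one SSLv2 cipher spec
    + bytes(range(16))                             # 16-byte challenge
)

# Constructed sample: a minimal TLS 1.0 ClientHello inside a TLS record.
SAMPLE_TLS10_HELLO = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x2D])          # record header, 45-byte fragment
    + bytes([0x01, 0x00, 0x00, 0x29, 0x03, 0x01])  # ClientHello, 41-byte body, version 3.1
    + bytes(range(32))                             # client random
    + bytes([0x00])                                # empty session id
    + bytes([0x00, 0x02, 0x00, 0x2F])              # one cipher suite
    + bytes([0x01, 0x00])                          # null compression only
)

# Constructed sample: the peer kept talking plaintext IMAP.
SAMPLE_PLAINTEXT = b"a001 CAPABILITY\r\n"

# Log lines as quoted in the mail (Cyrus imapd via syslog).
SAMPLE_LOG = [
    "Jan 15 10:29:54 imaptest imap[1024]: accepted connection",
    "Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters",
    "Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail",
    "Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]",
    "Jan 15 10:29:55 imaptest imap[1024]: accepted connection",
    "Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail",
    "Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]",
]

if __name__ == "__main__":
    for ts, pid, reason in extract_ssl_accept_failures(SAMPLE_LOG):
        print(ts, pid, reason)
    for name, sample in (("sslv2", SAMPLE_SSLV2_HELLO), ("tls", SAMPLE_TLS10_HELLO),
                         ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, classify_client_hello(sample))
```

Feed classify_client_hello() the payload of the first client packet after the server's "OK Begin TLS negotiation now" and compare the announced version with what the server is built to accept; that tells you whether the mismatch is on the client side before you touch imapd.conf.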

