Re: 2.3.11 STARTTLS broken if tls_ca_file is defined

Sebastian Hagedorn wrote:
Hi,

please don't write to me personally but keep this on the list instead.

--On 15 January 2008 10:32:16 +0100 jc.duss59@xxxxxxxxxxx wrote:

Here is my log when I try to open a connection in TLS.

Jan 15 10:29:54 imaptest master[1024]: about to exec /usr/local/cyrus/bin/imapd
Jan 15 10:29:54 imaptest imap[1024]: executed
Jan 15 10:29:54 imaptest imap[1024]: accepted connection
Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
Jan 15 10:29:55 imaptest imap[1024]: accepted connection
Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]

Thanks a lot for further information.

OK, I guess that's helpful. The reason for the failure is this line:

wrong version number in SSL_accept() -> fail

Now the question is why that happens. This is the code that logs the line:

       case SSL_ERROR_SSL:
           err = ERR_get_error();
           if (err == 0) {
               syslog(LOG_DEBUG, "protocol error in SSL_accept() -> fail");
           } else {
               syslog(LOG_DEBUG, "%s in SSL_accept() -> fail",
                      ERR_reason_error_string(err));
           }
           break;

So the server notes an SSL error, logs it and drops the connection. The cause for the error seems to be something like this:

"Versions in client/server SSL records do not agree.
Probably your client sends SSL2 client_hello handshake
message and server is configured only for SSL3/TLS1.
In this situation server does not accept SSL2
client_hello what is being manifested by "wrong version
number" error.
To resolve this error you may disable SSL2 on client
or enable SSL2 handshake on server.
tcpdump output from wrong session handshake
may be helpful too."

What I don't understand is how it could've worked in earlier versions. Anyway, could this be a client issue? Can you try other clients to see if they handle this differently? Can you disable SSLv2 in your client?


I had the same problem this morning after running 2.3.11 for over nine days. In my case restarting Thunderbird fixed my problem for now.



Jan 15 13:28:42 student imap[9814]: wrong version number in SSL_accept() -> fail
Jan 15 13:28:42 student imap[9814]: STARTTLS negotiation failed: TradeMart-2.EDnet.NS.CA [142.227.51.61]
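Both log excerpts in this thread show the same two-line pattern from one imapd process: the OpenSSL reason ("wrong version number in SSL_accept() -> fail", produced by the SSL_ERROR_SSL branch quoted above) followed by "STARTTLS negotiation failed" carrying the client address. As an added example, not code from the thread or from Cyrus, the following Python script correlates those two lines by (host, pid) so an administrator can see which clients fail and with which reason, and flags clients that fail repeatedly. The sample log is constructed from the lines quoted in the thread plus one made-up successful session; the function names summarize_starttls_failures and flag_repeat_clients are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: the imapd lines quoted in this thread, plus one
# made-up successful session (pid 9815) so the parser has a non-failure to skip.
SAMPLE_LOG = """\
Jan 15 10:29:54 imaptest imap[1024]: accepted connection
Jan 15 10:29:54 imaptest imap[1024]: imapd:Loading hard-coded DH parameters
Jan 15 10:29:54 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:54 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
Jan 15 10:29:55 imaptest imap[1024]: accepted connection
Jan 15 10:29:55 imaptest imap[1024]: wrong version number in SSL_accept() -> fail
Jan 15 10:29:55 imaptest imap[1024]: STARTTLS negotiation failed: [10.1.45.1]
Jan 15 13:28:42 student imap[9814]: wrong version number in SSL_accept() -> fail
Jan 15 13:28:42 student imap[9814]: STARTTLS negotiation failed: TradeMart-2.EDnet.NS.CA [142.227.51.61]
Jan 15 13:30:01 student imap[9815]: accepted connection
Jan 15 13:30:01 student imap[9815]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
"""

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The OpenSSL reason string logged by the SSL_ERROR_SSL branch quoted in the thread.
SSL_FAIL_RE = re.compile(r"^(?P<reason>.+) in SSL_accept\(\) -> fail$")
# Cyrus then logs the client as "[ip]" or "hostname [ip]".
STARTTLS_FAIL_RE = re.compile(
    r"^STARTTLS negotiation failed: (?:(?P<name>\S+) )?\[(?P<ip>[^\]]+)\]$"
)


def summarize_starttls_failures(log_text):
    """Correlate each SSL_accept reason with the STARTTLS failure that follows.

    Both lines come from the same imapd process, so (host, pid) is the join key.
    Returns a dict with the ordered failure events and a Counter keyed by
    (client_ip, reason).
    """
    pending = {}          # (host, pid) -> last SSL_accept reason seen
    events = []
    by_client = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape; skip it
        key = (m["host"], m["pid"])
        msg = m["msg"]
        if msg == "accepted connection":
            pending.pop(key, None)  # new session on this pid: drop any stale reason
            continue
        f = SSL_FAIL_RE.match(msg)
        if f:
            pending[key] = f["reason"]
            continue
        s = STARTTLS_FAIL_RE.match(msg)
        if s:
            reason = pending.pop(key, "unknown")
            events.append({
                "time": m["ts"], "server": m["host"], "pid": int(m["pid"]),
                "client_ip": s["ip"], "client_name": s["name"], "reason": reason,
            })
            by_client[(s["ip"], reason)] += 1
    return {"events": events, "by_client": by_client}


def flag_repeat_clients(by_client, min_count=2):
    """Return client IPs whose STARTTLS failures (any reason) reach min_count."""
    per_ip = Counter()
    for (ip, _reason), n in by_client.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= min_count)


if __name__ == "__main__":
    summary = summarize_starttls_failures(SAMPLE_LOG)
    for (ip, reason), n in sorted(summary["by_client"].items()):
        print(f"{ip:16} {reason!r:28} {n}")
    print("repeat clients:", flag_repeat_clients(summary["by_client"]))
```

Feeding the real mail log through summarize_starttls_failures separates a single client with a broken TLS stack (one IP, many "wrong version number" events, as in the thread) from a server-side misconfiguration (many IPs failing at once right after an upgrade or a tls_ca_file change), which is the distinction the thread is trying to make.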




----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

--
Patrick Boutilier
WAN Communications Specialist
Nova Scotia Department of Education
2021 Brunswick Street, Halifax, NS B3K 2Y5, Canada
email: boutilpj@xxxxxxxxxxx
tel: 902-424-6800   fax: 902-424-0874
