On Wed, 19 Mar 2008, Jorey Bump wrote:

> Wesley Craig wrote, at 03/18/2008 08:48 PM:
>> On 18 Mar 2008, at 17:55, Jorey Bump wrote:
>>> http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028210.html
>>
>> Do you use client certificates? Because the message you're quoting is
>> about someone who does:
>>
>> http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028124.html
>
> I guess the title of that thread pointed at the problem: "2.3.11
> STARTTLS broken if tls_ca_file is defined". But I'm almost sure I tried
> undefining tls_ca_file as soon as I saw that. Anyway, removing
> tls_ca_file from imapd.conf has solved my problem.
>
> Thanks for the help.

Just for reference, I'm using the following TLS settings with 2.3.11 just fine:

tls_ca_file: /etc/ssl/certs/thawte-premium.pem
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key

I only bothered adding tls_ca_file because I kept getting worthless log
messages on every new connection:

TLS server engine: No CA file specified. Client side certs may not work

We are not using SSL client certificates, so tls_ca_file is irrelevant in
our situation.

Maybe the format of your CA bundle file is not what openssl expects? Do
you get valid output when you run:

openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text

Andy

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
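The check suggested above has one blind spot: `openssl x509 -in bundle -text` only decodes the first certificate in a PEM bundle, so a damaged second or third block is never seen. The following POSIX sh script is an added example, not code from the thread or from Cyrus; it splits the bundle and parses every block, and the bundle path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check a PEM CA bundle before pointing
# tls_ca_file at it. "openssl x509 -in bundle -text" only decodes the
# FIRST block in the file, so this splits the bundle and checks each one.
# The bundle path used below is an assumption; adjust to your own file.

# Count certificate blocks; fails if none are found (DER file or wrong
# path) or if BEGIN/END markers do not balance (truncated bundle).
pem_bundle_count() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ]; then
        echo "$file: no PEM certificate blocks (DER or wrong file?)" >&2
        return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "$file: $begins BEGIN vs $ends END markers, truncated?" >&2
        return 1
    fi
    echo "$begins"
}

# Split the bundle into one file per block and let openssl parse each;
# prints subject and expiry for good blocks, flags the ones that fail.
pem_bundle_verify() {
    file=$1
    pem_bundle_count "$file" >/dev/null || return 1
    dir=$(mktemp -d) || return 2
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/   { close(out) }' "$file"
    bad=0
    for c in "$dir"/cert*.pem; do
        if ! openssl x509 -in "$c" -noout -subject -enddate; then
            echo "$c: openssl cannot parse this block" >&2
            bad=$((bad + 1))
        fi
    done
    rm -rf "$dir"
    [ "$bad" -eq 0 ]
}

# Usage (path is an assumption):
#   pem_bundle_verify /etc/ssl/certs/your-ca-bundle.pem
```

A bundle that passes `pem_bundle_count` but fails `pem_bundle_verify` has a block that is structurally present but not valid base64/DER, which is exactly the kind of file that makes the TLS engine reject the whole bundle.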