Wesley Craig wrote, at 03/20/2008 01:57 PM:
> On 20 Mar 2008, at 13:07, Jorey Bump wrote:
>> On a lark, I pointed tls_ca_file to an old root certificate I once
>> needed for a chained root. It contains only a single certificate, and
>> STARTTLS connections on port 143 work when it is defined.
>
> This suggests a specific problem with the cert bundle you're using.

I think you're right. I just tried all of the other bundles that came with the system and met with mixed results. The only one that worked that contained multiple certificates was provided with curl 7.16.2. It's definitely in a different format:

Cert Title
==========
MD5 Fingerprint: [fingerprint]
PEM Data:
-----BEGIN CERTIFICATE-----
[certificate in PEM format]
-----END CERTIFICATE-----
Certificate Ingredients:
[verbose data]

...more certs...

The ones that fail are simply bundles of the PEM data only:

-----BEGIN CERTIFICATE-----
[certificate in PEM format]
-----END CERTIFICATE-----
...more...

Cyrus 2.3.11 (and possibly other versions after 2.3.7) no longer seems to like these.

>> Why is the CA file checked if no
>> client cert is presented (unless it's needed for SASL-IR)? I'll have to
>> search the changelog or code when I have the time.
>
> The way the code is currently written, if you're using imaps, the server
> will be implicitly prepared to accept a client cert. Of course, if no
> CAfile is defined, you'll get that spurious error! There seems to be an
> assumption that CAfile implies something different than CApath -- it
> doesn't. I think the code should be changed to not tell the client that
> a cert will be accepted if neither CAfile nor CApath is defined.

Does it? They're empty by default, which fixed my problem, so isn't that already the case?

> Does your Thunderbird have access to any client certificates? Since the
> server will advertise that it accepts them, even tho it probably can't
> use them, I wonder if this isn't the cause of your version mismatch
> error message.

Well, it's working with the curl bundle, so your earlier suspicion about the incompatible bundle bears out. I encountered the problem with both Thunderbird and imtest. Since imtest easily supports testing with client certificates, I'll try it out when I get a chance. It will be interesting to add some different local roots and test with multiple certificates. In the meantime, I'll just use the curl CA bundle as a matter of routine.

Thanks for the help!

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
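A sanity check for the two bundle layouts discussed in the thread, added here as example code (not from the thread, Cyrus or curl): it pulls the PEM blocks out of either a plain concatenated bundle or a curl-style annotated one and flags blocks that do not decode or whose DER header disagrees with the block size. The certificate bodies below are constructed stubs, not real CA certificates, and passing this check says nothing about whether Cyrus will accept the file.

```python
import base64
import re

# One PEM block; whatever sits between blocks (curl-style "Cert Title",
# "MD5 Fingerprint", "Certificate Ingredients" text, or nothing) is skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_declared_length(der):
    """Total length a DER SEQUENCE header claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:      # a Certificate is a SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                         # short-form length
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text):
    """Return (certs, problems): DER blobs whose PEM decoded and whose DER
    header matches the blob size, plus one message per block that failed."""
    certs, problems = [], []
    for i, m in enumerate(PEM_BLOCK.finditer(text), start=1):
        body = "".join(m.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as e:              # binascii.Error is a ValueError
            problems.append(f"block {i}: bad base64 ({e})")
            continue
        if der_declared_length(der) != len(der):
            problems.append(f"block {i}: DER length does not match block")
            continue
        certs.append(der)
    return certs, problems

# Constructed stand-in body: DER bytes 30 03 02 01 01 (a SEQUENCE holding
# one INTEGER), not a real certificate; enough to exercise the checks.
STUB_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
PLAIN_BUNDLE = STUB_PEM * 2                  # bare concatenated PEM bundle
CURL_STYLE_BUNDLE = (                        # curl-style annotated bundle
    "Example Root CA\n===============\nMD5 Fingerprint: [fingerprint]\n"
    "PEM Data:\n" + STUB_PEM + "Certificate Ingredients:\n[verbose data]\n\n"
    "Second Root CA\n==============\nPEM Data:\n" + STUB_PEM)
BROKEN_BUNDLE = STUB_PEM + (                 # one corrupt, one truncated block
    "-----BEGIN CERTIFICATE-----\nMAMC!QE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n")
```

Run `check_bundle(open(path).read())` on a real bundle; both layouts yield the same DER list, so a difference in Cyrus behaviour between them is down to the annotation text, not the certificates.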