brian wrote:

> cyrus-imapd-2.3.9-7.fc7
> openssl-0.9.8b-15.fc7
>
> I'm trying (and failing) to set up TLS and hope someone might be able to
> shed some light on my problem. Authentication failed so I checked
> maillog and found:
>
> imap[30288]: TLS server engine: cannot load CA data
> imap[30288]: unable to get certificate from '/etc/pki/tls/certs/imapcert.pem'
> imap[30288]: TLS server engine: cannot load cert/key data
> imap[30288]: error initializing TLS
>
> # ls -l /etc/pki/tls/certs/
> total 456
> -rw-r--r-- 1 root root   2240 Oct 12 10:55 Makefile
> -rw-r--r-- 1 root root 441017 Jun 21  2006 ca-bundle.crt
> -rw-r--r-- 1 root root   3250 Apr 10 23:46 imapcert.pem
> -rw-r--r-- 1 root root    887 Apr 10 23:40 imapkey.pem
> -rw-r--r-- 1 root root    712 Apr 10 23:40 imapreq.pem
> -rwxr-xr-x 1 root root    610 Oct 12 10:55 make-dummy-cert
>
> The file imapcert.pem is the self-signed cert created while following
> Patrick Koetter's SMTP AUTH tutorial[1]. As it's easily readable (the
> cert, though Patrick's tut has been terrifically helpful), I'm wondering
> if I've made some blunder in creating it.
>
> # openssl s_server \
>     -cert /etc/pki/tls/certs/imapcert.pem \
>     -key /etc/pki/tls/certs/imapkey.pem
> Using default temp DH parameters
> ACCEPT
>
> After this, issuing 'Q' does not quit for some reason. But it appears to
> me that the cert is good, though I can't claim to be a wizard with the
> openssl tools (else I wouldn't be requesting help ;-)
>
> Any ideas of what else I should be looking for?
>
> Also, further on in maillog, I see:
> imap[30288]: DBERROR db4: Database handles still open at environment close
> imap[30288]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
> imap[30288]: DBERROR: error exiting application: Invalid argument
>
> Is this something I should be concerned about? I have log_level = 3, FWIW.
>
> [1] http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

I've just noticed that I neglected to add the client part of the test. I
repeated it and paste it here:

# openssl s_server -cert /etc/pki/tls/certs/imapcert.pem -key /etc/pki/tls/certs/imapkey.pem

[from 2nd terminal]

# sudo netstat -ntpl | grep :4433
tcp        0      0 :::4433      :::*      LISTEN      7737/openssl

# openssl s_client -connect localhost:4433 -CApath /etc/pki/CA -CAfile /etc/pki/CA/cacert.pem

[abbreviated output follows]

CONNECTED(00000003)
depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
verify return:1
depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
issuer=/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 267 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1207936431
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
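The checks on the certificate material itself, gathered into one shell script as an added example (this is not code from the thread, from Cyrus, or from Patrick Koetter's tutorial): it confirms that the certificate and private key belong together, that the certificate chains to the CA file that s_client is given above, that the key file is not world readable (the ls listing above shows imapkey.pem as -rw-r--r--), and it runs the same loopback s_server/s_client handshake from one terminal instead of two. The file paths are command-line arguments; the port 44331 and the -www option passed to s_server are choices made for this script, and it needs the openssl command-line tool. These checks only cover the files as root sees them; whether the imapd process, which Cyrus runs as its own unprivileged user rather than root, is allowed to open them is a separate question that they do not answer.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cyrus: the checks a
# practitioner runs on a cert/key/CA trio before handing it to an IMAP
# server, plus the loopback s_server/s_client handshake the thread does
# by hand in two terminals. Needs the openssl command line tool.
# Paths come from the command line; port 44331 and -www are choices made here.

# 0 if the public key inside CERT belongs to the private key in KEY.
# Compares the PEM SubjectPublicKeyInfo from both sides, so it works for
# RSA and EC keys alike; an unreadable or unparsable file gives no match.
certkey_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT chains to a trust anchor in CAFILE; this is the check behind
# "Verify return code: 0 (ok)" when s_client is given -CAfile.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if KEY is not readable by "other". The listing in the thread shows
# imapkey.pem as -rw-r--r--, which fails this check.
key_not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case $mode in
        *[0-3]) return 0 ;;   # last octal digit lacks the r (4) bit
    esac
    return 1
}

# The thread's two-terminal test in one function: s_server in the
# background (-www, so it serves a status page and never reads stdin),
# s_client against it with the CA file, then look for a clean verify.
# Retries a few times because the server needs a moment to start listening.
handshake_ok() {
    cert=$1; key=$2; ca=$3; port=${4:-44331}
    openssl s_server -accept "$port" -cert "$cert" -key "$key" -www >/dev/null 2>&1 &
    srv=$!
    out=""
    for try in 1 2 3 4 5; do
        out=$(printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" \
                                  -CAfile "$ca" 2>/dev/null) || true
        case $out in *"Verify return code"*) break ;; esac
        sleep 1
    done
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh tlscheck.sh CERT KEY CAFILE [PORT]
if [ $# -ge 3 ]; then
    certkey_match "$1" "$2"          && echo "cert/key pair:      match" || echo "cert/key pair:      MISMATCH"
    chain_ok "$1" "$3"               && echo "chain to CA:        ok"    || echo "chain to CA:        FAILED"
    key_not_world_readable "$2"      && echo "key permissions:    ok"    || echo "key permissions:    world-readable"
    handshake_ok "$1" "$2" "$3" "$4" && echo "loopback handshake: ok"    || echo "loopback handshake: FAILED"
fi
```

Run as `sh tlscheck.sh /etc/pki/tls/certs/imapcert.pem /etc/pki/tls/certs/imapkey.pem /etc/pki/CA/cacert.pem`. The -www option makes s_server answer with a status page instead of reading its terminal, which is what lets it sit in the background. A key that passes the first two checks but is readable by everyone on the box is still worth fixing regardless of the Cyrus error: anyone with a shell on that host can copy it and impersonate the IMAP server.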