A new cert did not solve the problem:

Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong version number in SSL_accept() -> fail
Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

Jeff Blaine wrote:
> Sebastian Hagedorn wrote:
>> --On 16. Januar 2009 07:48:18 -0500 Jeff Blaine <jblaine@xxxxxxxxxxxx>
>> wrote:
>>
>>> More info after increasing local6.info to local6.debug for
>>> syslog:
>>>
>>> accepted connection
>>> imapd:Loading hard-coded DH parameters
>>> SSL_accept() incomplete -> wait
>>> decryption failed or bad record mac in SSL_accept() -> fail
>>> STARTTLS negotiation failed: bva-172.our.com
>>>
>>> Our TLS all worked fine before the upgrade :(
>>
>> I'm pretty sure the tls_cache is a red herring. The SSL/TLS code
>> changed a lot between 2.2 and 2.3. My guess would be that there lies
>> the actual problem.
>>
>> I wonder where the line "Loading hard-coded DH parameters" comes from.
>> I haven't seen that before. Anyway, I guess you need an SSL expert to
>> make sense of that. How old is your certificate? Maybe the new code
>> doesn't like it? Did you build the binary yourself or where did you
>> get it?
>
> The certificate is 1 year 10 months old.
>
> Everything was built by hand (as it was with our 2.2.12
> install as well).
>
> I'll try redoing the cert.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html