Re: Expire (manually) TLS sessions?

Hi Jeff,

--On 21. Januar 2009 11:19:31 -0500 Jeff Blaine <jblaine@xxxxxxxxxxxx> wrote:

> Sorry for the delay -- I had my wedding and a brief
> mini-honeymoon to attend to ;)

congrats!

How about Thunderbird using a password for authentication? Is that an
option at all?

> I realize this is a little "all over the road" here,
> but bear with me as I am just trying to get something
> working at this point for our users who are now
> without secure IMAP :(
>
> With "TLS" selected in Thunderbird, I am given no
> choice but to select a client certificate.  See
> attached images.

I wonder why that is. The only reason that comes to mind is that you *have* a certificate. I don't and so I'm never asked to use it. So why don't you try removing your certificate? Honestly, I would expect the same to happen that happens when you use SSL, but you never know.

> Another user reports that GNU Emacs with the Gnus
> client works with SSL and port 993.  I've confirmed
> this in the log:
>
> Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login:
> jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in
>
> If I configure Thunderbird to do that (SSL via 993),
> I get the following:
>
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS
> server engine: cannot load CA data
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice]
> imapd:Loading hard-coded DH parameters
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS
> negotiation failed: myclient.our.com
> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal
> error: tls_start_servertls() failed

I have no idea why that happens. I just tried it myself and got the following in our log:

Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete -> wait
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded -> done
Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in

Could it be that your OpenSSL version or your certificate somehow don't support features that Thunderbird requires? I'm really no expert, but I know that client and server *negotiate* about these things. And the error reads "negotiation failed" ...

If your server is accessible over the Internet, perhaps I could try connecting to it with "openssl s_client". That might tell us something. You can try that as well, of course.
--
    .:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
                  .:.:.:.Skype: shagedorn.:.:.:.


----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
