Also:

bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t /var/imap/server.pem imapsrv"
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
SSL_connect error 0
SSL session removed
failure: TLS negotiation failed!
bash-2.05#

Jeff Blaine wrote:
> I raised syslog info to local6.debug and the TLS session with
> Thunderbird and NO certs shows this:
>
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 192010 local6.debug] decryption failed or bad record mac in SSL_accept() -> fail
> Jan 21 12:59:10 imapsrv imap[1518]: [ID 239158 local6.notice] STARTTLS negotiation failed: myclient.our.com [xx.xx.6.52]
>
> Sebastian Hagedorn wrote:
>> Hi Jeff,
>>
>> --On 21 January 2009 11:19:31 -0500 Jeff Blaine <jblaine@xxxxxxxxxxxx> wrote:
>>
>>> Sorry for the delay -- I had my wedding and a brief
>>> mini-honeymoon to attend to ;)
>>
>> congrats!
>>
>>>> How about Thunderbird using a password for authentication? Is that an
>>>> option at all?
>>>
>>> I realize this is a little "all over the road" here,
>>> but bear with me as I am just trying to get something
>>> working at this point for our users who are now
>>> without secure IMAP :(
>>>
>>> With "TLS" selected in Thunderbird, I am given no
>>> choice but to select a client certificate. See
>>> attached images.
>>
>> I wonder why that is. The only reason that comes to mind is that you
>> *have* a certificate. I don't and so I'm never asked to use it. So why
>> don't you try removing your certificate? Honestly, I would expect the
>> same to happen that happens when you use SSL, but you never know.
>>
>>> Another user reports that GNU Emacs with the Gnus
>>> client works with SSL and port 993. I've confirmed
>>> this in the log:
>>>
>>> Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login: jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in
>>>
>>> If I configure Thunderbird to do that (SSL via 993),
>>> I get the following:
>>>
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS negotiation failed: myclient.our.com
>>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal error: tls_start_servertls() failed
>>
>> I have no idea why that happens. I just tried it myself and got the
>> following in our log:
>>
>> Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
>> Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete -> wait
>> Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded -> done
>> Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
>> Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in
>>
>> Could it be that your OpenSSL version or your certificate somehow don't
>> support features that Thunderbird requires? I'm really no expert, but I
>> know that client and server *negotiate* about these things. And the
>> error reads "negotiation failed" ...
>>
>> If your server is accessible over the Internet, perhaps I could try
>> connecting to it with "openssl s_client". That might tell us something.
>> You can try that as well, of course.
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html