STARTTLS TLS handshake fails after ServerKeyExchange

We have a problem: when connecting to backend servers (with
cyradm/openssl s_client/whatever) the server just hangs in the TLS
handshake after ServerKeyExchange.  The reason for this is unknown to
us.

By reading RFC 5246, it seems to me that the client waits for
CertificateRequest or ServerHelloDone which is never received.
The client is stuck in the read system call and imapd is select()ing
something. Nothing happens.

It is strange that this happens in a test environment almost every
time and in a production environment in about 1/3 of the connection
attempts BUT never when connecting to a service running on a local
node, only when connecting to a remote node. A network-related issue?

Cyradm also fails when I connect to a frontend and issue a command
that requires cyradm to connect to a remote backend. Otherwise
frontends work fine (without tls_ca_file defined).

After reading the tls.c and imapd.c code we came to a conclusion: when
STARTTLS is used, the server wants to ask for a client certificate
regardless of whether client certificates are in use or not.
Since we are not using them, we worked around this by adding a new
config option tls_ask_cert: 0 and using it as the attached patch
shows.

Certainly I don't want to apply this patch in the production
environment before I fully understand what's really going on and
whether it is at all the right way to fix this problem.

Any hints, ideas, anything?

Running Cyrus 2.3.15 (rpm 2.3.15-4 by Simon Matter) on a CentOS 5.4
cluster (openssl 0.9.8e-12.el5).


-Jukka Huhta

diff -uNr cyrus-imapd-2.3.15.orig/imap/imapd.c cyrus-imapd-2.3.15/imap/imapd.c
--- cyrus-imapd-2.3.15.orig/imap/imapd.c	2009-09-09 16:28:18.000000000 +0300
+++ cyrus-imapd-2.3.15/imap/imapd.c	2009-11-11 11:42:49.000000000 +0200
@@ -6856,7 +6856,7 @@
 
     result=tls_init_serverengine("imap",
 				 5,        /* depth to verify */
-				 !imaps,   /* can client auth? */
+				 config_getswitch(IMAPOPT_TLS_ASK_CERT),   /* can client auth? */
 				 !imaps);  /* TLS only? */
 
     if (result == -1) {
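Review bot: the replacement drops the `!imaps` term from the "can client auth?" argument, so with the option's default of 1 the imaps (TLS-on-connect) listener now asks for a client certificate where the original `!imaps` did not; to leave imaps unchanged and make only the STARTTLS case configurable, pass `!imaps && config_getswitch(IMAPOPT_TLS_ASK_CERT)` here instead.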
diff -uNr cyrus-imapd-2.3.15.orig/lib/imapoptions cyrus-imapd-2.3.15/lib/imapoptions
--- cyrus-imapd-2.3.15.orig/lib/imapoptions	2009-09-09 16:28:18.000000000 +0300
+++ cyrus-imapd-2.3.15/lib/imapoptions	2009-11-11 11:41:07.000000000 +0200
@@ -1189,6 +1189,9 @@
 /* The length of the IMAP server's inactivity autologout timer,       
    in minutes.  The minimum value is 30, the default. */
 
+{ "tls_ask_cert", 1, SWITCH }
+/* Ask for a client certificate for ALL services (imap, pop3, lmtp, sieve). */
+
 { "tls_ca_file", NULL, STRING }
 /* File containing one or more Certificate Authority (CA) certificates. */
 
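Review bot: the comment on `tls_ask_cert` promises it applies to ALL services (imap, pop3, lmtp, sieve), but the patch only touches imapd.c, so the documentation overstates what the switch does; either extend the change to the other services or narrow the comment to imapd. The comment should also say what turning the switch off means in practice (the server stops sending a CertificateRequest, so client-certificate verification is no longer possible on that service) so administrators understand the security effect of setting `tls_ask_cert: 0`.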
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
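To see exactly where a server's STARTTLS flight stops, it helps to decode the handshake messages from a packet capture rather than relying on s_client's output alone. The following is an added example (not Cyrus or OpenSSL code): it parses TLS 1.2 handshake records from constructed sample bytes and reports whether the server's flight ended with ServerHelloDone and whether a CertificateRequest was part of it.

```python
"""Parse captured TLS 1.2 handshake records from the server's flight and report
which messages arrived, to tell a stalled flight (no ServerHelloDone) from a
complete one.  Added example, not Cyrus code; sample bytes are constructed."""
import struct

HANDSHAKE = 0x16  # TLS record content type for handshake messages
HS_TYPES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}

def records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            break  # truncated record at the end of the capture
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def handshake_messages(data):
    """Return the handshake message names in arrival order.  Messages may
    span record boundaries, so handshake payloads are joined first."""
    stream = b"".join(p for t, p in records(data) if t == HANDSHAKE)
    names, off = [], 0
    while off + 4 <= len(stream):
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        if off + 4 + length > len(stream):
            break  # partial handshake message: nothing more to read yet
        names.append(HS_TYPES.get(msg_type, "type%d" % msg_type))
        off += 4 + length
    return names

def diagnose(data):
    """Say whether the server's flight finished (ServerHelloDone) or stalled."""
    seen = handshake_messages(data)
    if "ServerHelloDone" in seen:
        asked = " (client cert requested)" if "CertificateRequest" in seen else ""
        return "complete flight" + asked
    return "stalled after " + (seen[-1] if seen else "nothing")

def record(*msgs):
    """Frame (type, body) handshake messages into one TLS 1.2 record."""
    payload = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

# Constructed server flights; bodies are dummies, only the framing matters.
STALLED = record((2, b"\x03\x03" + bytes(33)), (11, bytes(3))) + record((12, bytes(8)))
COMPLETE = STALLED + record((13, b"\x01\x01\x00\x00"), (14, b""))
```

Feeding the decoder the server-to-client bytes of a hung connection shows whether the flight really ended at ServerKeyExchange or whether a CertificateRequest/ServerHelloDone was sent and lost on the way.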
