On Sat, 21 Nov 2009, Rich Wales wrote:

> Recently, I installed new "StartSSL Free" SSL certificates from StartCom
> on these servers. After doing so, I could no longer connect securely to
> Cyrus in any mode (imaps, imap + starttls, pop3s, pop3 + starttls) -- the
> client sat for a long time before timing out, and the syslog messages
> on the server spoke vaguely about "STARTTLS negotiation failed", "Fatal
> error: tls_start_servertls() failed", etc.

I don't know but the symptoms sound familiar (see my previous mail with
the subject line "STARTTLS TLS handshake fails after ServerKeyExchange").

We tried to debug the problem by adding some logging to both Cyrus' and
OpenSSL's code. The problem may somehow be related to the CA file reading.
(My understanding of OpenSSL is too limited but after all it all came down
to a return value of -1 from BIO_write library call or something...)

Anyway, removing extra CA's from ca-bundle.crt seems to fix it for us too.

-Jukka Huhta

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html