Hello all, I'm encountering some peculiar behaviour with my present configuration. Sometimes I'll get "TLS server engine: cannot load CA data," a certificate warning on the client (Certificate validation failed for unknown reasons?). Other times it will succeed, non problemo. No warning on the client, nothing. The server is set up to force encryption... if the client isn't capable, it will refuse.

Here's the log output when it fails:

Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: executed
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: accepted connection
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: TLS server engine: cannot load CA data
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: imapd:Loading hard-coded DH parameters
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: SSL_accept() incomplete -> wait
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: SSL_accept() succeeded -> done
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: login: [REDACTED] plaintext+TLS User logged in SESSIONID=<cyrus-32711-1373503297-1>
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 cyrus/imap[32711]: last message repeated 2 times
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[31285]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 ip-10-0-0-201 cyrus/master[32712]: about to exec /usr/lib/cyrus/bin/imapd
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32712]: executed
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32712]: accepted connection
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[31285]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: TLS server engine: cannot load CA data
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: imapd:Loading hard-coded DH parameters
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: SSL_accept() incomplete -> wait
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: SSL_accept() succeeded -> done
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: login: [REDACTED] plaintext+TLS User logged in SESSIONID=<cyrus-32712-1373503298-1>
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:40 ip-10-0-0-201 cyrus/imap[32712]: open: user bgould opened INBOX.Apache Directory Server
Jul 11 00:41:40 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'

And the configuration:

tls_ca_file: /var/www/crets/gd_bundle.crt
tls_ca_path: /etc/ssl/certs
imap_tls_key_file: /var/www/certs/[REDACTED 1].key
tls_cert_file: /var/www/certs/[REDACTED 2].crt
tls_key_file: /var/www/certs/[REDACTED 1].key
imap_tls_key_file: /var/www/certs/[REDACTED 2].key

There are separate files for the cert and key as well as my CA (GoDaddy... can't go wrong since they have a sale!)

(The above /var/www directories are not actually accessible to the web server. I just happened to store my web certs in there as well, so why not use the same directory for mail certs?)

The certificate has the domain as well as the FQDN of the server specified.

It's interesting to add that even when I get this error, the connection will still succeed encrypted. A Google search of this issue indicates that it is more or less not commonly encountered.

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
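The "TLS server engine: cannot load CA data" line is what imapd logs when OpenSSL cannot load the CA locations named by tls_ca_file and tls_ca_path, after which the handshake still completes (the log shows "SSL_accept() succeeded") but without a usable trust store. The following is an added example, not code from the original post or from the Cyrus project: a small checker that runs the first things a reviewer would look at in such a config. It parses imapd.conf-style lines, flags options that are set more than once (which leaves it ambiguous which file the daemon will use), verifies that every referenced file or directory exists, and confirms that tls_ca_file is PEM, the format OpenSSL's CA loader expects. The sample configuration is copied from the post, including its "[REDACTED n]" placeholders; the filesystem accessors are parameters so the checks can be exercised against a fake directory tree, and nothing else about the poster's system is assumed.

```python
"""Sanity-check the TLS file options of a Cyrus imapd.conf (added example)."""
import os
from typing import Callable, Dict, List, Tuple

# Constructed sample: the configuration fragment from the post, with the
# poster's "[REDACTED n]" placeholders left in place of real file names.
SAMPLE_CONF = """\
tls_ca_file: /var/www/crets/gd_bundle.crt
tls_ca_path: /etc/ssl/certs
imap_tls_key_file: /var/www/certs/[REDACTED 1].key
tls_cert_file: /var/www/certs/[REDACTED 2].crt
tls_key_file: /var/www/certs/[REDACTED 1].key
imap_tls_key_file: /var/www/certs/[REDACTED 2].key
"""

# Options that must name a regular file; the imap_ prefixed forms are the
# per-service overrides Cyrus documents for imapd.
FILE_OPTIONS = ("tls_ca_file", "tls_cert_file", "tls_key_file",
                "imap_tls_cert_file", "imap_tls_key_file")
# Options that must name a directory of hashed CA certificates.
DIR_OPTIONS = ("tls_ca_path",)


def parse_imapd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'name: value' lines into an option map (last value kept) and
    return, alongside it, the names that appeared more than once."""
    options: Dict[str, str] = {}
    duplicates: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an option line
        name, value = name.strip(), value.strip()
        if name in options and name not in duplicates:
            duplicates.append(name)
        options[name] = value
    return options, duplicates


def looks_like_pem(data: bytes) -> bool:
    """SSL_CTX_load_verify_locations reads the CA file as PEM, so a DER
    bundle or an accidentally saved HTML page will fail to load."""
    return b"-----BEGIN " in data and b"-----END " in data


def check_tls_config(
    text: str,
    isfile: Callable[[str], bool] = os.path.isfile,
    isdir: Callable[[str], bool] = os.path.isdir,
    read: Callable[[str], bytes] = lambda p: open(p, "rb").read(),
) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious
    is wrong with the file references."""
    options, duplicates = parse_imapd_conf(text)
    findings: List[str] = []
    for name in duplicates:
        findings.append(f"{name} is set more than once (last value: {options[name]})")
    for name in FILE_OPTIONS:
        path = options.get(name)
        if path is None:
            continue
        if not isfile(path):
            findings.append(f"{name}: {path} does not exist or is not a regular file")
        elif name == "tls_ca_file" and not looks_like_pem(read(path)):
            findings.append(f"{name}: {path} is not a PEM bundle")
    for name in DIR_OPTIONS:
        path = options.get(name)
        if path is not None and not isdir(path):
            findings.append(f"{name}: {path} is not a directory")
    return findings


if __name__ == "__main__":
    # Run against the real filesystem of the host this is executed on.
    for finding in check_tls_config(SAMPLE_CONF) or ["no problems found"]:
        print(finding)
```

Run it on the mail server itself as the user imapd runs as, so permission problems show up as "does not exist or is not a regular file" the same way a typo in the path would.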