Re: sslv3 alert certificate unknown in SSL_accept() -> fail

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Marcus!

Problem looks like java app cannot validate new cert. Check ssl_store for your java based mail gate. Are there CA and Intermediate SSL Certificates for your new 256ssl cert in mail gate ssl store?


Hi,

today I changed my SSL certificates to "sha256WithRSAEncryption",
because Thunderbird started complaining about me old SHA1
certificates. ;) One pop3s client (it's a kind of java based mailgate)
causes a lot of these errors, not at each connect, but on about two of
140 mailbox connects within 5 minutes:


mail log:
----------
May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection
May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete ->
wait
May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate
unknown in SSL_accept() -> fail
May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed:
ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx]
May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error:
tls_start_servertls() failed
May 20 23:14:02 mailserv cyrus/pop3s[17825]: counts: retr=<0> top=<0>
dele=<0>
----------

error log:
----------
May 20 23:12:07 mailserv cyrus/pop3s[17838]: Fatal error:
tls_start_servertls() failed
----------

If I check pop3s with my Thunderbird or other clients everything is
fine. SSL checker e.g. on https://decoder.link/sslchecker doesn't show
any errors and it's only this one pop3 client, which causes this error.

I didn't changed anything in imap.conf, but replacing cert files and
reload imapd

tls_cert_file
tls_key_file
tls_ca_file

tls_cipher_list is unchanged:
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

Is the client sending a client certificate, which my server doesn't
like? But I don't ask for any client certificates.

System: cyrus 2.4.12

Ciao
Marcus


----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Attachment: smime.p7s
Description: S/MIME cryptographic signature

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux