We have a currently running SquirrelMail (1.4.22-5.el6) (SM) running on Apache-2.2.15, all hosted on a CentOS-6.9 x64 box. It connects via TLS (:993) to a Cyrus_IMAP-2.3.16 service running on a different CentOS-6.9 x64 host. Both services employ X509 certificates issued by our own CA. All of the various bits of software are provided via the CentOS distribution packages.

We are in the process of migrating these services onto two new FreeBSD-11.1 platforms. Again, all the software involved is obtained through the official package manager.

I am at the point where I am attempting to connect the new SM (1.4.23 [SVN]) running on Apache-2.4.33 to the existing IMAP service and not having much luck.

If I leave SM configured to use TLS on port 993 then I get these messages logged on the IMAP server:

Apr 24 16:17:08 inet07 imaps[4420]: accepted connection
Apr 24 16:17:08 inet07 imaps[4420]: SSL_accept() incomplete -> wait
Apr 24 16:17:08 inet07 imaps[4420]: tlsv1 alert unknown ca in SSL_accept() -> fail
Apr 24 16:17:08 inet07 imaps[4420]: imaps TLS negotiation failed: inet14.hamilton.harte-lyne.ca [216.185.71.14]
Apr 24 16:17:08 inet07 imaps[4420]: Fatal error: tls_start_servertls() failed
Apr 24 16:17:08 inet07 master[4398]: process 4420 exited, status 75
Apr 24 16:17:08 inet07 master[4398]: service imaps pid 4420 in BUSY state: terminated abnormally
Apr 24 16:17:10 inet07 master[4398]: process 7405 exited, status 0

If I switch to STARTTLS on port 143

4.  IMAP Server            : imap.hamilton.harte-lyne.ca
5.  IMAP Port              : 143
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : STARTTLS
8.  Server software        : cyrus
9.  Delimiter              : .

then I see these instead:

Apr 26 16:15:45 inet07 imap[1564]: accepted connection
Apr 26 16:15:45 inet07 master[2814]: about to exec /usr/lib/cyrus-imapd/imapd
Apr 26 16:15:45 inet07 imap[2814]: executed
Apr 26 16:15:45 inet07 imap[1564]: imapd:Loading hard-coded DH parameters
Apr 26 16:15:45 inet07 imap[1564]: SSL_accept() incomplete -> wait
Apr 26 16:15:45 inet07 imap[1564]: tlsv1 alert unknown ca in SSL_accept() -> fail
Apr 26 16:15:45 inet07 imap[1564]: STARTTLS negotiation failed: inet14.hamilton.harte-lyne.ca [216.185.71.14]

Now, the keys, certificates, and CA bundles installed on both SM instances are identical. One set has been copied entirely from the other. The only indication that something is wrong is the unknown ca, which does not appear when the existing SM service connects. Those connections look like this:

Apr 26 16:16:02 inet07 imaps[2740]: accepted connection
Apr 26 16:16:02 inet07 imaps[2740]: SSL_accept() incomplete -> wait
Apr 26 16:16:02 inet07 imaps[2740]: SSL_accept() succeeded -> done
Apr 26 16:16:02 inet07 imaps[2740]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Apr 26 16:16:02 inet07 imaps[2740]: login: inet04.hamilton.harte-lyne.ca [216.185.71.24]

I need some guidance as to how to debug this.

--
***          e-Mail is NOT a SECURE channel          ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
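
Added example (not part of the original post): a small Python parser that groups the Cyrus syslog lines quoted above by service and PID and reports each TLS session's outcome, so the failing client (inet14) and the working one (inet04) can be compared side by side. OpenSSL logs a "tlsv1 alert ..." reason when the alert was received from the peer, so the failing entries record the client rejecting the server's certificate chain. The function name `summarize` and the regular expressions are assumptions written for these log lines.

```python
import re

# Lines copied from the post's Cyrus syslog excerpts (one session of each kind).
SAMPLE = """\
Apr 24 16:17:08 inet07 imaps[4420]: accepted connection
Apr 24 16:17:08 inet07 imaps[4420]: tlsv1 alert unknown ca in SSL_accept() -> fail
Apr 24 16:17:08 inet07 imaps[4420]: imaps TLS negotiation failed: inet14.hamilton.harte-lyne.ca [216.185.71.14]
Apr 24 16:17:08 inet07 master[4398]: process 4420 exited, status 75
Apr 26 16:15:45 inet07 imap[2814]: executed
Apr 26 16:15:45 inet07 imap[1564]: tlsv1 alert unknown ca in SSL_accept() -> fail
Apr 26 16:15:45 inet07 imap[1564]: STARTTLS negotiation failed: inet14.hamilton.harte-lyne.ca [216.185.71.14]
Apr 26 16:16:02 inet07 imaps[2740]: SSL_accept() succeeded -> done
Apr 26 16:16:02 inet07 imaps[2740]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Apr 26 16:16:02 inet07 imaps[2740]: login: inet04.hamilton.harte-lyne.ca [216.185.71.24]
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (imaps?)\[(\d+)\]: (.*)$")
# OpenSSL logs "<proto> alert <name>" when the alert was RECEIVED from the peer,
# so on the server this means the client rejected the server's certificate chain.
ALERT = re.compile(r"^(?:tlsv1|sslv3) alert (.+) in SSL_accept\(\) -> fail$")
FAILED = re.compile(r"negotiation failed: (\S+) \[([\d.]+)\]$")
OK = re.compile(r"^starttls: (\S+) with cipher (\S+)")
LOGIN = re.compile(r"^login: (\S+) \[([\d.]+)\]")


def summarize(text):
    """Return one dict per (service, pid) that reached a TLS outcome."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # master[...] and unrelated lines
        service, pid, msg = m.groups()
        s = sessions.setdefault((service, pid), {"service": service, "pid": int(pid)})
        if a := ALERT.match(msg):
            s["client_alert"] = a.group(1)
        elif f := FAILED.search(msg):
            s.update(result="failed", peer=f.group(1), ip=f.group(2))
        elif o := OK.match(msg):
            s.update(result="ok", protocol=o.group(1), cipher=o.group(2))
        elif g := LOGIN.match(msg):
            s.update(peer=g.group(1), ip=g.group(2))
    return [s for s in sessions.values() if "result" in s]


if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s)
```

Keying on service and PID assumes a PID is not reused within the excerpt being parsed.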