Re: Problem with STARTTLS

On 2018年04月26日 13:21, James B. Byrne via squirrelmail-users wrote:
> We have a currently running SquirrelMail (1.4.22-5.el6) (SM) running on
> Apache-2.2.15 all hosted on a CentOS-6.9 x64 box.  It connects via TLS
> (:993) to a Cyrus_IMAP-2.3.16 service running on a different
> CentOS-6.9 x64 host. Both services employ X509 certificates issued by
> our own CA.  All of the various bits of software are provided via the
> CentOS distribution packages.
> 
> We are in the process of migrating these services on to two new
> FreeBSD-11.1 platforms.  Again all the software involved is obtained
> through the official package manager.
> 
> I am at the point where I am attempting to connect the new SM (1.4.23
> [SVN]) running on Apache-2.4.33 to the existing IMAP service and not
> having much luck.  If I leave SM configured to use TLS on port 993
> then I get these messages logged on the IMAP server:
> 
> Apr 24 16:17:08 inet07 imaps[4420]: accepted connection
> Apr 24 16:17:08 inet07 imaps[4420]: SSL_accept() incomplete -> wait
> Apr 24 16:17:08 inet07 imaps[4420]: tlsv1 alert unknown ca in
> SSL_accept() -> fail
> Apr 24 16:17:08 inet07 imaps[4420]: imaps TLS negotiation failed:
> inet14.hamilton.harte-lyne.ca [216.185.71.14]
> Apr 24 16:17:08 inet07 imaps[4420]: Fatal error: tls_start_servertls()
> failed
> Apr 24 16:17:08 inet07 master[4398]: process 4420 exited, status 75
> Apr 24 16:17:08 inet07 master[4398]: service imaps pid 4420 in BUSY
> state: terminated abnormally
> Apr 24 16:17:10 inet07 master[4398]: process 7405 exited, status 0
> 
> If I switch to STARTTLS on port 143
> 
> 4.  IMAP Server            : imap.hamilton.harte-lyne.ca
> 5.  IMAP Port              : 143
> 6.  Authentication type    : login
> 7.  Secure IMAP (TLS)      : STARTTLS
> 8.  Server software        : cyrus
> 9.  Delimiter              : .
> 
> then I see these instead:
> 
> Apr 26 16:15:45 inet07 imap[1564]: accepted connection
> Apr 26 16:15:45 inet07 master[2814]: about to exec
> /usr/lib/cyrus-imapd/imapd
> Apr 26 16:15:45 inet07 imap[2814]: executed
> Apr 26 16:15:45 inet07 imap[1564]: imapd:Loading hard-coded DH parameters
> Apr 26 16:15:45 inet07 imap[1564]: SSL_accept() incomplete -> wait
> Apr 26 16:15:45 inet07 imap[1564]: tlsv1 alert unknown ca in
> SSL_accept() -> fail
> Apr 26 16:15:45 inet07 imap[1564]: STARTTLS negotiation failed:
> inet14.hamilton.harte-lyne.ca [216.185.71.14]
> 
> Now, the keys, certificates, and CA bundles installed on both SM
> instances are identical.  One set has been copied entirely from the
> other.  The only indication that something is wrong is the unknown ca,
> which does not appear when the existing SM service connects.  Those
> connections look like this:
> 
> Apr 26 16:16:02 inet07 imaps[2740]: accepted connection
> Apr 26 16:16:02 inet07 imaps[2740]: SSL_accept() incomplete -> wait
> Apr 26 16:16:02 inet07 imaps[2740]: SSL_accept() succeeded -> done
> Apr 26 16:16:02 inet07 imaps[2740]: starttls: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Apr 26 16:16:02 inet07 imaps[2740]: login:
> inet04.hamilton.harte-lyne.ca [216.185.71.24]
> 
> I need some guidance as to how to debug this.

Off the top of my head, I'd suggest trying to write a small POC script
to see if you can make the connection without any other code in the way.
But it does seem clear that the IMAP server does not in fact have the
CA's certificate, despite you having said you copied it over.  OTOH, the
SquirrelMail instance might be sending a different certificate than you
expected.  Maybe you can check to see if you can get Cyrus to dump out
what certificates are actually being exchanged.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
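A small probe of the kind suggested above, added here as an example and not part of the original thread or of SquirrelMail itself. Two details of the quoted logs are worth reading closely before running it: "tlsv1 alert unknown ca" inside SSL_accept() is OpenSSL's wording for an alert it received from the peer, so in both failing captures it is the connecting side (PHP/OpenSSL on the new FreeBSD host) that rejected the chain Cyrus presented; a verification failure on the Cyrus side would be logged as "certificate verify failed". And "no authentication" in the working connection's line means the old SquirrelMail presented no client certificate, so the CA bundle that matters is the one PHP uses to verify the IMAP server, not anything Cyrus holds. Since PHP 5.6, stream wrappers verify the peer by default, which PHP 5.3 on CentOS 6 did not; whether the FreeBSD host runs PHP 7 is an assumption here. The script opens the socket the two ways SquirrelMail does (ssl:// on 993, or tcp:// on 143 followed by STARTTLS and stream_socket_enable_crypto()), with verification on and the bundle named explicitly, and prints the chain the server sent. The bundle path, the use of PHP 7 CLI with the openssl extension and the command tag "a1" are assumptions.

```php
<?php
// Added diagnostic, not SquirrelMail's own code. Opens the IMAP socket the
// two ways SquirrelMail does (ssl:// on 993, or tcp:// on 143 followed by
// STARTTLS and stream_socket_enable_crypto()) with peer verification on and
// the CA bundle named explicitly, then prints the chain the server sent.
// Assumed: PHP 7 CLI with ext/openssl, the bundle path below, the tag "a1".

$host   = $argv[1] ?? 'imap.hamilton.harte-lyne.ca';           // IMAP host from the thread
$mode   = $argv[2] ?? 'tls';                                    // 'tls' (993) or 'starttls' (143)
$cafile = $argv[3] ?? '/usr/local/etc/ssl/harte-lyne-ca.pem';  // assumed location of the private CA bundle

// Keep PHP's OpenSSL warnings: their text (e.g. "unable to get local issuer
// certificate") names the verification failure that the Cyrus log only
// shows as the peer's "unknown ca" alert.
$warnings = [];
set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
    $warnings[] = $msg;
    return true;
});

$ctx = stream_context_create(['ssl' => [
    'verify_peer'             => true,   // default since PHP 5.6; PHP 5.3 on CentOS 6 skipped this
    'verify_peer_name'        => true,
    'cafile'                  => $cafile,
    'peer_name'               => $host,
    'capture_peer_cert'       => true,
    'capture_peer_cert_chain' => true,
]]);

// Read untagged lines until the server answers the given tag; true on "OK".
function waitForTag($fp, string $tag): bool
{
    while (($line = fgets($fp)) !== false) {
        if (strpos($line, "$tag ") === 0) {
            return strpos($line, "$tag OK") === 0;
        }
    }
    return false;
}

// Render an openssl_x509_parse() name array as "C=.., O=.., CN=..".
function dn(array $parts): string
{
    $out = [];
    foreach ($parts as $k => $v) {
        $out[] = $k . '=' . (is_array($v) ? implode('+', $v) : $v);
    }
    return implode(', ', $out);
}

$errno  = 0;
$errstr = '';
if ($mode === 'starttls') {
    $fp = stream_socket_client("tcp://$host:143", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp !== false) {
        fgets($fp);                                   // "* OK ..." greeting from Cyrus
        fwrite($fp, "a1 STARTTLS\r\n");
        if (!waitForTag($fp, 'a1')) {
            fwrite(STDERR, "server refused STARTTLS\n");
            exit(2);
        }
        if (!stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
            $fp = false;                              // handshake failed; $warnings holds the reason
        }
    }
} else {
    $fp = stream_socket_client("ssl://$host:993", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
}

if ($fp === false) {
    echo "TLS handshake FAILED", $errno ? " ($errno: $errstr)" : '', "\n";
    foreach ($warnings as $w) {
        echo "  openssl: $w\n";
    }
    exit(1);
}

// Handshake succeeded: show what the server presented so it can be checked
// against the bundle with `openssl verify -CAfile $cafile`.
$ssl   = stream_context_get_options($fp)['ssl'];
$chain = $ssl['peer_certificate_chain'] ?? [$ssl['peer_certificate']];
echo "TLS handshake OK using CA bundle $cafile\n";
foreach ($chain as $i => $cert) {
    $info = openssl_x509_parse($cert);
    echo "  [$i] subject: ", dn($info['subject']), "\n";
    echo "      issuer : ", dn($info['issuer']), "\n";
}
fclose($fp);
```

Run it on the new host as `php imap-tls-probe.php imap.hamilton.harte-lyne.ca starttls /path/to/ca.pem` and again with `tls`. If it fails with "unable to get local issuer certificate", the bundle does not contain the CA (or the intermediate) that issued the certificate Cyrus is sending, and the chain printed by a run against a permissive `verify_peer => false` context, or by `openssl s_client -connect imap.hamilton.harte-lyne.ca:143 -starttls imap -showcerts`, shows which issuer is missing. If the probe succeeds with the bundle named explicitly but SquirrelMail still fails, SquirrelMail's PHP is not using that bundle: check `openssl.cafile` in php.ini and the output of `php -r 'print_r(openssl_get_cert_locations());'`, which on FreeBSD points at a different default directory than CentOS.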

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users