List: info-cyrus
Subject: Re: Expire (manually) TLS sessions?
From: Jorey Bump <list () joreybump ! com>
Date: 2009-01-21 20:27:54
Message-ID: 4977854A.9040502 () joreybump ! com
Jeff Blaine wrote, at 01/21/2009 01:36 PM:
> bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t
> /var/imap/server.pem imapsrv"
My understanding is that you only specify a keyfile if you're testing
client certificate authentication. For a normal test of TLS encryption,
it should be empty (but quoted):
imtest -u bob -a bob -t "" mail.example.com
You'll still see this:
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
> SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=20:unable to get local issuer certificate
> verify error:num=27:certificate not trusted
> verify error:num=21:unable to verify the first certificate
But you shouldn't see this:
> SSL_connect error 0
> SSL session removed
> failure: TLS negotiation failed!
If it works, you'll see this instead:
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
C: C01 CAPABILITY
...
BTW, you probably shouldn't be advertising AUTH=PLAIN pre-STARTTLS. Try
something like this in imapd.conf, adjusted for the mechanisms you support:
# authentication
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
# use this to enforce TLS with plaintext mechanisms
sasl_minimum_layer: 128
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
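As an added illustration of the two checks discussed in the post (does the server offer STARTTLS and negotiate TLS cleanly, and does it advertise plaintext SASL mechanisms on the cleartext port), here is a small Python script that is not part of the thread or of Cyrus. The greeting it parses is a constructed sample modelled on the quoted one; check_server() and the host names are assumptions for a live run.

```python
import re
import socket
import ssl

# Constructed sample, modelled on the greeting quoted in the post above.
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN "
                   "SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready")

# SASL mechanisms that send the password (or an equivalent) in the clear.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Return the capability tokens from an IMAP greeting ('* OK [CAPABILITY ...]')
    or from an untagged '* CAPABILITY ...' response."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return set(m.group(1).split()) if m else set()


def pre_starttls_findings(caps):
    """What an unencrypted client is offered. An empty list means nothing plaintext is exposed."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    exposed = sorted(c[5:] for c in caps if c.startswith("AUTH=") and c[5:] in PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext mechanisms advertised before STARTTLS: " + ", ".join(exposed))
    if "LOGINDISABLED" not in caps:
        # Cyrus advertises LOGINDISABLED on the cleartext port when allowplaintext is off.
        findings.append("LOGIN command not disabled before STARTTLS")
    return findings


def check_server(host, port=143, timeout=10):
    """Live check (needs a network; not exercised by the assertions): read the greeting,
    issue STARTTLS and verify the server certificate, as imtest's 'verify error' lines do."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        greeting = reader.readline().decode("ascii", "replace")
        findings = pre_starttls_findings(parse_capabilities(greeting))
        sock.sendall(b"S01 STARTTLS\r\n")
        reply = reader.readline().decode("ascii", "replace").strip()
        if not reply.startswith("S01 OK"):
            return findings + ["STARTTLS refused: " + reply]
        ctx = ssl.create_default_context()  # verifies the chain and the host name
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return findings + ["TLS established: %s with cipher %s"
                                   % (tls.version(), tls.cipher()[0])]
        except ssl.SSLError as exc:
            return findings + ["TLS negotiation failed: %s" % exc]
```

Run against the sample greeting, pre_starttls_findings() flags the AUTH=PLAIN advertisement the post warns about; a server configured with allowplaintext: no and sasl_minimum_layer: 128 should produce an empty list on port 143.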