[prev in list] [next in list] [prev in thread] [next in thread] 

List:       info-cyrus
Subject:    Re: Expire (manually) TLS sessions?
From:       Jorey Bump <list () joreybump ! com>
Date:       2009-01-21 20:27:54
Message-ID: 4977854A.9040502 () joreybump ! com
[Download RAW message or body]

Jeff Blaine wrote, at 01/21/2009 01:36 PM:

> bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t
> /var/imap/server.pem  imapsrv"

My understanding is that you only specify a keyfile if you're testing
client certificate authentication. For a normal test of TLS encryption,
it should be empty (but quoted):

 imtest -u bob -a bob -t "" mail.example.com

You'll still see this:

> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
> SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num :unable to get local issuer certificate
> verify error:num':certificate not trusted
> verify error:num!:unable to verify the first certificate

But you shouldn't see this:

> SSL_connect error 0
> SSL session removed
> failure: TLS negotiation failed!

If it works, you'll see this instead:

TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
C: C01 CAPABILITY
...

BTW, you probably shouldn't be advertising AUTH=PLAIN pre-STARTTLS. Try
something like this in imapd.conf, adjusted for the mechanisms you support:

 # authentication
 sasl_pwcheck_method: auxprop
 sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 allowplaintext: no

 # use this to enforce TLS with plaintext mechanisms
 sasl_minimum_layer: 128

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
[prev in list] [next in list] [prev in thread] [next in thread]