At 07:46 AM 9/27/2001 -0500, Amos Gouaux wrote:
> >>>>> On Thu, 27 Sep 2001 01:05:53 -0400,
> >>>>> Nick Simicich <[EMAIL PROTECTED]> (ns) writes:
>
>ns> I did some searches in the archives.  If there is anything similar,
>ns> searching on Eudora and ssl or tls didn't find it.  Eudora will not
>ns> complete TLS negotiation with Cyrus.
>
>Are you attempting to use the 'alternate port' configuration, or the
>'starttls' configuration?  I ask because we were able to get the
>'alternate port' configuration to work, but not the other.  Turns
>out that Eudora actually tries to do 'startssl' instead of
>'starttls'.  (No, 'startssl' doesn't exist.)

I had actually posted a trace of one of the sessions, extracted from 
ethereal (before it started working).  As you can see, the verb being used 
is, in fact, STARTTLS.  So I am of the opinion that if Eudora was 
mistakenly using a "STARTSSL" verb, they are now using STARTTLS (and, 
after that, refusing to actually start a TLS session - when I made the code 
change to not reject negotiation of SSL V2 and V3, it began 
negotiating an SSL V3 session rather than failing to negotiate a TLS 
session).  But I had actually attempted both the alternate port 
configuration and the main-port-with-startssl configuration, and they both 
failed in the same way - it is that Eudora does not support TLS.

I have not looked at the details of the negotiation since examining the 
differences between SSL V2 and SSL V3 closely when trying to determine why 
socksified connections to SSL V3 servers sometimes failed while SSL V2 
connections always worked.  (Some early SSL V3 implementations could not 
fall back when the cached secret on the server was not known to the client, 
because it was not, in fact, the same client even though it came from the 
same IP address; the bypass was, in many cases, to force V2.)  So I don't 
know what, if any, advantages there are from forcing TLS, or why someone 
would not want to go ahead and fall back to SSL V3, other than that it 
adheres to standards.  The code change that was suggested, to not force TLS 
but to accept the use of either TLS or SSL V2/V3, allowed things to work.

>* OK parrot.squawk.com Cyrus IMAP4 v2.0.15-HIERSEP-r2 server ready
>00000 CAPABILITY
>* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID 
>NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT 
>THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>00000 OK Completed
>00001 STARTTLS
>00001 OK Begin TLS negotiation now
>Then some binary gets put in here...
>00001 NO Starttls failed
>* BAD Invalid tag
>* BAD Invalid tag
>and a short binary burst here...

>If this sounds like it might be your situation, either use the
>'alternate port' or make a small change to the Cyrus code (I forget
>exactly where) so that it will tolerate this non-standard
>'startssl'.  I understand this has been reported to Eudora.

The client that I have had to force to use alternate ports is Lookout.  I 
have not bothered to investigate why in those cases.

--
We often hear of war described as if it were some kind of impersonal
affliction, such as the Black Plague or famine. The fact is that war is not
just something that happens, it is something that people make happen, and
they make it happen for reasons. As Clausewitz said, war is the continuation
of politics by other means. Exactly. War is neither a hurricane nor a flood.
It is, on the contrary, the cutting edge of ideology.
   -- Jeff Cooper
Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html
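The trace quoted in the message above shows the whole failure pattern: the client sends a valid STARTTLS, the server answers "OK Begin TLS negotiation now", the client's first handshake record is rejected ("NO Starttls failed"), and the server then drops back to its plaintext command parser, which reads the client's remaining handshake bytes as command lines and answers "* BAD Invalid tag". The Python model below is an added illustration, not Cyrus or Eudora code and not part of this thread; it reduces the TLS handshake to a check of the version field in the client's first hello record, and the class name, the `accepted_versions` policy and the sample hello builders are all assumptions made for the example. It can be driven with a strict policy (TLS 1.0 hello only, which reproduces the trace against an SSLv3 hello) and with the relaxed policy the thread describes (also accept SSLv3 and SSLv2 hellos), and it also shows what a server answers to the non-existent "STARTSSL" verb.

```python
"""Toy model of an IMAP server's plaintext command loop and STARTTLS hand-off.
Added illustration only, not Cyrus or Eudora code. The TLS handshake is
reduced to a version check on the client's first hello record."""

from dataclasses import dataclass

# Characters that may not appear in an IMAP tag: RFC 3501 atom-specials plus "+".
TAG_SPECIALS = frozenset('(){ %*"\\]+')


def is_valid_tag(tag: bytes) -> bool:
    """A tag is non-empty printable ASCII with no atom-specials. Raw TLS
    record bytes fail this test, which is why a server that drops back to
    its command parser after a failed handshake answers '* BAD Invalid tag'
    to the client's leftover handshake data."""
    return bool(tag) and all(0x21 <= b <= 0x7E and chr(b) not in TAG_SPECIALS for b in tag)


def client_hello_record(major: int, minor: int) -> bytes:
    """SSLv3/TLS-style record (content type 0x16 = handshake) carrying a
    ClientHello whose only meaningful field is client_version. SSLv3 is
    (3, 0), TLS 1.0 is (3, 1). Constructed sample data, not a real hello."""
    body = bytes([0x01, 0x00, 0x00, 0x02, major, minor])  # type, 3-byte length, version
    return bytes([0x16, major, minor]) + len(body).to_bytes(2, "big") + body


def sslv2_client_hello() -> bytes:
    """SSLv2-format CLIENT-HELLO: 2-byte header with the high bit set, then
    MSG-TYPE 1 and CLIENT-VERSION 0x0002. Constructed sample data."""
    msg = bytes([0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
    return (0x8000 | len(msg)).to_bytes(2, "big") + msg


def hello_version(data: bytes):
    """Return (version, bytes_consumed) for the first record in `data`,
    or (None, len(data)) if it does not look like a hello at all."""
    if len(data) >= 5 and data[0] == 0x16:
        return (data[1], data[2]), 5 + int.from_bytes(data[3:5], "big")
    if len(data) >= 5 and data[0] & 0x80:
        return (data[3], data[4]), 2 + (int.from_bytes(data[0:2], "big") & 0x7FFF)
    return None, len(data)


@dataclass
class ToyImapServer:
    # Hello versions the TLS layer accepts (assumed policy knob). The trace
    # came from a server that insisted on a TLS 1.0 hello; the change the
    # thread describes is modelled by also accepting SSLv3 and SSLv2 hellos.
    accepted_versions: frozenset = frozenset({(3, 1)})
    tls_active: bool = False
    awaiting_handshake: bool = False
    pending_tag: bytes = b""

    PLAIN_CAPS = (b"IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID "
                  b"NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT "
                  b"THREAD=REFERENCES IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5")

    def feed(self, data: bytes) -> list:
        """Hand the server a chunk of client bytes; get back its response lines."""
        if self.awaiting_handshake:
            return self._handshake(data)
        return self._commands(data)

    def _handshake(self, data: bytes) -> list:
        version, consumed = hello_version(data)
        self.awaiting_handshake = False
        if version in self.accepted_versions:
            self.tls_active = True  # from here on, lines would arrive inside TLS
            return []
        # Rejected: report failure on the STARTTLS tag, then parse whatever
        # else the client sent as plaintext commands, as in the trace.
        return [self.pending_tag + b" NO Starttls failed\r\n"] + self._commands(data[consumed:])

    def _commands(self, data: bytes) -> list:
        out = []
        for line in data.split(b"\r\n"):
            if line:
                out.extend(self._command(line))
        return out

    def _command(self, line: bytes) -> list:
        tag, _, rest = line.partition(b" ")
        if not is_valid_tag(tag):
            return [b"* BAD Invalid tag\r\n"]
        verb = rest.split(b" ", 1)[0].upper()
        if verb == b"CAPABILITY":
            # STARTTLS is advertised only while the connection is still plaintext.
            caps = self.PLAIN_CAPS if self.tls_active else self.PLAIN_CAPS.replace(b"IDLE ", b"IDLE STARTTLS ")
            return [b"* CAPABILITY " + caps + b"\r\n", tag + b" OK Completed\r\n"]
        if verb == b"STARTTLS" and not self.tls_active:
            self.awaiting_handshake, self.pending_tag = True, tag
            return [tag + b" OK Begin TLS negotiation now\r\n"]
        if verb == b"NOOP":
            return [tag + b" OK Completed\r\n"]
        # "STARTSSL", or STARTTLS once TLS is already up, ends here.
        return [tag + b" BAD Unrecognized command\r\n"]
```

Feeding the strict server the three lines from the trace and then an SSLv3 hello record yields the same sequence the trace shows; the same server given a second chunk of hello bytes answers "* BAD Invalid tag" because the record's first byte (0x16) is not a legal tag character. Constructing the server with `accepted_versions=frozenset({(0, 2), (3, 0), (3, 1)})` models the relaxed policy: the SSLv3 hello is accepted, `tls_active` becomes true, and STARTTLS disappears from the next CAPABILITY response.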
