Alright, I'm breaking down and turning to you guys for help. I know, it's not even about the latest cutting edge development branch but rather a 2.0.16 problem. My descendants will be cursed for generations to come because of this, yet I have no one else to turn to. Please, loan me your pity and perhaps a moment of your time.
So, I have Cyrus imapd 2.0.16 installed wonderfully and everything has been oh-so-gleeful because of it. However, I can never let the slumbering beast lie and I was overcome with the urge to enable SSL/TLS. That is the Right Thing to Do (tm) after all, but I seem to have snagged myself on some problems. From what I can tell, I'm receiving a read/write error while transferring the cert. (This is the part of the plea-for-help where I post obnoxiously long and obtuse console dumps). This is as much info as I can seem to get the programs to dump out, as well as some debugging info I have inserted into the programs:

zazu 16# imtest -v -t "" zazu.atc.missouri.edu
C: C01 CAPABILITY
S: * OK zazu Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
S01 OK Begin TLS negotiation now
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 100EB360 [10101600] (90 bytes => 90 (0x5A))
SSL_connect:SSLv3 write client hello A
read from 100EB360 [100F8DF0] (5 bytes => 5 (0x5))
0000 16 03 01 00 4a
read from 100EB360 [100F8DF5] (74 bytes => 74 (0x4A))
SSL_connect:SSLv3 read server hello A
read from 100EB360 [100F8DF0] (5 bytes => 5 (0x5))
0000 16 03 01 04 d1
read from 100EB360 [100F8DF5] (1233 bytes => 940 (0x3AC))
read from 100EB360 [100F91A1] (293 bytes => 293 (0x125))
Peer cert verify depth=0 /C=US/ST=Missouri/L=Columbia/O=University of Missouri/O=Information and Access Technology Services/OU=Emerging Technologies [EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
Peer cert verify depth=0 /C=US/ST=Missouri/L=Columbia/O=University of Missouri/O=Information and Access Technology Services/OU=Emerging Technologies [EMAIL PROTECTED]
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 100EB360 [100F8DF0] (5 bytes => 5 (0x5))
0000 16 03 01 00 0d
read from 100EB360 [100F8DF5] (13 bytes => 13 (0xD))
0000 0d 00 00 05 02 01 02 00|00 0e
000d - <SPACES/NULS>
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:error in SSLv3 write client key exchange A -1
SSL_connect error -1
SSL session removed
TLS negotiation failed!
Asking for capabilities again since they might have changed
C: C01 CAPABILITY
01S: * BAD Invalid tag

... at which point it just hangs. On the server side, here's what the logs say:

May 9 16:08:29 7W:zazu service-imap[3793]: executed
May 9 16:08:29 7W:zazu imapd[3793]: accepted connection
May 9 16:08:29 7W:zazu imapd[3793]: starting TLS engine
May 9 16:08:29 7W:zazu imapd[3793]: RAND_load_file() read reports 1024...
May 9 16:08:29 7W:zazu imapd[3793]: RAND_status sez we have enough entropy
May 9 16:08:29 5W:zazu imapd[3793]: TLS engine: cannot load CA data
May 9 16:08:29 3W:zazu imapd[3793]: TLS engine: No CA file specified. Client side certs may not work
May 9 16:08:29 7W:zazu imapd[3793]: setting up TLS connection
May 9 16:08:29 7W:zazu imapd[3793]: About to do SSL_new()
May 9 16:08:29 7W:zazu imapd[3793]: About to do SSL_clear()
May 9 16:08:29 7W:zazu imapd[3793]: About to do SSL_set_accept_state()
May 9 16:08:29 7W:zazu imapd[3793]: After SSL_set_accept_state()
May 9 16:08:29 7W:zazu imapd[3793]: About to do SSL_accept()
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:before/accept initialization
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:SSLv3 read client hello A
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:SSLv3 write server hello A
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:SSLv3 write certificate A
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:SSLv3 write certificate request
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:SSLv3 flush data
May 9 16:08:29 7W:zazu imapd[3793]: SSL3 alert write:fatal:unknown
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:error in SSLv3 read client certificate A
May 9 16:08:29 7W:zazu imapd[3793]: SSL_accept:error in SSLv3 read client certificate A
May 9 16:08:29 7W:zazu imapd[3793]: Error: SSL_ERROR_SSL
May 9 16:08:29 7W:zazu imapd[3793]: About to do SSL_get_session()
May 9 16:08:29 5W:zazu imapd[3793]: STARTTLS failed: zazu.atc.missouri.edu[128.206.94.254]

Things that catch my eye are the lines complaining about no CA data, and then, obviously, the SSL3 alert write:fatal:unknown. I don't think they're inter-related, since a self-signed cert should be sufficient for testing. Is it possible that my certificate just isn't good? Running 'openssl verify' on it only returns complaints about it being self-signed. Heck, should I take this plea to the OpenSSL lists? (which, btw, I am using v0.9.6c)

If any of you good folks have any thoughts on this, please let me know. This has become quite a frustration in my life recently.

Thanks in advance (and for good software),
Thaddeus Parkinson
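Added example, not part of the original post: a small Python decoder for the TLS 1.0 record headers and the last 13-byte handshake payload shown in the imtest dump, which shows that the server's CertificateRequest carries an empty CA name list (in line with the "No CA file specified" log line). The function names are this example's own, and the three payload bytes the dump hides behind `<SPACES/NULS>` are assumed to be NULs.

```python
import struct

# Bytes copied from the imtest dump in the post. The dump prints only the first
# 10 bytes of the final payload and marks the rest "<SPACES/NULS>"; the three
# hidden bytes are ASSUMED to be 0x00, which is what a well-formed message needs.
CERT_RECORD_HEADER = bytes.fromhex("16 03 01 04 d1")
LAST_RECORD_HEADER = bytes.fromhex("16 03 01 00 0d")
LAST_PAYLOAD = bytes.fromhex("0d 00 00 05 02 01 02 00 00 0e") + b"\x00" * 3

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   13: "certificate_request", 14: "server_hello_done", 16: "client_key_exchange"}
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}

def parse_record_header(hdr):
    """Return (content type, (major, minor), payload length) of a 5-byte TLS record header."""
    if len(hdr) != 5:
        raise ValueError("a TLS record header is exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", hdr)
    return CONTENT_TYPES.get(ctype, f"unknown({ctype})"), (major, minor), length

def parse_handshake(payload):
    """Split a handshake record payload into (message type, body) pairs."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated handshake header")
        mlen = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("truncated handshake body")
        msgs.append((HANDSHAKE_TYPES.get(payload[off], f"unknown({payload[off]})"), body))
        off += 4 + mlen
    return msgs

def parse_certificate_request(body):
    """Return (accepted client cert types, list of DER-encoded CA names)."""
    if len(body) < 3 or len(body) < 3 + body[0]:
        raise ValueError("truncated CertificateRequest")
    n = body[0]
    types = [CERT_TYPES.get(t, f"unknown({t})") for t in body[1:1 + n]]
    ca_len = int.from_bytes(body[1 + n:3 + n], "big")
    block = body[3 + n:3 + n + ca_len]
    if len(block) != ca_len:
        raise ValueError("truncated CA name list")
    names, off = [], 0
    while off < len(block):
        dn_len = int.from_bytes(block[off:off + 2], "big")
        names.append(block[off + 2:off + 2 + dn_len])
        off += 2 + dn_len
    return types, names
```

The header `16 03 01 04 d1` decodes to a 1233-byte handshake record, which equals the two reads of 940 and 293 bytes reported in the dump.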