On 10 Jan 2003, Steve Huston writes:

> Now, our current Cyrus server has a self-signed cert which Pine
> doesn't like unless you add /novalidate-cert to the hostname of the
> server. But this time, that doesn't even help as it just says
> "There was an SSL/TLS failure for the server" "The reason for the
> failure was: SSL Negotiation failed" Cyrus also reports the same
> thing in the logs. I understand the point of '/novalidate-cert',
> meaning don't try to check the signing authority on the cert, and I
> could overlook things if that was the only error.

Use

    openssl s_client -connect server.your.domain:993

to see openssl negotiate with your server. The info you see (any
warnings, etc.) may give you clues about what specifically Pine is
complaining about.

Alternatively, use

    openssl x509 -text <path/to/my/sslcert.pem

for both the server that Pine is happy with, and the one it is unhappy
with, and compare the output by hand... what attributes are different
or missing in your new self-signed cert?

Longer term, you might want to create your own CA and sign the server
host cert with that CA. Then provide your public CA cert to Pine and,
theoretically, you won't need "/novalidate-cert".

If you have it around, connecting with mutt rather than Pine might also
be a useful test?

Jonathan
--
Jonathan Marsden    | Internet: [EMAIL PROTECTED] | Making electronic
1252 Judson Street  | Phone: +1 (909) 795-3877    | communications work
Redlands, CA 92374  | Fax: +1 (909) 795-0327      | reliably for Christian
USA                 | http://www.xc.org/jonathan  | missions worldwide
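
The longer-term suggestion in the reply above (create your own CA, sign the server cert with it, hand clients the CA cert), as an added example that is not part of the original message. The hostname imap.example.test, all file names and the helper function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example. imap.example.test and every file name are placeholders.
HOST=imap.example.test

# Build in directory $1: a self-signed server cert (the case in the post),
# a private CA, and a server cert signed by that CA.
make_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # Extensions for the leaf: name the host and mark it as not a CA.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" \
        > "$d/ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" \
        -out "$d/server.pem" 2>/dev/null || return 1
}

# chains_to <trust-anchor.pem> <cert.pem>: OK if the cert validates against
# the given anchor, FAIL otherwise (what a validating client would decide).
chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# issuer_kind <cert.pem>: the by-hand comparison of 'x509 -text' output,
# reduced to the one attribute that matters here (subject vs issuer).
issuer_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-signed; fi
}

# Stand-alone demo in a scratch directory.
tmp=$(mktemp -d) && make_certs "$tmp" && {
    echo "self.pem   is $(issuer_kind "$tmp/self.pem"), validates against CA: $(chains_to "$tmp/ca.pem" "$tmp/self.pem")"
    echo "server.pem is $(issuer_kind "$tmp/server.pem"), validates against CA: $(chains_to "$tmp/ca.pem" "$tmp/server.pem")"
}
rm -rf "$tmp"
```

Against a live server, adding -CAfile ca.pem to the s_client command from the reply shows whether the deployed cert chains to the CA; ca.key stays off the mail server and only ca.pem is given to clients.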