On Fri, 10 Jan 2003, Jonathan Marsden wrote:

> On 10 Jan 2003, Steve Huston writes:
>
> > Now, our current Cyrus server has a self-signed cert which Pine
> > doesn't like unless you add /novalidate-cert to the hostname of the
> > server. But this time, that doesn't even help as it just says
> > "There was an SSL/TLS failure for the server" "The reason for the
> > failure was: SSL Negotiation failed" Cyrus also reports the same
> > thing in the logs. I understand the point of '/novalidate-cert',
> > meaning don't try to check the signing authority on the cert, and I
> > could overlook things if that was the only error.
>
> Longer term, you might want to create your own CA and sign the server
> host cert with that CA. Then provide your public CA cert to Pine and,
> theoretically, you won't need "/novalidate-cert"

On Fri, 10 Jan 2003, Ken Murchison wrote:

> I just tested Pine 4.44 against my Cyrus 2.1.11 using a self-signed cert
> (/novalidate-cert) and it works fine. Below is the output from ssldump
> (http://www.rtfm.com/ssldump/) for reference. I'd use ssldump to see
> where in the negotiation it fails.

Finally got it! I followed the exact instructions in the manual for
creating a key, and for some reason that worked. Then I realized one
other thing I changed in the /etc/imapd.conf file when I used that other
key, that being "tls_ca_file:" It seems that the program doesn't like
the CA file that comes with RedHat 8.0, and if I specify that file it
chokes and dies *only* on TLS connections, SSL works fine.

Now that I know the problem, I can figure out a workaround. Thanks
Jonathan and Ken for pointing me in the right direction (and thanks to
Dr. Pepper for providing caffeinated support).

-- 
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
Princeton University  | ICBM Address: 40.346525 -74.651285
126 Peyton Hall       |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
(609) 258-7375        | headlong into mystery." -Rush, 'Cygnus X-1'
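
The suggestion quoted at the top of the thread (create your own CA and sign the server certificate with it), worked through with the openssl command line as an added example that is not part of the original messages. The CA name, host name and file names are constructed, and the example also checks that a plain self-signed certificate does not chain to that CA, which is the situation /novalidate-cert works around.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA for an IMAP server cert.
# "Example Local CA", imap.example.org and all file names are constructed.

# Create a CA key and a self-signed CA certificate in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Create a server key and CSR for host $2, then sign the CSR with the CA in $1.
sign_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# For contrast: a self-signed server certificate for host $2.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the CA certificate $1.
# Running this before deploying catches a bad CA file or a mismatched cert.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build everything in a scratch directory and report both outcomes.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && sign_server_cert "$dir" imap.example.org &&
        make_self_signed "$dir" imap.example.org || return 1
    chains_to_ca "$dir/ca.pem" "$dir/server.pem" && echo "CA-signed: verifies"
    chains_to_ca "$dir/ca.pem" "$dir/self.pem" || echo "self-signed: rejected"
    rm -rf "$dir"
}
```

Call `demo` to see both results; `ca.pem` is the public CA certificate that would be handed to the mail client, while `ca.key` stays off the server.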