Dear friends, I'm not sure whether this problem is already known and solved, and not even sure whether this list is the right one to post it to. Sorry if I'm off topic.
Trying to set up pop3d-ssl with self-signed certificates I encountered permanent SSL connection failures. Testing with openssl s_client gave:

    k1:~ # openssl s_client -connect mail.vegaa.de:995 -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    write:errno=104

Debugging showed the problem as follows: I had added my own self-signed CA certificate to the directory of trusted CAs ( /var/share/ssl/certs ) with an appropriate hash link to it. As I did not give a separate TLS_TRUSTCERTS, couriertls used the standard default directory (namely /var/share/ssl/certs ) to verify the client certificates. But reading the CAs in courier-starttls stopped before my CA: the readdir() loop bailed out when it encountered the subdirectory 'expired', which is part of the standard openssl installation.

Although the client was not presenting any certificate of its own, the result was that my server certificate was not accepted. Or, under other circumstances, the server certificate is not accepted if signed by certain CAs (for example if a new CA certificate is added after the initial openssl installation).

Temporary solution: delete any subdirectory from /var/share/ssl/certs and put the expired certs somewhere else. Or use either a separate directory for TLS_TRUSTCERTS or a file with explicit cert names. Or apply the temporary patch below, although expired certs are not yet handled at all IMO. The patch will just skip any directory entries which are not link files.

HTH
Michael

--
Michael Zimmermann (http://vegaa.de)
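To illustrate the failure mode described above (a trusted-CA directory scan that stops at a subdirectory and never reaches the CA files listed after it), here is an added example of a directory walk that tolerates such entries. It is not Courier's code and not the author's patch: it uses stat() to follow hash symlinks and keep only regular files, so a subdirectory like 'expired', a dangling link, or any other non-file entry is skipped without ending the scan. The fixture directory, file names and certificate contents are constructed for the demonstration, and the code assumes a Linux/glibc environment with a writable /tmp.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if `name` inside `dir` resolves (through any symlink) to a regular
   file, 0 otherwise. stat() follows symlinks, so an OpenSSL hash link to a CA
   file counts, while a subdirectory such as 'expired' or a dangling link does
   not. */
static int is_regular_entry(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;

    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return 0;                 /* path too long: treat as not loadable */
    if (stat(path, &st) != 0)
        return 0;                 /* dangling symlink or unreadable entry */
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Walk a trusted-CA directory and count the entries a loader could hand to
   the certificate parser. Non-file entries are skipped rather than ending the
   scan, so a subdirectory early in readdir() order cannot hide the CA files
   that follow it. Returns -1 if the directory cannot be opened. */
int count_loadable_certs(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    int n = 0;

    if (!d)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if (is_regular_entry(dir, de->d_name))
            n++;
    }
    closedir(d);
    return n;
}

/* Constructed fixture (not a real cert store): a temporary directory holding
   one regular PEM file, an OpenSSL-style hash symlink to it, an 'expired'
   subdirectory and a dangling symlink. Writes the directory path into `out`
   and returns 0 on success, -1 on failure. */
int build_fixture(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/certdirXXXXXX";
    char path[4096];
    FILE *fp;

    if (!mkdtemp(tmpl) || strlen(tmpl) + 1 > outlen)
        return -1;
    strcpy(out, tmpl);

    snprintf(path, sizeof path, "%s/%s", tmpl, "myca.pem");   /* regular file */
    fp = fopen(path, "w");
    if (!fp)
        return -1;
    fputs("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
          "-----END CERTIFICATE-----\n", fp);
    fclose(fp);

    snprintf(path, sizeof path, "%s/%s", tmpl, "expired");    /* subdirectory */
    if (mkdir(path, 0755) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/%s", tmpl, "1a2b3c4d.0"); /* hash link */
    if (symlink("myca.pem", path) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/%s", tmpl, "deadbeef.0"); /* dangling */
    if (symlink("no-such-file.pem", path) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char dir[4096];

    if (build_fixture(dir, sizeof dir) != 0)
        return 1;
    printf("%s: %d loadable certificate entries\n",
           dir, count_loadable_certs(dir));
    return 0;
}
```

On the fixture the scan reports 2 loadable entries (the PEM file and the hash link pointing at it); the 'expired' subdirectory and the dangling link are skipped and do not stop the walk. Using stat() instead of the dirent d_type field also keeps the check portable, since d_type is not filled in on every filesystem.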
--- courier-imap-1.6.1/tcpd/libcouriertls.c Mon Oct 21 13:27:35 2002 +++ courier-imap-1.6.1-zim/tcpd/libcouriertls.c Thu Nov 21 20:07:48 2002 @@ -492,6 +492,9 @@ char *q; FILE *fp; + if (de->d_type != DT_LNK) + continue; + p=strrchr(de->d_name, '.'); if (!p[0] || !p[1]) continue;
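Review bot: the added check `if (de->d_type != DT_LNK) continue;` skips every entry that is not a symbolic link, so a CA file placed directly in the directory as a regular file (rather than through a hash link) is no longer loaded, and on filesystems that do not fill in d_type (it reads DT_UNKNOWN there) every entry would be skipped and no CA loaded at all. Testing for what should be excluded (`de->d_type == DT_DIR`), or better, stat()-ing the entry and skipping anything that is not S_ISREG, keeps regular files and links working while still avoiding the 'expired' subdirectory. The message also reports that the readdir() loop bails out entirely when one entry cannot be loaded; continuing past such an entry (with a log line) instead of aborting the scan would address the root cause, which this hunk only sidesteps for the directory case.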
