Hi Joachim,
On Tue, Jul 27, 2010 at 10:56:36AM +0200, Joachim Sehlstedt wrote:
Hi,
I would like to point out that we don't have the TB 3.1 (testing with
3.1.1) problem here while testing against version 1.19-rc2 (provided
patch applied or not doesn't matter for us). Here is the SSL part of the
config we use for Perdition, same config as for our live 1.18 servers
that do have the problem:
ssl_mode ssl_listen (Actually we use ssl_listen,tls_listen on our 1.18
servers, but got a ssl_mode error in 1.19 when trying that so guess that
is not a valid mode after all)
ssl_no_cn_verify
ssl_ca_file /etc/perdition/cacert.crt
ssl_cert_file /etc/perdition/mail.crt
ssl_key_file /etc/perdition/mail.key
Don't know if using ssl_no_cn_verify gives the same fix as you listed
for ssl_no_client_cert_verify and ssl_no_cert_verify, so that might be
the case why it's working here on 1.19-rc2 for us.
Are you sure that you can connect a second time from
the same thunderbird session? I don't have a ca_file handy
to test with, but with the rest of the options set I see the problem.
I would like to hijack this thread a bit and add/ask
the following:
It would make my inbox management a lot saner if you started a new thread.
I've changed the subject accordingly.
If we use tls_listen for our ssl_mode clients can no
longer connect and
Perdition throws this error:
Jul 27 10:25:59 mail perdition[28962]: Fatal Error reading
authentication information from client X:58785->Y:994: Exiting child
Shouldn't this work just as with ssl_listen?
No.
Due to a lack of understanding on my part when I added SSL support to
perdition, SSL and TLS do not have their normal meanings
in relation to the parameters to ssl_mode :-(
In a nutshell:
* ssl_* means use SSL/TLS (i.e. port 993, 995, ...)
  That is, this starts an SSL/TLS negotiation on connect.
* tls_* means use STARTTLS, STLS, ...
  That is, the user can upgrade a session from plaintext to
  encrypted (using SSL/TLS) after connecting.
Also I would like to point out this warning we have
during build:
ssl.c: In function ‘perdition_ssl_ctx’:
ssl.c:522: warning: assignment discards qualifiers from pointer target type
Is that this line?
ssl_method = SSLv23_method();
I'm not seeing the warning here.
Which version of gcc and libssl do you have?
Alternatively, do you know what the problem is?
Lastly, taking a stab in the dark, does this help?
Index: perdition/perdition/ssl.c
===================================================================
--- perdition.orig/perdition/ssl.c 2010-07-27 18:35:15.000000000 +0900
+++ perdition/perdition/ssl.c 2010-07-27 18:35:44.000000000 +0900
@@ -492,7 +492,6 @@ SSL_CTX *perdition_ssl_ctx(const char *c
const char *cert, const char *privkey,
const char *ca_chain_file, const char *ciphers, flag_t flag)
{
- SSL_METHOD *ssl_method;
SSL_CTX *ssl_ctx, *out = NULL;
const char *use_ca_file = NULL;
const char *use_ca_path = NULL;
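Review bot: dropping the `SSL_METHOD *ssl_method;` declaration is only safe if `ssl_method` has no other use inside `perdition_ssl_ctx`; this hunk shows only the declaration and the second hunk only the assignment and the `SSL_CTX_new()` call, so the rest of the function body should be checked (a clean build is a sufficient check, since any remaining use would fail as an undeclared identifier).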
@@ -519,10 +518,9 @@ SSL_CTX *perdition_ssl_ctx(const char *c
* Initialise an SSL context
*/
SSLeay_add_ssl_algorithms();
- ssl_method = SSLv23_method();
SSL_load_error_strings();
- ssl_ctx = SSL_CTX_new(ssl_method);
+ ssl_ctx = SSL_CTX_new(SSLv23_method());
if (!ssl_ctx) {
PERDITION_DEBUG_SSL_ERR("SSL_CTX_new");
return NULL;
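Review bot: passing `SSLv23_method()` straight into `SSL_CTX_new()` removes the non-const local that the reporter's gcc flagged at ssl.c:522 ("assignment discards qualifiers"), which is the warning you get when the installed OpenSSL headers declare `SSLv23_method()` as returning `const SSL_METHOD *`; older headers return a non-const pointer and do not warn, so it would help to have the reporter confirm the fix against their libssl version. Unrelated to the warning but worth noting while here: `SSLv23_method()` will negotiate any protocol version the library supports, and nothing in this hunk restricts that (for example `SSL_CTX_set_options()` with `SSL_OP_NO_SSLv2`); if that is handled elsewhere in the function this is fine, otherwise it deserves a look.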