Solved imaps TLS negotiation failed

imap=cyrus-imap-3.0.13_1
freebsd=FreeBSD-12.1p4

Following a pkg upgrade on our webmail server (iocage jail at 12.1p4) this message started to appear in the maillog of our imap server (also an iocage jail at 12.1p4).

Code:
imap CYRUS/imaps[57267]: imaps TLS negotiation failed: webmail.hamilton.harte-lyne.ca [216.185.71.106]

I can connect to the imap service from the webmail host using openssl:
Code:
openssl s_client -starttls imap -tls1_2 -connect 192.168.216.57:143 -CAfile /usr/local/etc/pki/tls/certs/ca-bundle.crt -cert /usr/local/etc/pki/tls/certs/ca.harte-lyne.hamilton.squirrelmail.crt -key /usr/local/etc/pki/tls/private/ca.harte-lyne.hamilton.squirrelmail.key
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
verify return:1
depth=1 CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
verify return:1
. . .

    Start Time: 1587676195
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
. OK Completed
A1 LOGOUT
* BYE LOGOUT received
A1 OK Completed
read:errno=0

The apache24 service is using the same key and certificate:
Code:
grep '/usr/local/etc/pki/tls' /usr/local/etc/apache24/virtual.d/*conf
ca.harte-lyne.webmail.conf:    /usr/local/etc/pki/tls/certs/ca.harte-lyne.hamilton.squirrelmail.crt
ca.harte-lyne.webmail.conf:    /usr/local/etc/pki/tls/private/ca.harte-lyne.hamilton.squirrelmail.key
ca.harte-lyne.webmail.conf:    /usr/local/etc/pki/tls/certs/ca-bundle.crt

Nothing has changed with respect to the configuration of either Apache or Squirrelmail. The imap jail was updated earlier today but webmail was connecting up to the point the webmail jail pkgs were upgraded.

Has anyone any idea what the error is actually telling me? Is this a problem with the handshake, ciphers, or certificates? I have looked at them all and none seem to be incorrect. Also, I am confused that I can connect from the command line but webmail cannot. Any help would be appreciated.

This was caused by an update to ca_root_nss which removed all references to our private PKI CAs. Merging the public certificates of our CAs resolved the issue. This step is required after all updates to ca_root_nss and is part of our standard procedures. It was overlooked in this case.
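The fix in the post is a bookkeeping step: pkg replaced the ca_root_nss bundle, and the private CA certificates that had been merged into it went with it, so Squirrelmail (which trusted only the bundle) could no longer verify the imap server's chain while s_client, pointed at the same file, still could because the poster's chain files were passed explicitly. The script below is an added example, not code from the original post or from the ca_root_nss or Cyrus projects, of the post-upgrade check such a standard procedure would run: it compares every certificate in a file of private CA public certificates against the bundle and appends only the ones that are missing, so it is safe to run after every upgrade without duplicating entries. The bundle path is the one named in the thread; the private CA file name, /usr/local/etc/pki/tls/certs/private-cas.pem, is an assumption, and the demo at the end uses constructed placeholder PEM blocks rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): after a ca_root_nss upgrade,
# append any private CA certificate the new bundle lacks, without duplicating
# certificates that are still present.
#
# Assumptions not stated in the post: private CA public certificates are kept
# in /usr/local/etc/pki/tls/certs/private-cas.pem and the bundle to repair is
# /usr/local/etc/pki/tls/certs/ca-bundle.crt (the path seen in the thread).
# Both are placeholders to adjust.

# Print the base64 body of every certificate in a PEM file, one certificate
# per line with whitespace removed, so two copies compare equal regardless of
# how the base64 was wrapped. Comment lines between blocks are ignored.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
        inblock                       { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Write each certificate block of $1 to its own file $2/cert.N (N = 1, 2, ...).
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n; inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { if (inblock) close(out); inblock = 0 }
    ' "$1"
}

# Return 0 if the single certificate in $1 is already present in bundle $2.
cert_in_bundle() {
    body=$(pem_bodies "$1")
    pem_bodies "$2" | grep -qxF -- "$body"
}

# Append every certificate from $1 that is missing from bundle $2.
# Prints the number of certificates appended (0 when nothing was missing).
merge_missing() {
    cas="$1"; bundle="$2"
    work=$(mktemp -d) || return 1
    split_pem "$cas" "$work"
    added=0
    for cert in "$work"/cert.*; do
        [ -f "$cert" ] || continue
        if ! cert_in_bundle "$cert" "$bundle"; then
            cat "$cert" >> "$bundle"
            added=$((added + 1))
        fi
    done
    rm -rf "$work"
    echo "$added"
}

# Constructed demo data: the "certificates" are placeholder base64, not real
# X.509, standing in for one public root and for the two private CAs named in
# the s_client output (CA_HLL_ROOT_2016, CA_HLL_ISSUER_2016).
demo() {
    tmp=$(mktemp -d) || return 1
    # Freshly upgraded bundle: public roots only, private CAs gone.
    printf -- '## public root (placeholder)\n-----BEGIN CERTIFICATE-----\nUFVCTElDUk9PVA==\n-----END CERTIFICATE-----\n' > "$tmp/ca-bundle.crt"
    # Private CA file: two certificates, the second wrapped over two lines.
    printf -- '-----BEGIN CERTIFICATE-----\nSExMUk9PVDIwMTY=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nSExMSVNT\nVUVSMjAxNg==\n-----END CERTIFICATE-----\n' > "$tmp/private-cas.pem"

    first=$(merge_missing "$tmp/private-cas.pem" "$tmp/ca-bundle.crt")   # both appended
    second=$(merge_missing "$tmp/private-cas.pem" "$tmp/ca-bundle.crt")  # nothing to add
    total=$(grep -c 'BEGIN CERTIFICATE' "$tmp/ca-bundle.crt")
    rm -rf "$tmp"
    echo "first=$first second=$second total=$total"
}

demo
```

Run `merge_missing /usr/local/etc/pki/tls/certs/private-cas.pem /usr/local/etc/pki/tls/certs/ca-bundle.crt` as part of the post-upgrade routine; a non-zero count means the upgrade had dropped the private CAs, which is the condition behind the "imaps TLS negotiation failed" line. Keeping the private CA certificates in their own file, rather than only inside the bundle, is what makes the re-merge repeatable. To confirm the repair the way a client that trusts only the bundle would, repeat the s_client command from the post with just `-CAfile` (no `-cert`/`-key`) and add `-verify_return_error`, which makes s_client abort the handshake instead of reporting a verify failure and continuing.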