Cyrus IMAP and certificates
I’ve *finally* discovered why my IMAP server no longer likes my self-signed certificates. The certificates are just fine. Cyrus is just fine. It’s OpenSSL that’s the problem - Bug 1513 to be exact.
The error messages, for anyone searching:
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load CA data
Jul 18 22:00:22 server imaps[71643]: unable to get certificate from '/usr/local/etc/imap.crt'
Jul 18 22:00:22 server imaps[71643]: unable to get certificate from '/usr/local/etc/imap.crt'
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load cert/key data
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load cert/key data
Jul 18 22:00:22 server imaps[71643]: error initializing TLS
Jul 18 22:00:22 server imaps[71643]: error initializing TLS
Jul 18 22:00:22 server imaps[71643]: Fatal error: tls_init() failed
Cyrus calls SSL_CTX_use_certificate_chain_file() to read in the certificate file. In my case, since I don’t have CA data set, an earlier call fails and leaves its error sitting on OpenSSL’s error queue; SSL_CTX_use_certificate_chain_file() then sees that stale error and reports failure as well, even though the certificate and key are just fine.
I wrote a small patch for FreeBSD 6.2, but the basic idea is: open imap/tls.c, find the SSL_CTX_use_certificate_chain_file() call (it’s inside set_cert_stuff()), and on the line immediately before that call add ERR_clear_error();
That’s it! You should now be able to use TLS.
Caveat: Use this patch at your own risk, I am not responsible for anything that happens to your system if you use it and it doesn’t work for you. I know this is not the best solution in the world, but it’s a decent workaround until the OpenSSL guys can get their act together.