On 10/09/2013 10:55 PM, Reindl Harald wrote:
On 09.10.2013 21:45, Eliezer Croitoru wrote:
On 10/09/2013 10:31 PM, Reindl Harald wrote:
On 09.10.2013 21:27, Eliezer Croitoru wrote:
On 09/13/2013 02:59 PM, Dan Langille wrote:
*** /var/log/maillog ***
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
How about trying to use a username to identify the user?? It is very clear that there is nothing that the client tries to do...
it is much more clear that there is no username if the client refuses the SSL handshake because it does not like the cert or the offered ssl-ciphers
user=<> is pretty normal in a lot of cases
- ssl cert not accepted and not allowed by the user in case of untrusted
- no cipher the client accepts
- no auth-mech the client accepts offered by the server
so how do *you* imagine to see a username in the log?
I expect that StarSSL will put good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..
not their job and not part of the problem
- your client accepts a certificate
- your client does not accept your certificate
in case it does not *you* as enduser have to accept/import the servers cert
http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not...
http://www.startssl.com/?app=25#31
if someone does not know what an "intermediate CA" is, he needs to RTFM or *read* messages of his client or buy certificates accepted by all major clients
but that all has less to do with your blunt "it is very clear that there is nothing that the client tries to do" showing that you have zero experience of how a client handshake works -> it does not send usernames or even passwords as long as it is not satisfied with the negotiation of auth-mechs and ssl-handshake
I would try to use StartSSL with squid and I will see if the docs in squid ssl-bump explain the subject in a way I can understand. As Dan explained his major problem is with specific encryption cipher in a very specific size.. I would imagine that 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?
Thanks, Eliezer
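
The point made in the replies above, that a session which fails during the TLS handshake is logged with user=<> because no credentials were ever sent, can be checked mechanically in the maillog. This is an added example, not part of the original thread: the function names are hypothetical, and the last two sample lines are constructed for illustration.

```python
import re

# OpenSSL info-callback bits (ssl.h) that Dovecot prints as "where=0x...".
WHERE_BITS = [(0x1000, "CONNECT"), (0x2000, "ACCEPT"), (0x4000, "ALERT"),
              (0x01, "LOOP"), (0x02, "EXIT"), (0x04, "READ"), (0x08, "WRITE"),
              (0x10, "HANDSHAKE_START"), (0x20, "HANDSHAKE_DONE")]

SSL_FAILED = re.compile(
    r"-login: Warning: SSL failed: where=(0x[0-9a-fA-F]+): (.+) \[([0-9a-fA-F.:]+)\]$")
DISCONNECT = re.compile(
    r"-login: Disconnected \((.*?)\): user=<([^>]*)>,.*?\brip=([0-9a-fA-F.:]+)")

# First two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE = """\
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
Sep 13 11:51:02 imaps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=199.233.228.197, TLS, session=<constructed1>
Sep 13 11:51:09 imaps dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=199.233.228.197, mpid=4242, TLS, session=<constructed2>
"""

def decode_where(value):
    """Translate the 'where' bitmask into OpenSSL flag names."""
    return [name for bit, name in WHERE_BITS if value & bit]

def preauth_tls_failures(log_text):
    """Find disconnects that happened during the TLS handshake, before any
    auth attempt, and join each with the last SSL warning from the same IP."""
    last_ssl = {}  # remote IP -> (handshake state, decoded where flags)
    findings = []
    for line in log_text.splitlines():
        m = SSL_FAILED.search(line)
        if m:
            last_ssl[m.group(3)] = (m.group(2), decode_where(int(m.group(1), 16)))
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        reason, user, rip = m.groups()
        # An empty user=<> is expected here: the handshake never completed.
        if "no auth attempts" in reason and "TLS handshaking" in line:
            state, where = last_ssl.pop(rip, (None, []))
            findings.append({"rip": rip, "user": user or None,
                             "handshake_state": state, "where": where})
    return findings

if __name__ == "__main__":
    for finding in preauth_tls_failures(SAMPLE):
        print(finding)
```

On the lines from the thread, where=0x2002 decodes to ACCEPT and EXIT, meaning the server-side handshake routine returned without completing; the disconnect with an auth attempt and the successful login are not reported.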