On 09.10.2013 22:09, Eliezer Croitoru wrote:
> On 10/09/2013 10:55 PM, Reindl Harald wrote:
>>
>>
>> On 09.10.2013 21:45, Eliezer Croitoru wrote:
>>> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>>>>
>>>>
>>>> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>>>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>>>>
>>>>>> *** /var/log/maillog ***
>>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed:
>>>>>> where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth
>>>>>> attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197,
>>>>>> TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
>>>>> How about trying to use a username to identify the user??
>>>>> it is very clear that there is nothing that the client tries to do...
>>>>
>>>> it is much more clear that there is no username if the client
>>>> refuses the SSL handshake because it does not like the cert
>>>> or the offered ssl-ciphers
>>>>
>>>> user=<> is pretty normal in a lot of cases
>>>>
>>>> * ssl cert not accepted and not allowed by the user in case of untrusted
>>>> * no cipher the client accepts
>>>> * no auth-mech the client accepts offered by the server
>>>>
>>>> so how do *you* imagine to see a username in the log?
>>>>
>>> I expect that StartSSL will put a good configuration examples for Apache
>>> Postfix Dovecot Exim nginx and more..
>>
>> not their job and not part of the problem
>>
>> * your client accepts a certificate
>> * your client does not accept your certificate
>>
>> in case it does not *you* as enduser have to accept/import the servers cert
>>
>> http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
>> http://www.startssl.com/?app=25#31
>>
>> if someone does not know what a "intermediate CA" he needs to RTFM or *read*
>> messages of his client or buy by all major clients accepted certificates
>>
>> but that all has less to do with your blunty "it is very clear that there is
>> nothing that the client tries to do" showing that you have zero experience
>> how a client handshake works -> it does not send usernames or even passwords
>> until it is not satisfied with the negotiation of auth-mechs and ssl-handshake
>>
> I would try to use StartSSL with squid and I will see if the docs in squid
> ssl-bump explains the subject in a way I can understand

RTFM http://www.startssl.com/?app=25 or go to http://www.thawte.com/

> As Dan explained his major problem is with specific encryption cypher in a
> very specific size..
> I would imagine that 4k bits certificate handshake and validation can take
> more than 1 sec..
> Am I right about it?

why in the world should it take more than 1 second?
and even if - how does this matter?
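The point argued in the thread, that `user=<>` is expected when a connection ends during the TLS handshake, shown as an added example that is not part of the original messages: a small Python triage function that reports how far each disconnected client got. The first two sample lines are the log excerpt quoted above, re-joined onto single lines; the third line is constructed for contrast, and the function and field names are this example's own.

```python
import re
from collections import defaultdict

# First two entries: the log excerpt quoted in the thread, re-joined onto single lines.
# Third entry: constructed for contrast (a client that completed TLS and tried to log in).
SAMPLE_LOG = """\
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
Sep 13 11:52:10 imaps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=199.233.228.197, TLS, session=<CONSTRUCTEDsess01>
"""

SSL_FAILED = re.compile(r"imap-login: Warning: SSL failed: where=(0x[0-9a-fA-F]+): (.+) \[([^\]]+)\]$")
DISCONNECT = re.compile(r"imap-login: Disconnected \(([^)]*)\): user=<([^>]*)>, (.*)$")


def classify(log_text):
    """Return one dict per disconnect line, saying how far the client got."""
    ssl_states = defaultdict(list)  # remote IP -> handshake states logged before the disconnect
    results = []
    for line in log_text.splitlines():
        m = SSL_FAILED.search(line)
        if m:
            ssl_states[m.group(3)].append(m.group(2))
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        reason, user, rest = m.groups()
        fields = dict(f.split("=", 1) for f in rest.split(", ") if "=" in f)
        rip = fields.get("rip")
        if "TLS handshaking" in rest:
            stage = "tls-handshake"      # no credentials were ever sent, so user=<> is expected
        elif reason.startswith("no auth attempts"):
            stage = "connected-no-auth"  # session was up, client never tried to log in
        else:
            stage = "auth"               # client reached authentication
        results.append({
            "rip": rip, "user": user or None, "stage": stage,
            "ssl_states": ssl_states.pop(rip, []),
        })
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(r)
```
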