> From: owner-openssl-us...@openssl.org On Behalf Of Marc Chamberlin
> Sent: Tuesday, March 18, 2014 02:34

> Hi - I am trying to test the TLS/SSL connection for my Apache James
> 2.3.2 email server. When using Thunderbird as a client and connecting
> via TLS/SSL protocol I don't have any problems sending/receiving email.
> I am pretty sure that I have set up my private (self-signed) certificate
> on the server OK as this has been working for a long time. I wanted to
> use TLS/SSL for access to the RemoteManager of the Apache James server
> and discovered that I cannot use openssl? This is what I am seeing when
> I try connecting on any of the ports for the POP3, SMTP or the
> RemoteManager handlers of the Apache James server-
>
> > openssl s_client -quiet -connect mydomain.com:portnum
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
> Signing, CN = StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

That is not a self-signed cert, that is a cert signed by something that at least claims to be StartSSL (if it's a StartSSL that you impersonated, that's very confusing and a bad idea). Do you know Thunderbird is seeing a self-signed cert? Does it even say, or check, what it sees? But that's not your immediate problem, because s_client ignores errors on the server cert except for printing them.

> 140032197080744:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> internal error:s3_pkt.c:1256:SSL alert number 80
> 140032197080744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:177:
>
> Internal Error??? This does NOT look very healthy and implies something
> is very sick... Anyone got any ideas on how to fix this?
>

Specifically "alert number 80" means the server is saying *it* has an internal error. Unfortunately the SSL alert cannot carry any details. Are there any logs on the server that have any entries at this time, or looking related to this problem?
If not, you'll either have to try things at random until you get lucky, which could be a very long time, or find a spec of exactly what your server wants/needs on this interface and then get s_client to do that.