Cisco Support Community
New Member

TLS not working

IMAP communication between a mail server and our Unity Connection 7.x server has stopped working.  The end user stated:

"The problem we observed from our server, and which is reproducible with the openssl tool, is that the Unity Connection server doesn't respond to a login request performed over STARTTLS. Doing a simple IMAP STARTTLS test results in a hung login attempt and eventual timeout:

client: # openssl s_client -connect unityservername.domain.com:143 -starttls imap
server: <valid response>
client: 0 LOGIN username password
<no response, timeout>
"

On the Unity Connection server I turned on micro traces for IMAP.  In one of the resultant log files, I see this:

"09/30/2010 08:27:48.687 |3490,ClientSocket-42 10.0.24.181:-28448,,CuImapSvr,11,SSL_accept:error in SSLv3 read client certificate A: [0xFFFFFFFF; --Unknown HRESULT--]|"

The timestamp on this message corresponded with a failed test attempt.  I've tried restarting the IMAP server service.  No changes were made on the Unity Connection side between the time that this was working and the time it stopped working.


Any ideas?

Thanks.

Red

Re: TLS not working

I don't think 143 was the right port number for TLS.  For Unity Connection, it should be 7993.

Michael

http://htluo.blogspot.com

New Member

Re: TLS not working

Thanks for the response.  I don't think it's a port number issue.  It was working in the past for them on 143.

The log clearly shows that a socket is being created for the connection attempt.  There's something else amiss.

Red

Re: TLS not working

I would be surprised if TLS worked on port 143 in the past.

It's like saying "yes, HTTPS worked on port 80 in the past".  Technically, that's possible, but very unlikely.  Unless someone hacked the UC box and turned on TLS on port 143.

Michael

http://htluo.blogspot.com

New Member

Re: TLS not working

OK, let me backpedal a bit.  I probably didn't do a great job of framing the scenario properly.  The initial connection to the Unity Connection server is an IMAP connection (from a Zimbra server) on port 143.  The Unity Connection server offers TLS for the connection.  The client (Zimbra server) attempts TLS and the TLS handshake fails.  In the past, TLS didn't fail.  Now, TLS fails.  There's a setting in the e-mail client that allows them to use SSL instead and if they use that, everything works fine.  For some reason, they would prefer to use the IMAP connection with TLS.  I don't know why but that's what they want to do.

This is the last thing that shows up in the IMAP log on Unity Connection for a failed connection attempt:

10/04/2010 09:29:26.035 |26497,ClientSocket-39 10.0.24.181:-17988,,CuImapSvr,11,BIO_read(m_SSL_bio) returned zero.  SSL server startup failed.: [0x00000000; S_OK]|
10/04/2010 09:29:26.035 |26497,ClientSocket-39 10.0.24.181:-17988,,CuImapSvr,10,Session Run failed for client ClientSocket-39 10.0.24.181:-17988 : [0x80046B03; Uis_E_SSL_HANDSHAKE; SSL handshake error during IMAP session.]|

Red

Re: TLS not working

Did you say IMAP over SSL (port 143) worked fine but IMAP over TLS (port 143) didn't work?

Again, port 143 is dedicated for IMAP over TCP (plain text).  I don't believe they can make IMAP over SSL work over port 143.

Michael

http://htluo.blogspot.com

New Member

Re: TLS not working

Here's what the tech on the client-side observed:

"The problem we observed from Zimbra ZCS, and which is reproducible with the openssl tool, is that the Unity server does not respond to a login request performed over STARTTLS. Doing a simple IMAP STARTTLS test results in a hung login attempt and eventual timeout:

client: # openssl s_client -connect unityservername.domain.com:143 -starttls imap
server:
client: 0 LOGIN username password
"

So the way I interpret this (and I could be totally wrong) is that the client makes an IMAP connection over port 143 and either requests TLS or tries TLS if it is offered.  At that point, the login fails.

The user tried a test and responded with this:

"Just did one a couple minutes ago- did SSL on 993 first w/success, then did the unencrypted one on 143 which threw the 'Generic Test Failure'"
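
The thread turns on which step actually fails: the plaintext IMAP session on 143, the STARTTLS upgrade, or the TLS handshake that follows. The probe below is an added example, not part of the original posts or of any Cisco or Zimbra tooling; it walks those steps in order, reports the first one that fails, and never sends a LOGIN. The function names, the `a1`/`a2` tags and the `verify` switch are assumptions of this example.

```python
import socket
import ssl

def _read_tagged(f, tag):
    """Read lines up to the tagged completion line; return (status, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if line.startswith(tag + " "):
            return line.split(" ", 2)[1].upper(), lines

def probe_imap_starttls(host, port=143, timeout=5.0, verify=True):
    """Return (stage, detail): stage is 'ok' or the first step that failed."""
    stage = "connect"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            stage = "greeting"
            greeting = f.readline().decode("ascii", "replace").strip()
            if not greeting.upper().startswith("* OK"):
                return stage, greeting
            stage = "capability"
            sock.sendall(b"a1 CAPABILITY\r\n")
            status, lines = _read_tagged(f, "a1")
            caps = " ".join(l for l in lines if l.startswith("* ")).upper().split()
            if status != "OK" or "STARTTLS" not in caps:
                return stage, "STARTTLS not advertised"
            stage = "starttls"
            sock.sendall(b"a2 STARTTLS\r\n")
            status, lines = _read_tagged(f, "a2")
            if status != "OK":
                return stage, lines[-1]
            stage = "tls_handshake"  # the step the CuImapSvr trace shows failing
            ctx = ssl.create_default_context()
            if not verify:  # assumption: lab box with a self-signed certificate
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
    except OSError as exc:  # timeouts, resets and ssl.SSLError all derive from it
        return stage, f"{type(exc).__name__}: {exc}"
```

A result of `tls_handshake` with a timeout or EOF detail matches a server that accepts STARTTLS and then fails the handshake; a modern OpenSSL build refusing an old protocol version lands in the same stage, so read the detail string.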
