Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1938
Views
0
Helpful
6
Replies

TLS not working

sdavids5670
Level 2
Level 2

‎10-01-2010 01:58 PM - edited ‎03-19-2019 01:41 AM

IMAP communication between a mail server and our Unity Connection 7.x server has stopped working.  The end user stated:

"The problem we observed from our server, and which is reproducible with the openssl tool, is that the Unity Connection server doesn't respond to a login request performed over STARTTLS. Doing a simple IMAP STARTTLS test results in a hung login attempt and eventual timeout:

client: # openssl s_client -connect unityservername.domain.com:143 -starttls imap
server: <valid response>
client: 0 LOGIN username password
<no response, timeout"

On the Unity Connection server I turned on micro traces for IMAP.  In one of the resultant log files, I see this:

"09/30/2010 08:27:48.687 |3490,ClientSocket-42 10.0.24.181:-28448,,CuImapSvr,11,SSL_accept:error in SSLv3 read client certificate A: [0xFFFFFFFF; --Unknown HRESULT--]|"

The timestamp on this message corresponded with a failed test attempt.  I've tried restarting the IMAP server service.  No changes were made on the Unity Connection side between the time that this was working and the time is stopped working.


Any ideas?

Thanks.

Labels:
0 Helpful
6 Replies 6

htluo
Level 9
Level 9

‎10-04-2010 02:38 PM

I don't think 143 was the right port number for TLS.  For Unity Connection, it should be 7993.

Michael

http://htluo.blogspot.com

0 Helpful

sdavids5670
Level 2
Level 2
In response to htluo

‎10-05-2010 01:42 PM

Thanks for the response.  I don't think it's a port number issue.  It was working in the past for them on 143.

The log clearly shows that a socket is being created for the connection attempt.  There's something else amiss.

0 Helpful

htluo
Level 9
Level 9
In response to sdavids5670

‎10-06-2010 09:46 AM

I would be surprised if TLS worked on port 143 in the past.

It's like saying "yes, HTTPS worked on port 80 in the past".  Technically, that's possible, but very unlikely.  Unless someone hacked the UC box and turned on TLS on port 143.

Michael

http://htluo.blogspot.com

0 Helpful

sdavids5670
Level 2
Level 2
In response to htluo

‎10-06-2010 10:39 AM

OK, let me back pedal a bit.  I probably didn't do a great job of framing the scenario properly.  The initial connection to the Unity Connection server is an IMAP connection (from a Zimbra server) on port 143.  The Unity Connection server offers TLS for the connection.  The client (Zimbra server) attempts TLS and the TLS handshake fails.  In the past, TLS didn't fail.  Now, TLS fails.  There's a setting in the e-mail client that allows them to use SSL instead and if they use that, everything works fine.  For some reason, they would prefer to use the IMAP connection with TLS.  I don't know why but that's what they want to do.

This is the last thing that shows up in the IMAP log on Unity Connection for a failed connection attempt:

10/04/2010 09:29:26.035 |26497,ClientSocket-39 10.0.24.181:-17988,,CuImapSvr,11,BIO_read(m_SSL_bio) returned zero.  SSL server startup failed.: [0x00000000; S_OK]|
10/04/2010 09:29:26.035 |26497,ClientSocket-39 10.0.24.181:-17988,,CuImapSvr,10,Session Run failed for client ClientSocket-39 10.0.24.181:-17988 : [0x80046B03; Uis_E_SSL_HANDSHAKE; SSL handshake error during IMAP session.]|

0 Helpful

htluo
Level 9
Level 9
In response to sdavids5670

‎10-06-2010 11:38 AM

Did you say IMAP over SSL (port 143) worked fine but IMAP over TLS (port 143) didn't work?

Again, port 143 is dedicated for IMAP over TCP (plain text).  I don't believe they can make IMAP over SSL worked over port 143.

Michael

http://htluo.blogspot.com

0 Helpful

sdavids5670
Level 2
Level 2
In response to htluo

‎10-06-2010 11:47 AM

Here's what the tech on the client-side observed:

"The problem we observed from Zimbra ZCS, and which is reproducible with the openssl tool, is that the Unity server does not respond to a login request performed over STARTTLS. Doing a simple IMAP STARTTLS test results in a hung login attempt and eventual timeout:

client: # openssl s_client -connect unityservername.domain.com:143 -starttls imap
server:
client: 0 LOGIN username password
"

So the way I interpret this (and I could be totally wrong) is that the client makes a IMAP connection over port 143 and either requests TLS or tries TLS if it is offered.  At that point, the login fails. 

The user tried a test and responded with this:

"Just did one a couple minutes ago- did SSL on 993 first w/success, then did the unencrypted one on 143 which threw the 'Generic Test Failure'"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents