Bug 20931 – imap-2000 ssl does not log failure to find certificate

Bug 20931 - imap-2000 ssl does not log failure to find certificate

Summary:	imap-2000 ssl does not log failure to find certificate

Status:	CLOSED WONTFIX

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	imap (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Mike A. Harris
QA Contact:	Dale Lovelace
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2000-11-15 17:42 EST by j. alan eldridge
Modified:	2007-04-18 12:29 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-03-19 16:38:56 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description j. alan eldridge 2000-11-15 17:42:34 EST

if a server was running imap-4.x for imaps, then the certificate file it 
used was $path_to_certificates/stunnel.pem, since stunnel handled ssl.
in imap-2000, imapd handles ssl, and the certificate name has changed to 
$path_to_certificates/imapd.pem. however, imapd-2000 does not log an error 
condition when this file does not exist.

net effect: upgrade to imap-2000 silently breaks imaps service, and there 
are no clues in the /var/log/* to indicate what happened.

i did 'strace -f -p pid-of-xinetd' and watched the imapd process come up 
and fail; i believe this to be the only way to diagnose the failure.

for added annoyance points: the certificate path/name looked for by imapd 
is not documented.

Comment 1 Nalin Dahyabhai 2000-11-20 16:59:03 EST

The breakage happens because the SSL functionality in the web server allows it
to serve IMAP-over-SSL without use of stunnel.  The certificate needed is
/usr/share/ssl/certs/imapd.pem.  

I'll add a note to the package to that effect, though I'm puzzled that the
configuration file for the older imaps setup (which used stunnel) would have
been replaced if it was ever modified with chkconfig or ntsysv.

Comment 2 Arenas Belon, Carlo Marcelo 2000-12-19 12:17:49 EST

this wouldn't make it easier for anyone to fix the problem as the RPM is still
broken.

adding (on %files):

%ghost %config(noreplace,missingok) %{_datadir}/ssl/certs/imapd.pem
%ghost %config(noreplace,missingok) %{_datadir}/ssl/certs/ipop3d.pem

would make it easier for anyone to know which is the correct name for the
certificate that would be needed for each service.

a %post script *could* be designed to run on updates and link the current
stunnel.pem if there is any and if /etc/xined.d/{imaps,pop3s} is using stunnel,
but taking that stunnel.pem is not automatically installed and trustable on
default i think it should be better left on the admin hands.

Comment 3 Mike A. Harris 2001-06-20 08:47:04 EDT

A great number of imap issues are fixed in the pending errata release
of 2000c.  Including upgrades.  Please upgrade to it when it is released.

Realistically, imapd logging changes will have to be done upstream, so I
ask that you request this feature to the developers of UW imap at:
pine@cac.washington.edu.

Note You need to log in before you can comment on or make changes to this bug.