confusion about setting up certificates
Craig White
craigwhite at azapple.com
Thu Mar 17 16:42:40 EST 2005
On Thu, 2005-03-17 at 14:36 -0600, Jim Miller wrote:
> Hi everyone,
>
> My apologies if this rambles on a bit but I'm very frustrated and can't seem
> to figure out what I'm missing. I've set up cyrus-imap 2.2.10 to use openssl
> certificates, users can connect and get mail just fine until I set
> tls_require_certs: true -- When I do this Outlook users can no longer
> connect but Thunderbird users can.
>
> I would greatly appreciate any suggestions.
>
> Here's the process I followed to set up my certificates -- I didn't
> do -nodes:
> openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
> openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
> -out tempreq.pem -outform PEM
> openssl rsa < tempkey.pem > cyrus_key.pem
> openssl ca -in tempreq.pem -out cyrus_crt.pem
>
> cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem
>
> Set this in imapd.conf
> tls_ca_file: /var/lib/cyrus/cyrus.pem
> tls_cert_file: /var/lib/cyrus/cyrus.pem
> tls_key_file: /var/lib/cyrus/cyrus.pem
>
>
> I then distribute the cacert.pem as mailserver.crt and users import it into
> IE/Thunderbird w/out problem.
>
> Next I created a .p12 file from the cyrus_crt.pem for import into
> IE/Thunderbird again w/out problems. Here's the process that I use to
> generate it.
> openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
> -name "result of - openssl x509 -noout -in cyrus_crt.pem -subject | sed -e
> 's;.*CN=;;' -e 's;/Em.*;;'" \
> -caname "result of - openssl x509 -noout -in cacert.pem -subject | sed -e
> 's;.*CN=;;' -e 's;/Em.*;;'" \
> -out mailserver.p12
>
> Here's the output from SSLDUMP for Outlook
> New TCP connection #4:
> 4 1 0.0006 (0.0006) C>S SSLv2 compatible client hello
> Version 3.1
> cipher suites
> TLS_RSA_WITH_RC4_128_MD5
> TLS_RSA_WITH_RC4_128_SHA
> TLS_RSA_WITH_3DES_EDE_CBC_SHA
> SSL2_CK_RC4
> SSL2_CK_3DES
> SSL2_CK_RC2
> TLS_RSA_WITH_DES_CBC_SHA
> SSL2_CK_DES
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> TLS_RSA_EXPORT_WITH_RC4_40_MD5
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> SSL2_CK_RC4_EXPORT40
> SSL2_CK_RC2_EXPORT40
> 4 2 0.3764 (0.3757) S>C Handshake
> ServerHello
> Version 3.1
> session_id[32]=
> xx 44 xx b4 xx 11 xx ee xx 7b xx a2 xx f7 xx f3
> 5c xx da xx a3 xx 21 xx 6a xx 25 xx 62 xx 9a xx
> cipherSuite TLS_RSA_WITH_RC4_128_MD5
> compressionMethod NULL
> 4 3 0.3765 (0.0000) S>C Handshake
> Certificate
> 4 4 0.3765 (0.0000) S>C Handshake
> CertificateRequest
> certificate_types rsa_sign
> certificate_types dss_sign
> certificate_authority
> LINES removed
> 53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
> 63 73 2e 63 6f 6d
> ServerHelloDone
> 4 5 0.3794 (0.0029) C>S Handshake
> Certificate
> ClientKeyExchange
> 4 6 0.3794 (0.0000) C>S ChangeCipherSpec
> 4 7 0.3794 (0.0000) C>S Handshake
> 4 8 0.3798 (0.0004) S>C Alert
> level fatal
> value handshake_failure
> 4 0.3802 (0.0004) C>S TCP FIN
>
>
>
> Here's the output for Thunderbird w/SSLDUMP:
> New TCP connection #1:
> 1 1 0.0008 (0.0008) C>S SSLv2 compatible client hello
> Version 3.1
> cipher suites
> SSL2_CK_RC4
> SSL2_CK_RC2
> SSL2_CK_3DES
> SSL2_CK_DES
> SSL2_CK_RC4_EXPORT40
> SSL2_CK_RC2_EXPORT40
> Unknown value 0x39
> Unknown value 0x38
> Unknown value 0x35
> Unknown value 0x33
> Unknown value 0x32
> TLS_RSA_WITH_RC4_128_MD5
> TLS_RSA_WITH_RC4_128_SHA
> Unknown value 0x2f
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> Unknown value 0xfeff
> TLS_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_DHE_RSA_WITH_DES_CBC_SHA
> TLS_DHE_DSS_WITH_DES_CBC_SHA
> Unknown value 0xfefe
> TLS_RSA_WITH_DES_CBC_SHA
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> TLS_RSA_EXPORT_WITH_RC4_40_MD5
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> 1 2 0.0053 (0.0045) S>C Handshake
> ServerHello
> Version 3.1
> session_id[32]=
> xx 74 xx 33 xx cc xx 49 xx 3e xx c0 bd xx 0b xx
> a8 xx 5f xx 7d xx b1 xx 79 be 3b xx 2a 69 f0 9d
> cipherSuite TLS_RSA_WITH_RC4_128_MD5
> compressionMethod NULL
> 1 3 0.0054 (0.0000) S>C Handshake
> Certificate
> 1 4 0.0054 (0.0000) S>C Handshake
> CertificateRequest
> certificate_types rsa_sign
> certificate_types dss_sign
> certificate_authority
> LINES removed
> 53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
> 63 73 2e 63 6f 6d
> ServerHelloDone
> 1 5 0.1347 (0.1293) C>S Handshake
> Certificate
> ClientKeyExchange
> CertificateVerify
> Signature[256]=
> LINES removed
> 53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
> 63 73 2e 63 6f 6d
> 1 6 0.1347 (0.0000) C>S ChangeCipherSpec
> 1 7 0.1347 (0.0000) C>S Handshake
> 1 8 0.1563 (0.0215) S>C ChangeCipherSpec
> 1 9 0.1563 (0.0000) S>C Handshake
> 1 10 0.3315 (0.1752) S>C application_data
> 1 11 0.4106 (0.0790) C>S application_data
> 1 12 0.4108 (0.0002) S>C application_data
-----
not arguing with anything that you've done but this is how I've gone
about it...
openssl genrsa -des3 -out ca.key 2048
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
-days 3650 -key ca.key -out ca.cert
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes \
-out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem \
-days 3650
openssl gendh 512 >> /etc/ssl/cyrus-global.pem
openssl x509 -in /etc/ssl/cyrus-global.pem -out /etc/ssl/cacert.crt
Then I copy cacert.crt to a web server and let users 'INSTALL
CERTIFICATE' from this file (cacert.crt).
and then in imapd.conf
tls_cert_file: /etc/ssl/cyrus-global.pem
tls_key_file: /etc/ssl/cyrus-global.pem
tls_ca_file: /etc/ssl/ca.cert
I haven't a clue really what I am doing but it seems to work. The only
problem is that entries in subjectAltName don't seem to work for
Outlook clients. I probably need to generate specific certs for each cn
but haven't gotten around to that yet. YMMV
ps - I used this info...
<http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/SSL-Certificates-HOWTO>
Craig
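As an added example (not Craig's or Jim's commands, and not anything shipped with Cyrus), the same kind of setup as a script that also runs the two checks worth doing before tls_require_certs goes on: each certificate is verified against the CA, and the client certificate's issuer is compared with the CA subject, because that subject is the name the server lists in CertificateRequest and a client only offers a certificate issued by one of the listed names. It signs with openssl x509 -req instead of openssl ca, and keeps the CA certificate separate from the server's key/cert bundle as in Craig's imapd.conf. The work directory, host name, user name and export password are assumed.

```shell
#!/bin/sh
# Added example: private CA, server certificate and client certificate with the
# checks that matter before turning on tls_require_certs. All names are assumed.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_SUBJ="/CN=Example Mail CA"        # assumed CA name; this is what the server advertises
SERVER_SUBJ="/CN=imap.example.com"   # assumed IMAP host name
CLIENT_SUBJ="/CN=alice@example.com"  # assumed user identity

# Self-signed CA; the key is written unencrypted (-nodes), so keep the directory private.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME SUBJECT: key + CSR, then a certificate signed by the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# Same chain check the server performs against tls_ca_file.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}

# In CertificateRequest the server lists its CA subjects; a client only offers a
# certificate whose issuer is one of them, so compare the two names up front.
issuer_matches_ca() {
    ca_subject=$(openssl x509 -noout -subject -in "$WORK/ca.crt" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$WORK/$1.crt" | sed 's/^issuer= *//')
    [ "$ca_subject" = "$issuer" ]
}

# Server side: key and certificate in one file for tls_cert_file/tls_key_file,
# the CA certificate kept separate for tls_ca_file.
build_server_bundle() {
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/cyrus.pem"
    chmod 600 "$WORK/cyrus.pem"
}

# Client side: PKCS#12 with the CA chained in, so the mail client imports both.
build_client_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -name "${CLIENT_SUBJ#/CN=}" -passout pass:changeit \
        -out "$WORK/client.p12"
}

make_ca
issue_cert server "$SERVER_SUBJ"
issue_cert client "$CLIENT_SUBJ"
verify_chain server && verify_chain client && issuer_matches_ca client \
    && build_server_bundle && build_client_p12 && echo "certificates written to $WORK"
```

If issuer_matches_ca fails for a client certificate, no amount of importing it into the mail client will help: the server never lists that issuer, so the client sends an empty Certificate message and a server that requires certificates drops the connection.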
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
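The two ssldump traces in the quoted post differ in one handshake message: Thunderbird's client Certificate is followed by CertificateVerify, Outlook's is not, and the server then answers with a fatal handshake_failure. In TLS 1.0 (RFC 2246) CertificateVerify is sent only after a client certificate the client can sign with, so a Certificate message without it is an empty certificate list, which is what a client sends when none of its certificates was issued by a CA named in CertificateRequest; a server that requires client certificates rejects that. As an added example (not code from the thread or from Cyrus), this Python script parses ssldump output, decodes the certificate_authority names the server advertised, and classifies each connection by that pattern. The embedded trace is constructed, trimmed from the two dumps above, with a made-up CA name (CN=Example CA) and one byte masked as "xx" the way the poster did.

```python
"""Classify TLS client-certificate handshakes from ssldump text output (added example)."""
import re
from collections import defaultdict
from itertools import takewhile

# ssldump record header "<conn> [<rec>] <time> (<delta>) <dir> <summary>"; <rec> is absent on TCP FIN
RECORD_RE = re.compile(r"^(?P<conn>\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+(?P<dir>C>S|S>C)\s+(?P<summary>.*)$")
HEX_LINE_RE = re.compile(r"^(?:[0-9a-f]{2}|xx)(?:\s+(?:[0-9a-f]{2}|xx))*$")
HANDSHAKE_MSGS = {"ServerHello", "Certificate", "CertificateRequest", "ServerHelloDone",
                  "ClientKeyExchange", "CertificateVerify"}

def parse_ssldump(text):
    """Group records per TCP connection: {conn: [(direction, summary, [detail lines])]}."""
    conns, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("New TCP connection"):
            continue
        m = RECORD_RE.match(line)
        if m:
            current = (m.group("dir"), m.group("summary"), [])
            conns[int(m.group("conn"))].append(current)
        elif current is not None:
            current[2].append(line)  # detail line belongs to the preceding record
    return dict(conns)

def decode_hex(lines):
    """Render ssldump hex bytes as text; bytes the poster masked as 'xx' become '?'."""
    out = []
    for tok in " ".join(lines).split():
        b = None if tok == "xx" else int(tok, 16)
        out.append("?" if b is None else chr(b) if 32 <= b < 127 else ".")
    return "".join(out)

def requested_ca_names(records):
    """CA names advertised in CertificateRequest (DER tag/length bytes render as '.');
    the printable part is the issuer name a client certificate must carry to be offered."""
    names = []
    for direction, summary, body in records:
        if direction == "S>C" and summary == "Handshake" and "CertificateRequest" in body:
            for i, line in enumerate(body):
                if line == "certificate_authority":
                    hex_lines = list(takewhile(HEX_LINE_RE.match, body[i + 1:]))
                    if hex_lines:
                        names.append(decode_hex(hex_lines))
    return names

def diagnose(records):
    """Decide why client authentication on one connection succeeded or failed."""
    def msgs(direction):
        return [l for d, s, body in records if d == direction and s == "Handshake"
                for l in body if l in HANDSHAKE_MSGS]
    server_msgs, client_msgs = msgs("S>C"), msgs("C>S")
    result = {
        "server_requested_cert": "CertificateRequest" in server_msgs,
        "client_sent_certificate": "Certificate" in client_msgs,
        "client_sent_certificate_verify": "CertificateVerify" in client_msgs,
        "server_handshake_failure": any(d == "S>C" and s == "Alert" and "value handshake_failure" in body
                                        for d, s, body in records),
    }
    if not result["server_requested_cert"]:
        result["verdict"] = "server did not request a client certificate"
    elif result["client_sent_certificate"] and not result["client_sent_certificate_verify"]:
        # TLS 1.0 (RFC 2246): CertificateVerify follows only a client certificate the client
        # can sign with, so Certificate without it is an empty certificate list; a server
        # that requires client certificates then aborts with handshake_failure.
        result["verdict"] = "client sent an empty Certificate message: no usable certificate for the advertised CA names"
    elif result["client_sent_certificate_verify"] and not result["server_handshake_failure"]:
        result["verdict"] = "client authenticated with a signing certificate"
    else:
        result["verdict"] = "undetermined"
    return result

# Constructed sample, trimmed from the two dumps in the thread; the CA name is the DER
# encoding of CN=Example CA with one byte masked as "xx", as the poster did.
SAMPLE_TRACE = """\
4 4 0.3765 (0.0000) S>C Handshake
CertificateRequest
certificate_authority
30 15 31 13 30 11 06 03 55 04 03 13 0a 45 78 xx
6d 70 6c 65 20 43 41
ServerHelloDone
4 5 0.3794 (0.0029) C>S Handshake
Certificate
ClientKeyExchange
4 8 0.3798 (0.0004) S>C Alert
level fatal
value handshake_failure
4 0.3802 (0.0004) C>S TCP FIN
1 4 0.0054 (0.0000) S>C Handshake
CertificateRequest
certificate_authority
30 15 31 13 30 11 06 03 55 04 03 13 0a 45 78 xx
6d 70 6c 65 20 43 41
ServerHelloDone
1 5 0.1347 (0.1293) C>S Handshake
Certificate
ClientKeyExchange
CertificateVerify
1 10 0.3315 (0.1752) S>C application_data
"""
if __name__ == "__main__":
    for conn, records in parse_ssldump(SAMPLE_TRACE).items():
        print(conn, requested_ca_names(records), diagnose(records)["verdict"])
```

Feeding it a real capture (ssldump -a -d on the IMAP port, saved to a file) gives the same classification per connection; the decoded certificate_authority string is the name to compare with the issuer of the certificate installed in the mail client, and that name comes from the server's CA file (tls_ca_file in imapd.conf), which is why a client certificate issued by some other CA is never offered.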