tls_*_cert in 2.2.3

Ian G Batten I.G.Batten at ftel.co.uk
Wed Feb 4 06:24:21 EST 2004


I wiped out access to my Cyrus store for my father and my wife when I
went to 2.2.3.  It turned out that the problem was that when they
connected with TLS (I didn't test that, sadly) imapd immediately exited
with ``imaps: required OpenSSL options not present''.

I traced through the source to tls_enabled() in imap/tls.c, which was
returning 0.  I was successfully using split certificates for POP, IMAP
and so on under 2.1.16:

tls_imap_cert_file: /var/imap/certs/imap-cert.pem
tls_imap_key_file: /var/imap/certs/imap-private.pem
tls_pop3_cert_file: /var/imap/certs/pop-cert.pem
tls_pop3_key_file: /var/imap/certs/pop-private.pem
tls_lmtp_cert_file: disabled
tls_lmtp_key_file: disabled

In 2.2.3, doc/install-configure.html still says:

<li>Add the following to <tt>/etc/imapd.conf</tt> to tell the server
where to find the certificate and key file (used for ALL services):

<pre>tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
</pre>

Optionally, you can use separate certificates and key files for each
service:

<pre>tls_imap_cert_file: /var/imap/imap-server.pem
tls_imap_key_file: /var/imap/imap-server.pem
[...]

You in fact can't use tls_*_cert_file.  In the 2.1.16 tls.c, tls_enabled()
does:

    snprintf(buf, sizeof(buf), "tls_%s_cert_file", ident);
    val = config_getstring(buf,
                           config_getstring("tls_cert_file", NULL));
    if (!val || !strcasecmp(val, "disabled")) return 0;

and so on, and tls_init_serverengine() does:

    snprintf(buf, sizeof(buf), "tls_%s_cert_file", ident);
    s_cert_file = config_getstring(buf,
                                   config_getstring("tls_cert_file", NULL));

    snprintf(buf, sizeof(buf), "tls_%s_key_file", ident);
    s_key_file = config_getstring(buf,
                                  config_getstring("tls_key_file", NULL));

In 2.2.3, the same functions do:

    val = config_getstring(IMAPOPT_TLS_CERT_FILE);
    if (!val || !strcasecmp(val, "disabled")) return 0;

and

    s_cert_file = config_getstring(IMAPOPT_TLS_CERT_FILE);
    s_key_file = config_getstring(IMAPOPT_TLS_KEY_FILE);

lib/imapopts.c has:

  { IMAPOPT_TLS_CERT_FILE, "tls_cert_file", 0, (union config_value)((const char *) NULL), OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },

So far as I can make out this breaks the ability to have distinct keys
for distinct services on the same machine.  I've worked around it by
using the IMAP key for everything, knowing that only I used the POP3S
service and I can ignore the certificate mis-match.  I'm not sure why
the functionality has been removed, but either it should be put back in
or the documentation should be changed and something added to the change
log.

ian
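To make the regression concrete, here is an added example (not Cyrus code) that models the two tls_enabled() lookups quoted above against the imapd.conf from the post, embedded as constructed data; conf_get and the kv table are hypothetical stand-ins for Cyrus's config_getstring(), following the semantics of the quoted snippets.

```c
/* Added example, not Cyrus source: models the 2.1.16 and 2.2.3 tls_enabled()
 * lookups over the poster's imapd.conf. conf_get() and imapd_conf[] are
 * hypothetical stand-ins for config_getstring() and the parsed config. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct kv { const char *key; const char *val; };

/* Constructed copy of the 2.1.16 config: no global tls_cert_file, per-service only. */
static const struct kv imapd_conf[] = {
    { "tls_imap_cert_file", "/var/imap/certs/imap-cert.pem" },
    { "tls_imap_key_file",  "/var/imap/certs/imap-private.pem" },
    { "tls_pop3_cert_file", "/var/imap/certs/pop-cert.pem" },
    { "tls_pop3_key_file",  "/var/imap/certs/pop-private.pem" },
    { "tls_lmtp_cert_file", "disabled" },
    { "tls_lmtp_key_file",  "disabled" },
    { NULL, NULL }
};

/* Stand-in for 2.1.x config_getstring(key, default): value if set, else default. */
static const char *conf_get(const char *key, const char *dflt)
{
    for (const struct kv *p = imapd_conf; p->key; p++)
        if (strcmp(p->key, key) == 0) return p->val;
    return dflt;
}

/* 2.1.16 logic: per-service tls_<ident>_cert_file first, global tls_cert_file as fallback. */
int tls_enabled_2_1(const char *ident)
{
    char buf[64];
    snprintf(buf, sizeof(buf), "tls_%s_cert_file", ident);
    const char *val = conf_get(buf, conf_get("tls_cert_file", NULL));
    if (!val || !strcasecmp(val, "disabled")) return 0;
    return 1;
}

/* 2.2.3 logic: only the global option is consulted, so per-service entries are ignored
 * and, with no tls_cert_file set, every service reports TLS as not configured. */
int tls_enabled_2_2(const char *ident)
{
    (void)ident;
    const char *val = conf_get("tls_cert_file", NULL);
    if (!val || !strcasecmp(val, "disabled")) return 0;
    return 1;
}
```

With this config, tls_enabled_2_1("imap") returns 1 and tls_enabled_2_1("lmtp") returns 0, while tls_enabled_2_2() returns 0 for every service, which is exactly the "required OpenSSL options not present" exit described above.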