After client authenticated STARTTLS, no EXTERNAL?

Simon Josefsson jas at extundo.com
Thu May 27 04:38:05 EDT 2004


Hello.  Is it possible to get client authenticated STARTTLS working
with Cyrus IMAPD, without a password login?

I'm assuming EXTERNAL would be used for this, so here is what I put in
imapd.conf:

sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5 EXTERNAL

However, even after successful client auth STARTTLS, the EXTERNAL
mechanism is not available.  Any ideas?

Thanks,
Simon

May 27 10:35:35 yxa-iv cyrus/imap[26577]: executed
May 27 10:35:35 yxa-iv cyrus/imapd[26577]: accepted connection
May 27 10:35:45 yxa-iv cyrus/imapd[26577]: Doing a peer verify
May 27 10:35:45 yxa-iv cyrus/imapd[26577]: Doing a peer verify
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: mystore: starting txn 2147485235
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: mystore: committing txn 2147485235
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: received client certificate
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: subject=/C=SE/ST=Stockholm/L=:Stockholm/O=YXA/OU=Simon Josefsson/CN=jas/emailAddress=simon at josefsson.org
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) authenticated as jas

jas at latte:~$ /usr/bin/gnutls-cli -s -p 143 yxa.extundo.com --x509cafile cacert.pem --x509keyfile jas-key.pem --x509certfile jas-cert.pem
Processed 1 CA certificate(s).
Resolving 'yxa.extundo.com'...
Connecting to '217.13.230.178:143'...
 
- Simple Client Mode:
 
* OK yxa-iv Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
. capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
. OK Completed
. starttls
. OK Begin TLS negotiation now
*** Starting TLS handshake
- Server's trusted authorities:
   [0]: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,EMAIL=staff at yxa.extundo.com
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 
 - Certificate[0] info:
 # The hostname in the certificate matches 'yxa.extundo.com'.
 # valid since: Sun May 23 22:40:00 CEST 2004
 # expires at: Sun Jul 23 22:40:00 CEST 2023
 # serial number: 03
 # fingerprint: cc 42 11 fd 80 da 1f 56 db dc 90 1b 42 c2 aa 8c
 # version: #1
 # public key algorithm: RSA
 #   Modulus: 1024 bits
 # Subject's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=Mail server,CN=yxa.extundo.com,EMAIL=staff at yxa.extundo.com
 # Issuer's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,EMAIL=staff at yxa.extundo.com
 
 - Certificate[1] info:
 # valid since: Sun May 23 11:35:00 CEST 2004
 # expires at: Sun Jul 23 11:35:00 CEST 2023
 # serial number: 00
 # fingerprint: fc 76 d8 63 1a c9 0b 3b fa 40 fe ed 47 7a 58 ae
 # version: #3
 # public key algorithm: RSA
 #   Modulus: 1024 bits
 # Subject's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,EMAIL=staff at yxa.extundo.com
 # Issuer's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,EMAIL=staff at yxa.extundo.com
 
 
- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: SHA
- Compression: NULL
. capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
. OK Completed
. authenticate EXTERNAL
. NO no mechanism available
. logout
* BYE LOGOUT received
. OK Completed
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
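The session above shows the diagnostic step a practitioner wants to automate: compare the AUTH= mechanisms the server advertises before and after STARTTLS against what imapd.conf configures, so a configured-but-missing mechanism (here EXTERNAL) is reported rather than discovered by hand. The following is an added example and is not code from the post or from Cyrus IMAPD; it embeds the two CAPABILITY lines and the sasl_mech_list line exactly as quoted above, and the live_check() helper (which uses Python's standard imaplib and ssl modules) takes hostname and certificate paths as caller-supplied placeholders and is not exercised offline.

```python
"""Diagnose SASL mechanisms advertised before/after STARTTLS vs. imapd.conf.

Added example, not code from the original post or from Cyrus IMAPD.
The CAPABILITY and sasl_mech_list lines below are transcribed from the post.
"""
import imaplib
import ssl

# Transcribed from the post: untagged CAPABILITY responses before and after STARTTLS.
CAP_BEFORE_STARTTLS = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE "
    "UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE"
)
CAP_AFTER_STARTTLS = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE "
    "UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=PLAIN AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE"
)
# Transcribed from the post: the poster's imapd.conf line.
CONF_MECH_LIST = "sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5 EXTERNAL"


def parse_capability(line):
    """Return (capability set, AUTH= mechanism set) from a CAPABILITY line.

    Accepts either a full untagged response ("* CAPABILITY ...") or the bare
    token list that imaplib's capability() returns.
    """
    tokens = line.strip().split()
    if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "CAPABILITY":
        tokens = tokens[2:]
    caps = {t.upper() for t in tokens}
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    return caps, mechs


def parse_mech_list(conf_line):
    """Return the mechanism set from an imapd.conf 'sasl_mech_list:' line."""
    key, sep, value = conf_line.partition(":")
    if not sep or key.strip() != "sasl_mech_list":
        raise ValueError("not a sasl_mech_list line: %r" % conf_line)
    return {m.upper() for m in value.split()}


def diagnose(before_line, after_line, conf_line):
    """Compare advertised mechanisms before/after STARTTLS with the configured list."""
    caps_before, mechs_before = parse_capability(before_line)
    caps_after, mechs_after = parse_capability(after_line)
    configured = parse_mech_list(conf_line)
    return {
        # STARTTLS should be offered on the cleartext connection and gone afterwards.
        "starttls_offered": "STARTTLS" in caps_before,
        "starttls_still_offered": "STARTTLS" in caps_after,
        "mechs_before": mechs_before,
        "mechs_after": mechs_after,
        # Mechanisms withheld until the channel is encrypted (PLAIN, in the post).
        "mechs_only_after_tls": mechs_after - mechs_before,
        # Configured in imapd.conf but never advertised, even under TLS.
        "configured_but_not_advertised": configured - mechs_after,
        "external_after_tls": "EXTERNAL" in mechs_after,
    }


def live_check(host, port, cafile, certfile, keyfile):
    """Fetch capabilities, STARTTLS with a client certificate, fetch them again.

    host/port and the three PEM paths are placeholders supplied by the caller;
    this function is not run offline. Returns the two raw capability strings.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)  # present the client certificate
    conn = imaplib.IMAP4(host, port)
    before = conn.capability()[1][0].decode()
    conn.starttls(ssl_context=ctx)
    after = conn.capability()[1][0].decode()
    conn.logout()
    return before, after


if __name__ == "__main__":
    report = diagnose(CAP_BEFORE_STARTTLS, CAP_AFTER_STARTTLS, CONF_MECH_LIST)
    for key in sorted(report):
        print("%-32s %s" % (key, report[key]))
```

Run offline, the report shows that PLAIN is only offered once TLS is up (the server is correctly withholding a cleartext-password mechanism on the unencrypted connection), that STARTTLS disappears from the post-handshake capability list as expected, and that EXTERNAL is the one configured mechanism the server never advertises, which is exactly the mismatch the post asks about. To repeat the check against a real server, pass live_check()'s two return values into diagnose() together with your own sasl_mech_list line.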

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html