confusion about setting up certificates

Jim Miller jimm at simutronics.com
Thu Mar 17 15:36:44 EST 2005


Hi everyone,

My apologies if this rambles on a bit but I'm very frustrated and can't seem
to figure out what I'm missing.  I've set up cyrus-imap 2.2.10 to use openssl
certificates, users can connect and get mail just fine until I set
tls_require_certs: true -- When I do this Outlook users can no longer
connect but Thunderbird users can.

I would greatly appreciate any suggestions.

Here's the process I followed to set up my certificates -- I didn't
do -nodes:
# self-signed CA certificate (no -keyout, so the CA key lands in the config's default_keyfile)
openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
# server key and certificate request
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
		-out tempreq.pem -outform PEM
# strip the passphrase so the daemon can read the key unattended
openssl rsa < tempkey.pem > cyrus_key.pem
# sign the request with the CA
openssl ca -in tempreq.pem -out cyrus_crt.pem

cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem

Set this in imapd.conf
tls_ca_file: /var/lib/cyrus/cyrus.pem
tls_cert_file: /var/lib/cyrus/cyrus.pem
tls_key_file: /var/lib/cyrus/cyrus.pem


I then distribute the cacert.pem as mailserver.crt and users import it into
IE/Thunderbird w/out problem.

Next I created a .p12 file from the cyrus_crt.pem for import into
IE/Thunderbird again w/out problems.  Here's the process that I use to
generate it.
# friendly names are the CN of the server cert and of the CA cert
openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
    -name "$(openssl x509 -noout -in cyrus_crt.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
    -caname "$(openssl x509 -noout -in cacert.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
    -out mailserver.p12

Here's the output from SSLDUMP for Outlook
New TCP connection #4:
4 1  0.0006 (0.0006)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_RC4
  SSL2_CK_3DES
  SSL2_CK_RC2
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
4 2  0.3764 (0.3757)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          xx 44 xx b4 xx 11 xx ee xx 7b xx a2 xx f7 xx f3
          5c xx da xx a3 xx 21 xx 6a xx 25 xx 62 xx 9a xx
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
4 3  0.3765 (0.0000)  S>C  Handshake
      Certificate
4 4  0.3765 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
        certificate_authority
		LINES removed
          53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
          63 73 2e 63 6f 6d
      ServerHelloDone
4 5  0.3794 (0.0029)  C>S  Handshake
      Certificate
      ClientKeyExchange
4 6  0.3794 (0.0000)  C>S  ChangeCipherSpec
4 7  0.3794 (0.0000)  C>S  Handshake
4 8  0.3798 (0.0004)  S>C  Alert
    level           fatal
    value           handshake_failure
4    0.3802 (0.0004)  C>S  TCP FIN



Here's the output for Thunderbird w/SSLDUMP:
New TCP connection #1:
1 1  0.0008 (0.0008)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_RC2
  SSL2_CK_3DES
  SSL2_CK_DES
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  Unknown value 0x33
  Unknown value 0x32
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  Unknown value 0x2f
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2  0.0053 (0.0045)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          xx 74 xx 33 xx cc xx 49 xx 3e xx c0 bd xx 0b xx
          a8 xx 5f xx 7d xx b1 xx 79 be 3b xx 2a 69 f0 9d
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
1 3  0.0054 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0054 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
        certificate_authority
		LINES removed
          53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
          63 73 2e 63 6f 6d
      ServerHelloDone
1 5  0.1347 (0.1293)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
        Signature[256]=
		LINES removed
          53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
          63 73 2e 63 6f 6d
1 6  0.1347 (0.0000)  C>S  ChangeCipherSpec
1 7  0.1347 (0.0000)  C>S  Handshake
1 8  0.1563 (0.0215)  S>C  ChangeCipherSpec
1 9  0.1563 (0.0000)  S>C  Handshake
1 10 0.3315 (0.1752)  S>C  application_data
1 11 0.4106 (0.0790)  C>S  application_data
1 12 0.4108 (0.0002)  S>C  application_data




Thanks,
Jim

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
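An added diagnostic, not part of Jim's post or of Cyrus: a small Python checker that walks ssldump-style transcripts like the two above and reports whether the client answered the server's CertificateRequest with a CertificateVerify (which TLS sends only after a non-empty, signing-capable client Certificate) or whether the server answered with a fatal alert. The two traces are constructed, abbreviated versions of the captures in the post.

```python
import re
RECORD = re.compile(r"^\d+ +\d+ +[\d.]+ +\([\d.]+\) +(C>S|S>C) +(\S.*)$")
DETAIL = re.compile(r"^ +(?:value +)?([A-Za-z_]+) *$")  # handshake message name or alert value

# Constructed, abbreviated traces modelled on the two ssldump captures in the post
# (client hello, cipher lists and hex dumps left out; only the message sequence matters).
OUTLOOK = """\
4 4  0.3765 (0.0000)  S>C  Handshake
      CertificateRequest
4 5  0.3794 (0.0029)  C>S  Handshake
      Certificate
      ClientKeyExchange
4 8  0.3798 (0.0004)  S>C  Alert
    level           fatal
    value           handshake_failure
"""
THUNDERBIRD = """\
1 4  0.0054 (0.0000)  S>C  Handshake
      CertificateRequest
1 5  0.1347 (0.1293)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
1 10 0.3315 (0.1752)  S>C  application_data
"""

def parse(text):
    """Group an ssldump transcript into (direction, record type, detail names) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append((m.group(1), m.group(2).strip(), []))
        elif records and (d := DETAIL.match(line)):
            records[-1][2].append(d.group(1))
    return records

def diagnose(text):
    """Report whether the client proved possession of the certificate the server asked for."""
    recs = parse(text)
    names = lambda d, t: [n for rd, rt, ns in recs if (rd, rt) == (d, t) for n in ns]
    alerts = names("S>C", "Alert")
    v = {"cert_requested": "CertificateRequest" in names("S>C", "Handshake"),
         "client_cert_verify": "CertificateVerify" in names("C>S", "Handshake"),
         "fatal_alert": alerts[-1] if alerts else None,
         "app_data": any(t == "application_data" for _, t, _ in recs)}
    # TLS sends CertificateVerify only after a non-empty, signing-capable client Certificate;
    # without it a server that requires client certs has no proof of possession and aborts.
    v["client_authenticated"] = v["cert_requested"] and v["client_cert_verify"]
    return v
```

Run `diagnose(OUTLOOK)` and `diagnose(THUNDERBIRD)` to compare the two sessions: the first shows a CertificateRequest answered without CertificateVerify and a handshake_failure alert, the second a completed handshake followed by application data.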