can anyone *confirm* TLS function in Cyrus-Imap (v2.3.7) ?

Richard openmacnews at gmail.com
Fri Aug 11 16:19:28 EDT 2006



hi mitu,

Cristi Mitrana wrote, On 8/11/06 12:52 PM:
>  Are you sure that the file above is a valid X.509 certificate and not
> its private key?

i'd actually resolved this & posted the info to the dev list -- which i
just realised is a closed archive.

so, i'll just repost to this thread for posterity ...
thanks for the reminder :-)

richard


===============================
hi,

	this is an FYI of a problem with CyrusIMAPd + OSX + OpenSSL.
	it's real & reproducible.
	it's an openssl problem, but it affects TLS w/ Cyrus.
	there's a fix.
	someone here should be aware of this.
	hth!



i've installed on OSX 10.4.7:

	cyrus-imapd-2.3.7
	OpenSSL 0.9.8b

i'm working on getting TLS installed/operational.

i've config'd imapd.conf

	tls_ca_file:     /var/MailServer/Data/CERTS/main.CA.cert.rsa.pem
	tls_cert_file:   /var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem
	tls_key_file:    /var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem

on:

	imtest -v \
	  -t "/var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
	  -p imap \
	  -m digest-md5 \
	  -a devuser.admin at mail.testdomain.com \
	  -u devuser.admin at mail.testdomain.com \
	  -r mail.testdomain.com \
	  mail.testdomain.com


i was getting repeated failures:

	S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 SASL-IR] mail.testdomain.com Cyrus IMAP4 v2.3.7 server ready
	C: C01 CAPABILITY
	S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
	S: C01 OK Completed
	C: S01 STARTTLS
	S: S01 OK Begin TLS negotiation now
	starting TLS engine
	unable to get certificate from '/var/MailServer/Data/CERTS/mail.testdomain.com.CYRUSkey.rsa.pem'
	TLS engine: cannot load cert/key data
	Start TLS engine failed
	Asking for capabilities again since they might have changed
	C: C01 CAPABILITY
	S: S01 NO Starttls negotiation failed
	S: * BAD Invalid tag


on check of cert installation:

	openssl s_client -connect mail.testdomain.com:993 -showcerts

i noted:

	16458:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): dlopen(libz.so, 2): image not found
	16458:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
	CONNECTED(00000003)
	...


after digging, i was able to identify/reproduce re: "dso_lib.c":


	openssl engine gmp
		16515:error:2506406A:DSO support routines:DLFCN_BIND_FUNC:could not bind to the requested symbol name:dso_dlfcn.c:261:symname(bind_engine): dlsym(0x200e40, bind_engine): symbol not found
		16515:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
		16515:error:260B6068:engine routines:DYNAMIC_LOAD:DSO failure:eng_dyn.c:463:
		16515:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:415:id=gmp


it turns out that openssl's gmp engine wants to bind, incorrectly,
against libz.so.

as my openssl is config'd w/:

# DO NOT USE zlib-dynamic \
# causes dynamic library loading issues with gmp engine ...

	./Configure \
	  --prefix=/usr/local/ssl \
	  --openssldir=/usr/local/ssl \
	  darwin-ppc-cc \
	  -DUSE_TOD \
	  threads \
	  shared \
-->	  zlib-dynamic \
	  enable-idea enable-rc5 enable-mdc2 \
	  -L/usr/local/lib \
	  -DOPENSSL_USE_GMP -lgmp

and:

	zlib-dynamic
		Like "zlib", but has OpenSSL load the zlib library
		dynamically when needed.  This is only supported on
		systems where loading of shared libraries is supported.
		This is the default choice.

and, since dynamic loading of shared libs is certainly supported on OSX, the
openssl build *should* be linking against "libz.dylib":

	ls -al /usr/local/lib/libz*
		-rwxr-xr-x 1 dev wheel 84808 Mar  7 20:23 /usr/local/lib/libz.1.2.3.dylib
		lrwxrwxrwx 1 dev wheel    16 Jun 22 18:13 /usr/local/lib/libz.1.dylib -> libz.1.2.3.dylib
		-rw-r--r-- 1 dev wheel 93720 Mar  7 20:23 /usr/local/lib/libz.a
		lrwxrwxrwx 1 dev wheel    16 Jun 22 18:13 /usr/local/lib/libz.dylib -> libz.1.2.3.dylib

this issue *has* been communicated to the openssl-dev list (still
pending a fix ...)

in the meantime, the "workaround" for Cyrus/TLS is to build openssl w/:

		./Configure \
		...
	---	  zlib-dynamic \
	+++	  zlib \
		...

instead.

  ( NOTE:  for other unrelated reasons, you may need to simply forego
"zlib" altogether, and link in -lz with LDFLAGS ...)

once done, retrying, as above:

	imtest -v \
	...

reports success as:

	S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED] mail.testdomain.com Cyrus IMAP4 v2.3.7 server ready
	C: C01 CAPABILITY
	S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
	S: C01 OK Completed
	C: S01 STARTTLS
	S: S01 OK Begin TLS negotiation now
	verify error:num=19:self signed certificate in certificate chain
	TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
	C: C01 CAPABILITY
	S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
	S: C01 OK Completed
	C: A01 AUTHENTICATE DIGEST-MD5
	...


and, as well:

	openssl s_client -connect mail.testdomain.com:993 -showcerts

reports w/o error:

	CONNECTED(00000003)
	...



Bottom Line:

	(1) openssl is broken.  it's been reported.
	(2) this is a Mac-only issue.
	(3) this gmp-related failure manifests w/ Cyrus+TLS, and nowhere else;
	    so far all other apps haven't had any issue with TLS certs built
	    with this 'broken' openssl


i honestly don't know why this "only" shows up in Cyrus.  is it a bug in
cyrus as well? or just in openssl?

either way, there's a workaround ... but, imho, this is worthy of
someone's nominal notice here.

cheers,

richard
===============================

--

/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB  D460 95F7 DDBD 3671 08C6
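The reply above asks whether the file named in tls_cert_file is really a certificate rather than its private key, and the first imtest transcript fails with "unable to get certificate from" the CYRUSkey file. The following pre-flight check is an added example, not Cyrus or OpenSSL code: it reads the tls_ca_file / tls_cert_file / tls_key_file entries from imapd.conf-style text and verifies that each named file contains a PEM block of the expected kind, so a cert option that points at a key file is flagged before imtest or s_client is run. File contents are supplied as an in-memory dict of constructed dummy PEM blocks (paths and bodies are invented, not the post's) so that it runs offline; for a real check, read the files from disk. It classifies PEM labels only and does not validate the certificate itself.

```python
"""Check that Cyrus tls_*_file options point at the right kind of PEM file.

Added example (not Cyrus or OpenSSL code). Labels only: a file is judged by
the BEGIN/END markers of the PEM blocks it contains, which is enough to catch
a tls_cert_file that actually names a private key.
"""
import re

# One PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# PEM block labels each Cyrus TLS option is expected to contain.
EXPECTED = {
    "tls_ca_file": {"CERTIFICATE"},
    "tls_cert_file": {"CERTIFICATE"},
    "tls_key_file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def pem_labels(text):
    """Return the labels of the PEM blocks found in `text`, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def parse_tls_options(conf):
    """Extract tls_*_file options from imapd.conf text.

    Accepts both 'key: value' on one line and the wrapped form where the
    value sits alone on the following line (as in the post's transcript).
    """
    opts = {}
    pending = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if pending is not None:          # value for the previous bare key
            opts[pending] = line
            pending = None
            continue
        m = re.match(r"(tls_(?:ca|cert|key)_file):\s*(.*)", line)
        if m:
            key, value = m.groups()
            if value:
                opts[key] = value
            else:
                pending = key
    return opts


def check_tls_config(conf, files):
    """Return a list of problem strings; an empty list means all files look right.

    `files` maps a path to that file's contents (read from disk in real use).
    """
    problems = []
    for opt, path in parse_tls_options(conf).items():
        if path not in files:
            problems.append(f"{opt}: {path} not found")
            continue
        labels = pem_labels(files[path])
        want = EXPECTED[opt]
        if not any(label in want for label in labels):
            found = ", ".join(labels) or "no PEM blocks"
            problems.append(f"{opt}: {path} contains {found}, "
                            f"expected one of {sorted(want)}")
    return problems


# Constructed sample files: invented paths, dummy bodies, not real key material.
SAMPLE_FILES = {
    "/certs/mail.example.CYRUSkey.rsa.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummykeybody\n-----END RSA PRIVATE KEY-----\n",
    "/certs/mail.example.CYRUScert.rsa.pem":
        "-----BEGIN CERTIFICATE-----\nMIIBdummycertbody\n-----END CERTIFICATE-----\n",
    "/certs/main.CA.cert.rsa.pem":
        "-----BEGIN CERTIFICATE-----\nMIIBdummycabody\n-----END CERTIFICATE-----\n",
}

# Constructed config in the shape the reply questions: tls_cert_file and
# tls_key_file both name the same *key* file.
QUESTIONED_CONF = """\
tls_ca_file:     /certs/main.CA.cert.rsa.pem
tls_cert_file:
/certs/mail.example.CYRUSkey.rsa.pem
tls_key_file:
/certs/mail.example.CYRUSkey.rsa.pem
"""

# Constructed config with a separate certificate file for tls_cert_file.
CORRECTED_CONF = """\
tls_ca_file:   /certs/main.CA.cert.rsa.pem
tls_cert_file: /certs/mail.example.CYRUScert.rsa.pem
tls_key_file:  /certs/mail.example.CYRUSkey.rsa.pem
"""

if __name__ == "__main__":
    for name, conf in (("questioned", QUESTIONED_CONF), ("corrected", CORRECTED_CONF)):
        problems = check_tls_config(conf, SAMPLE_FILES)
        print(f"{name}: {problems or 'OK'}")
```

On a real host, load each path with `open(path).read()` into the dict before calling check_tls_config. Once the labels are right, the standard OpenSSL commands `openssl x509 -in CERT -noout -modulus` and `openssl rsa -in KEY -noout -modulus` (same output for a matching RSA pair) confirm that the certificate and key actually belong together, which the label check alone cannot tell you.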


More information about the Info-cyrus mailing list