tls_ca_path and tls_ca_file

Andreas Benzing mail at andreas-benzing.de
Wed Oct 11 05:41:45 EDT 2006


Hello Goetz,

Goetz Babin-Ebell wrote:
> Andreas Benzing schrieb:
>> Hello once more,
> Hello Andreas,
> 
>> Goetz Babin-Ebell wrote:
>>> Andreas Benzing schrieb:
>>>
>>> the tls_ca_path directory is used in certificate verification:
>>> a checksum is calculated from the issuer DN of the cert to verify,
>>> and this 32 bit value is used as a file name in tls_ca_path to load
>>> the CA certificate.
>> Now this and the hint with c_rehash makes things clearer. I didn't know
>> that cyrus is only looking for specific filenames. So it works now =)
> 
> the 32 Bit hash is the only way to determine the file name
> from the subject / issuer DN...
> 
>> Which takes me to the next question that may be in the wrong place here:
>> I only came to this problem because when connecting with thunderbird
>> there was an error establishing an encrypted connection. After
>> investigating the logfiles I found that the server could not verify a
>> cert I wanted to use with thunderbird to sign messages.
>> Now the question is: Why did thunderbird try to authenticate with the
>> cert when my server (with the old config) did not have any CA certs at all?
> 
> Accepting client authentication without providing the list of
> acceptable CA certificates is a misconfiguration that is not
> common but happens.
> 
> My knowledge of the TLS specification is not that deep to know
> how the client and server SHOULD act in this situation,
> but some clients pick a client certificate and send it to
> the server.
> OpenSSL allows this misconfiguration but requires that
> the client certificate is verified by callbacks provided
> by the user of the library.
> 
> To make it clear:
> 
> Server: "I accept client certificate but won't tell you
>          which CAs I trust"
> Client: "OK, let's try this one..."
> Server: "Sorry, I don't know your issuer."

After some more research I finally found out that Thunderbird should not 
yet try to authenticate with certs anyway. The whole thing is not 
completely implemented but cannot be switched off, except for having 
TBird ask for which cert to use every time and then "cancel".

THX for your help

Andreas
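The tls_ca_path lookup discussed in the thread, as an added example that is not part of the original mails: the 32 bit value is the first four bytes (little-endian) of the MD5 over the DER-encoded issuer name, and only files named <hash>.<n> in the directory are ever opened, which is why a plain ca.pem is invisible until c_rehash has created the hashed name. This is the hash OpenSSL 0.9.x used at the time; OpenSSL 1.0.0 and later switched to a different default, and `openssl x509 -subject_hash_old` prints this older form. The DN values below are constructed.

```python
import hashlib
import re

# Attribute-type OIDs for the constructed DN used below.
_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}

def _der(tag: int, body: bytes) -> bytes:
    """DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _der(0x06, bytes(out))

def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }."""
    body = b"".join(
        _der(0x31, _der(0x30, _der_oid(_OIDS[a]) + _der(0x13, v.encode("ascii"))))
        for a, v in rdns)
    return _der(0x30, body)

def name_hash_old(name_der: bytes) -> int:
    """OpenSSL 0.9.x X509_NAME_hash: first 4 bytes of MD5(DER name), little-endian."""
    return int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def ca_filename(name_der: bytes, n: int = 0) -> str:
    """c_rehash naming: <8 hex digits>.<n>; n disambiguates hash collisions."""
    return "%08x.%d" % (name_hash_old(name_der), n)

def select_ca_files(filenames, issuer_der: bytes):
    """Only <hash>.<n> entries are candidates; any other name (e.g. ca.pem) is ignored."""
    pat = re.compile(r"^%08x\.(\d+)$" % name_hash_old(issuer_der))
    hits = [(int(m.group(1)), f) for f in filenames if (m := pat.match(f))]
    return [f for _, f in sorted(hits)]
```

Feed `select_ca_files` the output of `os.listdir(tls_ca_path)` to see exactly which files the server would try for a given issuer.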