Thunderbird with cyrus-imapd: Why choose client certificate?

Jorey Bump list at joreybump.com
Thu Nov 13 12:06:01 EST 2008


Frank Richter wrote, at 11/05/2008 10:58 AM:
> Hi,
> I've a cyrus-imapd 2.3.12 installation with these options in imapd.conf
> 
> tls_cert_file: /etc/exim/etc/server.crt
> tls_key_file:  /etc/exim/etc/server.key
> tls_ca_file:   /etc/pki/tls/certs/ca-chain.crt
> tls_require_cert: 0
> 
> SSL and STARTTLS are working fine.
> 
> I've imported a personal S/MIME certificate to Thunderbird. When 
> connecting to the IMAP server (using STARTTLS), Thunderbird asks me to 
> select a client cert, showing (translated from German):
>     This website (!) requires a certificate for identification ...
>     Choose a certificate ...
> 
> The server doesn't and shouldn't accept client certificates.
> So who is wrong? My configuration, Thunderbird ...
> 
> I hope somebody will enlighten me ...

Try appending the CA's root certificate for your personal S/MIME
certificate to the file specified in tls_ca_file.

FWIW, I use the bundle provided by curl
(/usr/share/curl/curl-ca-bundle.crt on my system), because it's in the
correct format. You might have to append additional certificates,
depending on your needs.

This seems to be related to Cyrus' behaviour whenever tls_ca_file is
defined. The best solution seems to be to use a general purpose bundle,
though I haven't tested it with client certificates.
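
An added example, not part of the original post or of Cyrus itself: one way to append a CA root to the PEM bundle named in tls_ca_file without duplicating entries or fusing two blocks when the bundle lacks a trailing newline. The function names are hypothetical, and the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block found in PEM text."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in PEM_RE.finditer(text)]

def to_pem(der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def append_ca(bundle_text, ca_text):
    """Return (new_bundle_text, number_added); blocks already present are skipped."""
    new = pem_blocks(ca_text)
    if not new:
        # A DER-encoded file has no PEM armour and cannot simply be concatenated.
        raise ValueError("no PEM CERTIFICATE block; convert DER input to PEM first")
    seen = {hashlib.sha256(d).hexdigest() for d in pem_blocks(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        # Without this, END and BEGIN markers would land on the same line.
        out += "\n"
    added = 0
    for der in new:
        fp = hashlib.sha256(der).hexdigest()
        if fp not in seen:
            out += to_pem(der)
            seen.add(fp)
            added += 1
    return out, added

# Constructed placeholder data: an existing bundle that lacks a trailing
# newline, and the root CA that issued the personal S/MIME certificate.
SAMPLE_BUNDLE = to_pem(b"constructed-ca-A" * 8).rstrip("\n")
SAMPLE_SMIME_ROOT = to_pem(b"constructed-ca-B" * 8)

if __name__ == "__main__":
    merged, added = append_ca(SAMPLE_BUNDLE, SAMPLE_SMIME_ROOT)
    print(f"added {added}, bundle now holds {len(pem_blocks(merged))} certificates")
```
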
