Thunderbird with cyrus-imapd: Why choose client certificate?

Goetz Babin-Ebell goetz at shomitefo.de
Thu Nov 13 15:57:44 EST 2008


Frank Richter wrote:
| Hi,
| I've a cyrus-imapd 2.3.12 installation with these options in imapd.conf
|
| tls_cert_file: /etc/exim/etc/server.crt
| tls_key_file:  /etc/exim/etc/server.key
| tls_ca_file:   /etc/pki/tls/certs/ca-chain.crt
| tls_require_cert: 0
|
| SSL and STARTTLS are working fine.
|
| I've imported a personal S/MIME certificate to thunderbird. When
| connecting to the IMAP server (using STARTTLS), thunderbird asks me to
| select a client cert, showing (translated from German):
|     This website (!) requires a certificate for identification ...
|     Choose a certificate ...
|
| The server doesn't and shouldn't accept client certificates.
| So who is wrong? My configuration, thunderbird ...

If you don't want to do client authentication, why do you set
tls_ca_file at all?

If you really need a CA file with your server cert,
you can include it in your tls_cert_file.
And you only need to do that if you have your server
cert signed by an intermediate CA and not a root
certificate:

---------    --------------       --------
|root CA| -> |intermediate| ->... |server|
---------    --------------       --------
do not       include in           in
include      tls_cert_file        tls_cert_file


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
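
The layout in the diagram above can be checked mechanically. The following is an added example, not part of the original post or of Cyrus: a standard-library Python sketch whose function names (`check_cert_file` and its helpers) are hypothetical. It assumes the file lists the server certificate first, followed by its intermediates, and it compares issuer and subject names only, without verifying signatures.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element header at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER encodings of (issuer, subject) of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)      # enter the Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # enter the TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                # serialNumber, signature, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_cert_file(pem_text):
    """Return findings for a tls_cert_file bundle; an empty list means the layout is fine."""
    # Assumption: server certificate first, then each issuing intermediate in turn.
    names = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not names:
        return ["no certificate found"]
    findings = []
    for i, (issuer, subject) in enumerate(names):
        if i > 0 and issuer == subject:
            findings.append(f"cert {i}: self-signed root CA, leave it out of the file")
        if i > 0 and names[i - 1][0] != subject:
            findings.append(f"cert {i}: is not the issuer of cert {i - 1}, chain out of order")
    return findings

if __name__ == "__main__":
    # Usage: python check_chain.py /path/to/tls_cert_file
    with open(sys.argv[1]) as fh:
        problems = check_cert_file(fh.read())
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```
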