Thunderbird with cyrus-imapd: Why chose client certificate?

Goetz Babin-Ebell goetz at shomitefo.de
Thu Nov 13 18:49:21 EST 2008


Jorey Bump wrote:
| Goetz Babin-Ebell wrote, at 11/13/2008 03:57 PM:
|
|> If you don't want to do client authentication, why do you set
|> tls_ca_file at all ?
|
| Hmm, I do it to suppress these errors:
|
|  TLS server engine: cannot load CA data

from 2.3.11 (imap/tls.c):

    if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
        (!SSL_CTX_set_default_verify_paths(s_ctx))) {
        /* just a warning since this is only necessary for client auth*/
        syslog(LOG_NOTICE,"TLS server engine: cannot load CA data");
    }

It is not an error.
It is simply noise to confuse people who don't know the details.
Since you don't do client authentication you can ignore
this output or hack your cyrus to shut up.

The code handling SSL client authentication, and this code in particular,
is simply bad and in need of a rewrite.

There is an old patch (from 2005) that was never integrated:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642

| Setting tls_ca_file to a properly formatted bundle suppresses the error,
| but now i'm wondering if that's a good idea. Will this expose my server
| in any way? I don't see how, but the documentation (and error) is very
| sparse:
|
|  tls_ca_file: <none>
|     File containing one or more Certificate Authority (CA) certificates.
|
| There's no mention of client certificate authentication.

Unfortunately it is not documented that you normally only need
CA certificates if you do client authentication.

Basically setting it adds some useless overhead in the handshake
and a window the user has to click away if he has client certs
stored in his IMAP client...


Bye

Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many
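An added example, written for this page and not code from the thread or from cyrus-imapd, that shows the point Goetz makes above with Python's ssl module: a server context that has loaded a CA file (the analogue of tls_ca_file) never asks the client for a certificate until its verify mode is changed, and that request is what makes a client with stored certificates pop up its certificate picker. The script generates a throwaway CA and one leaf certificate with the openssl command-line tool, so it assumes that tool is on PATH; the hostname and CA name are arbitrary test values, and the leaf is reused as both server and client certificate for brevity.

```python
"""Added example, not code from the cyrus-imapd thread or project: what loading a
CA file into a TLS server context does (and does not do) to the handshake.
Assumes the openssl command-line tool is on PATH; names below are test values."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "imap.example.test"   # assumed test value; hostname checking is off below


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Throwaway CA plus one leaf certificate signed by it (used on both sides)."""
    def p(name):
        return os.path.join(workdir, name)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Example Test CA", "-keyout", p("ca.key"), "-out", p("ca.pem"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + HOSTNAME,
             "-keyout", p("leaf.key"), "-out", p("leaf.csr"))
    _openssl("x509", "-req", "-days", "1", "-in", p("leaf.csr"), "-CA", p("ca.pem"),
             "-CAkey", p("ca.key"), "-CAcreateserial", "-out", p("leaf.pem"))
    return p("ca.pem"), p("leaf.pem"), p("leaf.key")


def _subject_cn(cert):
    """commonName from the dict SSLSocket.getpeercert() returns, or None."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def handshake(server_ctx, client_ctx, timeout=10.0):
    """One handshake over an in-process socketpair.
    Returns (server_ok, client_cert_cn, server_error) as seen by the server."""
    srv_sock, cli_sock = socket.socketpair()
    srv_sock.settimeout(timeout)
    cli_sock.settimeout(timeout)
    seen = {"ok": False, "cn": None, "error": None}

    def server_side():
        tls = server_ctx.wrap_socket(srv_sock, server_side=True, do_handshake_on_connect=False)
        try:
            tls.do_handshake()
            seen["ok"], seen["cn"] = True, _subject_cn(tls.getpeercert())
        except Exception as exc:                 # ssl.SSLError carries .reason
            seen["error"] = getattr(exc, "reason", None) or repr(exc)
        finally:
            tls.close()

    worker = threading.Thread(target=server_side)
    worker.start()
    tls = client_ctx.wrap_socket(cli_sock, server_hostname=HOSTNAME, do_handshake_on_connect=False)
    try:
        tls.do_handshake()
    except OSError:
        pass                                     # the server's verdict is what we report
    worker.join()                                # keep the client open until the server is done
    tls.close()
    return seen["ok"], seen["cn"], seen["error"]


def run_demo():
    """Three scenarios; returns {name: (server_ok, client_cn, server_error)}."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_crt, leaf_crt, leaf_key = make_pki(workdir)

        def server(require_client_cert):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(leaf_crt, leaf_key)
            ctx.load_verify_locations(ca_crt)    # the tls_ca_file analogue; verify_mode stays CERT_NONE
            if require_client_cert:              # this, not the CA file, makes the server ask for a cert
                ctx.verify_mode = ssl.CERT_REQUIRED
            return ctx

        def client(with_cert):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False           # test leaf has no SAN; not the point here
            ctx.load_verify_locations(ca_crt)    # trust the server's issuer
            if with_cert:
                ctx.load_cert_chain(leaf_crt, leaf_key)
            return ctx

        return {
            # CA file loaded, verify mode untouched: the client is never asked for a cert
            "ca_file_only": handshake(server(False), client(False)),
            # client auth switched on, client has nothing to show: the server rejects
            "client_auth_no_cert": handshake(server(True), client(False)),
            # client auth on, client holds a cert from that CA: accepted, subject readable
            "client_auth_with_cert": handshake(server(True), client(True)),
        }


if __name__ == "__main__":
    for name, (ok, cn, err) in run_demo().items():
        print(f"{name:22s} server_ok={ok} client_cn={cn!r} error={err!r}")
```

Run it with python3 and compare the three lines: the first handshake succeeds with no client certificate involved at all, the second fails on the server side (under TLS 1.3 the client has already sent its Finished before the server rejects the empty Certificate message, so only the server reports the error), and the third succeeds with the client's commonName visible to the server. Against a running IMAP server, `openssl s_client -connect host:993` lists "Acceptable client certificate CA names" only when the server actually sent a certificate request; with tls_ca_file set and no client-auth option you should see "No client certificate CA names sent" instead.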


More information about the Info-cyrus mailing list