Thunderbird with cyrus-imapd: Why choose client certificate?
Frank Richter
frank.richter at hrz.tu-chemnitz.de
Fri Nov 14 03:20:02 EST 2008
> | Hi,
> | I've a cyrus-imapd 2.3.12 installation with these options in imapd.conf
> |
> | tls_cert_file: /etc/exim/etc/server.crt
> | tls_key_file: /etc/exim/etc/server.key
> | tls_ca_file: /etc/pki/tls/certs/ca-chain.crt
> | tls_require_cert: 0
> |
> | SSL and STARTTLS are working fine.
> |
> | I've imported a personal S/MIME certificate to thunderbird. When
> | connecting to the IMAP server (using STARTTLS), thunderbird asks me to
> | select a client cert, showing (translated from German):
> | This website (!) requires a certificate for identification ...
> | Choose a certificate ...
> |
> | The server doesn't and shouldn't accept client certificates.
> | So who is wrong? My configuration, thunderbird ...
>
> If you don't want to do client authentication, why do you set
> tls_ca_file at all ?
>
> If you really need a CA file with your server cert,
> you can include it in your tls_cert_file.
> And you only need to do that if you have your server
> cert signed by an intermediate CA and not a root
> certificate:
>
> ---------    --------------       --------
> |root CA| -> |intermediate| ->... |server|
> ---------    --------------       --------
> do not       include in           in
> include      tls_cert_file        tls_cert_file

Thanks, but ...

I did this - not defining a tls_ca_file, and adding my CA chain to
tls_cert_file. I'm getting the same behavior - Thunderbird is asking for a
client cert. And the log entry:

  TLS server engine: No CA file specified. Client side certs may not work

Regards,
Frank
--
E-Mail: Frank.Richter at hrz.tu-chemnitz.de http://www.tu-chemnitz.de/~fri/
Work: Computing Services, Chemnitz University of Technology, Germany