how to configure: turn off SSL_VERIFY_PEER flag for imap/tls
Zhang Weiwu
zhangweiwu at realss.com
Mon Aug 3 22:14:49 EDT 2009
Hello.
I am trying to help my users work around an issue which was described here:
https://bugzilla.mozilla.org/show_bug.cgi?id=437683
In short, cyrus imapd asks for a TLS client certificate, while the user agent
Thunderbird prompts the user to select one. Since our deployment does not
require a client certificate, and users have their email PGP certificate
installed, whatever PGP certificate the user selects must be wrong, thus
the user cannot establish a connection to the IMAP server.
Workarounds:
1. Disable TLS on server or client (bad, their email wouldn't be safe
then);
2. Remove PGP certificate for our clients (bad, ditto);
3. Ask users to switch from Thunderbird to Outlook Express (bad, I
feel sicker if they do);
4. Wait for Thunderbird to add an option that lets the user configure it
to never offer a certificate to a TLS server even if asked (bad,
could be years of waiting);
5. Configure cyrus so that it does not turn on the SSL_VERIFY_PEER flag
(of openssl), so that the imapd server does not ask the user for a client
certificate (the only solution that looks feasible);
So 4 is the choice. Problem being I couldn't figure out how to configure
it that way. I configured "tls_require_cert: false", which sets
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls whether the client is
required to provide the certificate (instead of SSL_VERIFY_PEER, which
controls whether the client is asked to provide the certificate).
So how do you suggest I handle the situation? Thanks a lot in advance!
--
Real Softservice (Beijing) Information Technology Co., Ltd.
Postal code: 100089
Beisihuan Zhong Road No. 238 Baiyan Building Unit 406B
Tel: +86 (10) 8231 8580
http://www.realss.com
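
Added example, not part of the original post and not Cyrus or OpenSSL code: a server running with SSL_VERIFY_PEER sends a CertificateRequest handshake message (type 13), so checking the first server flight for it shows whether a configuration change actually stopped the prompt. The sketch assumes a cleartext TLS 1.2 or older flight (TLS 1.3 encrypts this message); the sample bytes and helper names are constructed for illustration.

```python
import struct

HANDSHAKE = 22            # TLS record content type for handshake data
CERTIFICATE_REQUEST = 13  # handshake message type: server asks for a client cert

def handshake_types(stream):
    """List handshake message types in a cleartext (TLS 1.2 or older) server flight."""
    body, pos = bytearray(), 0
    while pos + 5 <= len(stream):          # record header: type, version, length
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        pos += 5
        if pos + length > len(stream):
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:             # messages may span records: reassemble first
            body += stream[pos:pos + length]
        pos += length
    types, pos = [], 0
    while pos + 4 <= len(body):            # message header: type, 24-bit length
        mlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(body):
            raise ValueError("truncated handshake message")
        types.append(body[pos])
        pos += 4 + mlen
    return types

def asks_for_client_cert(stream):
    """True when the server flight contains a CertificateRequest."""
    return CERTIFICATE_REQUEST in handshake_types(stream)

# --- constructed sample flights (placeholder bodies, not a real capture) ---
def _msg(mtype, payload=b""):
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload

def _records(data, size=16, version=0x0301):
    # Split into small records on purpose to exercise reassembly.
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(struct.pack("!BHH", HANDSHAKE, version, len(c)) + c for c in chunks)

HELLO, CERT, DONE = _msg(2, bytes(38)), _msg(11, bytes(3)), _msg(14)
WITH_REQUEST = _records(HELLO + CERT + _msg(13, bytes(5)) + DONE)
WITHOUT_REQUEST = _records(HELLO + CERT + DONE)

if __name__ == "__main__":
    for name, flight in (("with request", WITH_REQUEST), ("without", WITHOUT_REQUEST)):
        print(name, handshake_types(flight), asks_for_client_cert(flight))
```

SSL_VERIFY_FAIL_IF_NO_PEER_CERT does not change this flight: it only decides whether the handshake is aborted when the client answers the request without a certificate.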