how to configure: turn off SSL_VERIFY_PEER flag for imap/tls
Vladimir Vassiliev
vova at edu.yar.ru
Tue Aug 4 03:13:46 EDT 2009
You can try this:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642
On Tuesday 04 August 2009, Zhang Weiwu wrote:
> Hello.
>
> I am trying to help my users work around an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
>
> In short, cyrus imapd asked for tls client certificate, while user agent
> thunderbird prompts user to select one. Since our deployment does not
> require client certificate, and users have their email PGP certificate
> installed, whatever PGP certificate user selects must be wrong, thus
> user couldn't establish connection to imap server.
>
> Workarounds:
>
> 1. Disable TLS on server or client (bad, their email wouldn't be safe
> then);
> 2. Remove PGP certificate for our clients (bad, ditto);
> 3. Ask users to switch from Thunderbird to Outlook Express (bad, I
> feel sicker if they do);
> 4. Wait for Thunderbird to add an option to allow user to configure
> always not offer certificate to TLS server even if asked (bad,
> could be years' waiting);
> 5. Configure cyrus so that it does not turn on the SSL_VERIFY_PEER flag
> (of openssl), so that the imapd server does not ask the user for a client
> certificate (the only solution that looks feasible);
>
> So 4 is the choice. The problem is that I couldn't figure out how to configure
> it that way. I configured "tls_require_cert: false", which sets
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls whether the server requires the
> client to provide the certificate (instead of SSL_VERIFY_PEER, which controls
> whether it asks the client to provide the certificate).
>
> So how do you suggest I handle the situation? Thanks a lot in advance!
>
--
Vladimir Vassiliev <vova at edu.yar.ru>
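
The distinction the question turns on (SSL_VERIFY_PEER makes the server ask for a client certificate, SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes it require one) can be observed from the client side. The script below is an added example, not part of the original thread or of Cyrus: it starts a throwaway `openssl s_server` on loopback and checks whether a CertificateRequest handshake message reaches the client. The function name, the port argument and the self-signed test certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.0+).
# s_server options map onto the flags discussed in the thread:
#   (none)    -> SSL_VERIFY_NONE: no CertificateRequest is sent
#   -verify N -> SSL_VERIFY_PEER: certificate requested, optional
#   -Verify N -> SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT: required
#
# asks_for_client_cert PORT [s_server verify options...]
# Returns 0 if the server sent a CertificateRequest, 1 if it did not,
# 2 if the test setup itself failed.
asks_for_client_cert() {
    port=$1; shift
    dir=$(mktemp -d) || return 2
    # Constructed, short-lived self-signed certificate for the test server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 2; }
    # -www keeps the server from reading stdin; loopback only.
    openssl s_server -accept "127.0.0.1:$port" -www \
        -cert "$dir/cert.pem" -key "$dir/key.pem" "$@" >/dev/null 2>&1 &
    srv=$!
    sleep 1
    # -msg prints every handshake message; the client offers no certificate.
    out=$(openssl s_client -connect "127.0.0.1:$port" -msg </dev/null 2>&1)
    kill "$srv" 2>/dev/null
    wait "$srv" 2>/dev/null
    rm -rf "$dir"
    printf '%s\n' "$out" | grep -q 'CertificateRequest'
}

# Example calls (ports are arbitrary free loopback ports):
#   asks_for_client_cert 24431            # server never asks
#   asks_for_client_cert 24432 -verify 1  # server asks, cert optional
#   asks_for_client_cert 24433 -Verify 1  # server asks, cert required
```

Against a live IMAP server the same check is `openssl s_client -connect HOST:993 -msg`, or with `-starttls imap` added for port 143; a CertificateRequest line in the output is what causes the client to prompt for a certificate.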