how to configure: turn off SSL_VERIFY_PEER flag for imap/tls
Leena Heino
Leena.Heino at uta.fi
Tue Aug 4 03:30:48 EDT 2009
On Tue, 4 Aug 2009, Zhang Weiwu wrote:
> Hello.
>
> I am trying to help my users workaround an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
>
> In short, cyrus imapd asked for a tls client certificate, while the user agent
> thunderbird prompts the user to select one. Since our deployment does not
> require a client certificate, and users have their email PGP certificate
> installed, whatever PGP certificate the user selects must be wrong, thus the
> user couldn't establish a connection to the imap server.
I've used a patch like this to patch Cyrus IMAPD:
Add to your imapd.conf:
# Whether to request client certificate with STARTTLS session.
#
##tls_request_cert: 1
# Whether to request client certificate with STARTTLS session.
#
imap_tls_request_cert: 0
pop3_tls_request_cert: 0
Patch:
--- imap/tls.c.orig Fri Oct 28 17:51:18 2005
+++ imap/tls.c Thu Mar 2 12:45:28 2006
@@ -580,6 +580,7 @@
const char *s_cert_file;
const char *s_key_file;
int requirecert;
+ int requestcert;
int timeout;
if (tls_serverengine)
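Review bot: `requestcert` is declared without an initializer; in this patch it is only read inside the `if (askcert!=0)` branch where it is assigned, so that is safe, but `int requestcert = 0;` would stop the later hunk from depending on that ordering. The header `@@ -580,6 +580,7 @@` is consistent with the single added line.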
@@ -684,8 +688,11 @@
SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
verify_depth = verifydepth;
- if (askcert!=0)
- verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ if (askcert!=0) {
+ requestcert = config_getswitch(IMAPOPT_TLS_REQUEST_CERT);
+ if (requestcert)
+ verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ }
requirecert = config_getswitch(IMAPOPT_TLS_REQUIRE_CERT);
if (requirecert)
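Review bot: the new switch gates `SSL_VERIFY_PEER` but leaves the `tls_require_cert` handling that follows untouched, so `tls_request_cert: 0` together with `tls_require_cert: 1` gives a server that requires a client certificate it never asks for; either force `requestcert` on when `requirecert` is set, or reject that combination at startup. The header `@@ -684,8 +688,11 @@` implies four lines were added before this point while the first hunk adds only one, so the mail likely omits part of the patch and it should be checked to apply cleanly. Nothing here handles the per-service `imap_tls_request_cert` / `pop3_tls_request_cert` keys shown above; that only works if `config_getswitch(IMAPOPT_TLS_REQUEST_CERT)` already resolves service-prefixed overrides.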
--- lib/imapoptions Wed Feb 1 21:44:06 2006
+++ lib/imapoptions Thu Mar 2 12:45:28 2006
@@ -956,6 +956,9 @@
/* File containing the private key belonging to the server
certificate. A value of "disabled" will disable SSL/TLS. */
+{ "tls_request_cert", 1, SWITCH }
+/* Request a client certificate for ALL services (imap, pop3, lmtp, sieve). */
+
{ "tls_require_cert", 0, SWITCH }
/* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */
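Review bot: the description for `tls_request_cert` copies the `tls_require_cert` line with one verb changed; it should say what the switch is for (turning it off stops the server from sending a CertificateRequest, so clients such as Thunderbird stop prompting for a certificate), that the default of 1 keeps the existing behaviour, and that `tls_require_cert` only makes sense when this switch is enabled.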
--
Leena Heino University of Tampere / Computer Centre
( liinu at uta.fi ) ( http://www.uta.fi/laitokset/tkk )
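A verification step added here, not part of Leena's mail or of Cyrus: after deploying the patch, run `openssl s_client` against the server and classify its output by whether a TLS CertificateRequest was received. The marker strings are those printed by openssl s_client; the host argument and the sample outputs in the comments are placeholders.

```shell
#!/bin/sh
# Added check, not from the thread: classify "openssl s_client" output by
# whether the IMAP server sent a TLS CertificateRequest during the handshake.
# Reads s_client output on stdin; prints requested / not-requested / unknown.
classify_cert_request() {
    out=$(cat)
    # These lines appear in s_client output only after a CertificateRequest
    # (the last two are printed by newer OpenSSL versions).
    if printf '%s\n' "$out" | grep -qE \
        'Acceptable client certificate CA names|Client Certificate Types|Requested Signature Algorithms'; then
        echo requested
        return 0
    fi
    # Printed when no CA list arrived. Caveat: a CertificateRequest with an
    # empty CA list (legal in TLS) also lands here on old OpenSSL builds.
    if printf '%s\n' "$out" | grep -q 'No client certificate CA names sent'; then
        echo not-requested
        return 0
    fi
    # Handshake failed or output not recognised.
    echo unknown
}

# Live check (HOST is a placeholder argument): STARTTLS on 143, implicit TLS on 993.
check_imap_server() {
    host=${1:?usage: check_imap_server HOST [PORT]}
    port=${2:-143}
    if [ "$port" = 993 ]; then starttls=''; else starttls='-starttls imap'; fi
    # s_client reads stdin after the handshake; send LOGOUT so it does not hang.
    # $starttls is left unquoted on purpose so it splits into two arguments.
    printf 'a LOGOUT\r\n' | openssl s_client $starttls -connect "$host:$port" 2>&1 \
        | classify_cert_request
}
```

Before the patch a server with the default settings should classify as "requested"; after setting `imap_tls_request_cert: 0` and restarting, the same check should print "not-requested".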