Disable client authentication with certificates

Stefan Gofferje lists at home.gofferje.net
Tue Dec 3 14:28:26 EST 2013


On 12/03/2013 08:01 PM, Dan White wrote:
>> On 12/03/2013 04:39 PM, Dan White wrote:
> This looks successful, from the server's viewpoint.

Yesyes, when I click "cancel" when Thunderbird asks which certificate to
use, everything goes fine.

However, if I *do* tell Thunderbird to use a certificate, the following
happens:
Dec  3 21:19:50 home imap[17566]: executed
Dec  3 21:19:50 home imap[17566]: accepted connection
Dec  3 21:19:50 home imap[17567]: executed
Dec  3 21:19:50 home imap[17567]: accepted connection
Dec  3 21:19:50 home imap[17568]: executed
Dec  3 21:19:50 home imap[17568]: accepted connection
Dec  3 21:19:58 home imap[17568]: DBMSG: 20 lockers
Dec  3 21:19:58 home imap[17568]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17568]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17567]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17567]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17566]: SSL_accept() incomplete -> wait
Dec  3 21:19:58 home imap[17568]: SSL_accept() incomplete -> wait
Dec  3 21:19:58 home imap[17567]: SSL_accept() incomplete -> wait
Dec  3 21:20:11 home imap[20102]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:11 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:11 home imap[17566]: Doing a peer verify
Dec  3 21:20:11 home imap[17566]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:11 home imap[17566]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:11 home imap[17566]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:11 home imap[17566]: Connection reset by peer, closing connection
Dec  3 21:20:11 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:11 home imap[20102]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:12 home imap[20104]: SQUAT failed to open index file
Dec  3 21:20:12 home imap[20104]: SQUAT failed
Dec  3 21:20:12 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:12 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:13 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 21:20:14 home imap[17567]: Doing a peer verify
Dec  3 21:20:14 home imap[17567]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:14 home imap[17567]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:14 home imap[17567]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:17 home imap[17568]: Doing a peer verify
Dec  3 21:20:17 home imap[17568]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:17 home imap[17568]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:17 home imap[17568]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:17 home imap[17567]: Connection reset by peer, closing connection

> imtest -t "" <host>
> 
> will attempt a starttls connection without submitting a client certificate.
> If that succeeds, then it proves that your server supports TLS without
> client authentication.

I know that it does :) - see above... But here is the output:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR
COMPRESS=DEFLATE] home.gofferje.net Cyrus IMAP v2.3.16 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI AUTH=DIGEST-MD5
AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL
RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
SCAN IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 256


So why does Thunderbird ask me which certificate to use for
authentication? Does my Cyrus ask for a client certificate or does it
not? ^^

-S


-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface
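The log excerpt in the message above, worked through as an added example (this is not code from the original post or from the Cyrus project): a small Python triage script that groups cyrus imapd syslog lines by process id and reports, for each TLS session, whether the server performed a peer verify (the line the server logs only when the client presented a certificate), which OpenSSL verify error number it recorded, and whether the earlier "cannot load CA data" line from the same process explains the failure. The sample log is constructed from the lines in the post; the second session (pid 18001) and its `starttls:` success line are assumed for contrast and are not taken from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the cyrus imapd excerpt in the post.
# Session 17566: the client presented a certificate (lines copied from the post).
# Session 18001: constructed contrast case, no client certificate; its final
# "starttls:" line is an assumed success marker, not copied from the post.
SAMPLE_LOG = """\
Dec  3 21:19:50 home imap[17566]: executed
Dec  3 21:19:50 home imap[17566]: accepted connection
Dec  3 21:19:58 home imap[17566]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17566]: SSL_accept() incomplete -> wait
Dec  3 21:20:11 home imap[17566]: Doing a peer verify
Dec  3 21:20:11 home imap[17566]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:11 home imap[17566]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:11 home imap[17566]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:11 home imap[17566]: Connection reset by peer, closing connection
Dec  3 21:21:02 home imap[18001]: executed
Dec  3 21:21:02 home imap[18001]: accepted connection
Dec  3 21:21:03 home imap[18001]: SSL_accept() incomplete -> wait
Dec  3 21:21:04 home imap[18001]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) no authentication
"""

# syslog prefix as it appears in the post: "<ts> <host> imap[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) imap\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL verify diagnostics as logged by the server, e.g. "verify error:num=20:unable to get ..."
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):(?P<reason>.+)")


@dataclass
class Session:
    pid: str
    first_seen: str
    ca_load_failed: bool = False      # "TLS server engine: cannot load CA data"
    peer_verify: bool = False         # "Doing a peer verify": a client certificate was presented
    verify_errors: list = field(default_factory=list)  # (OpenSSL verify error number, reason text)
    starttls_failed: bool = False     # "STARTTLS negotiation failed: ..."
    tls_established: bool = False     # assumed "starttls: ..." success line


def parse_sessions(log_text: str) -> dict:
    """Group log lines by imapd process id and extract the TLS-relevant events of each session."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        s = sessions.setdefault(pid, Session(pid=pid, first_seen=m["ts"]))
        if "cannot load CA data" in msg:
            s.ca_load_failed = True
        elif msg == "Doing a peer verify":
            s.peer_verify = True
        elif (v := VERIFY_RE.search(msg)):
            s.verify_errors.append((int(v["num"]), v["reason"].strip()))
        elif msg.startswith("STARTTLS negotiation failed"):
            s.starttls_failed = True
        elif msg.startswith("starttls: "):
            s.tls_established = True
    return sessions


def classify(s: Session) -> str:
    """One verdict per session, phrased for a triage report."""
    if s.peer_verify and s.starttls_failed:
        if s.ca_load_failed:
            return "client cert presented; verification failed because the server could not load its CA data"
        return "client cert presented; verification failed"
    if s.starttls_failed:
        return "STARTTLS failed without any client certificate check"
    if s.tls_established:
        return "TLS established, no client certificate"
    return "no TLS outcome logged"


def triage(log_text: str) -> dict:
    """Map pid -> (verdict, [verify error numbers]) for every session in the log."""
    return {pid: (classify(s), [n for n, _ in s.verify_errors])
            for pid, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for pid, (verdict, errs) in triage(SAMPLE_LOG).items():
        print(f"imap[{pid}]: {verdict}" + (f" (verify errors {errs})" if errs else ""))
```

The per-process grouping matters because Cyrus forks one imapd per connection, so the "cannot load CA data" line and the later verify error belong together only when they carry the same pid; a report that ignores the pid would blame the wrong session when several clients connect at once, as in the post's excerpt.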


