Disable client authentication with certificates
Wolfgang Breyha
wbreyha at gmx.net
Mon Dec 9 08:09:01 EST 2013
On 2013-12-07 10:08, Stefan Gofferje wrote:
> On 12/03/2013 09:28 PM, Stefan Gofferje wrote:
>> So why does Thunderbird ask me which certificate to use for
>> authentication? Does my Cyrus ask for a client certificate or does it
>> not? ^^
>
> Nobody a clue?
It depends. On IMAPS/POP3S ports Cyrus never asks for client certs. On the
other hand, it always asks for them when doing STARTTLS. That's caused by the
way tls_init_serverengine() is called in imapd.c and pop3d.c.
You can either connect to ports 993/995 to prevent the use of client certs
or you can completely disable client certs with this patch (still works on
2.4.17):
----------------
# cat SOURCES/cyrus-imapd-2.3.14-disable_clientcerts.patch
diff -urN cyrus-imapd-2.3.14.orig/imap/imapd.c cyrus-imapd-2.3.14/imap/imapd.c
--- cyrus-imapd-2.3.14.orig/imap/imapd.c 2009-05-06 14:05:17.000000000 +0200
+++ cyrus-imapd-2.3.14/imap/imapd.c 2009-05-06 14:09:48.000000000 +0200
@@ -6764,7 +6764,7 @@
result=tls_init_serverengine("imap",
5, /* depth to verify */
- !imaps, /* can client auth? */
+ 0, /* can client auth? */
!imaps); /* TLS only? */
if (result == -1) {
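Review bot: The literal 0 on the "can client auth?" argument in imapd.c turns client certificates off at build time for every STARTTLS connection, so a site that does want them has to carry a different build. Consider driving this argument from a configuration switch that defaults to the old `!imaps` value instead of a constant. If the constant stays, the comment should say that client certificate requests are deliberately disabled, and it is worth checking whether the "depth to verify" value of 5 still has any effect once no client certificate is requested.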
diff -urN cyrus-imapd-2.3.14.orig/imap/pop3d.c cyrus-imapd-2.3.14/imap/pop3d.c
--- cyrus-imapd-2.3.14.orig/imap/pop3d.c 2009-05-06 14:05:17.000000000 +0200
+++ cyrus-imapd-2.3.14/imap/pop3d.c 2009-05-06 14:10:05.000000000 +0200
@@ -1077,7 +1077,7 @@
result=tls_init_serverengine("pop3",
5, /* depth to verify */
- !pop3s, /* can client auth? */
+ 0, /* can client auth? */
!pop3s); /* TLS only? */
if (result == -1) {
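Review bot: The pop3d.c call repeats the same hard-coded 0 as the imapd.c hunk, so the two call sites now have to be kept in sync by hand on every rebase (the patch is named for 2.3.14). A single shared definition or setting used for the "can client auth?" argument in both files would avoid one service silently going back to `!pop3s` or `!imaps`. If any other daemon in the tree calls tls_init_serverengine(), it is not covered by this patch and would still request client certificates, so that should be checked before relying on this change.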
-------------------
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha at gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria