
TLS client authentication: allow optional client certificate #742

Closed
brong opened this issue Apr 1, 2005 · 13 comments
Assignees
Labels
diceroll assigned by dice roll enhancement feature request, not a bug IMAP P3

Comments

@brong
Member

brong commented Apr 1, 2005

From: Goetz Babin-Ebell
Bugzilla-Id: 2642
Version: 2.2.x
Owner: Ken Murchison

@brong
Member Author

brong commented Apr 1, 2005

From: Goetz Babin-Ebell

I have reworked how the CA certificates are handled in
imap/tls.c:tls_init_serverengine:

  • I added the new (optional) parameter "tls_server_ca_file" containing
    the CA certificates that build the certificate chain for the server certificate.
    (if it is not set, the certificates are collected from
    tls_ca_file and tls_ca_path)
  • now the list of acceptable CA certificates that may issue client certificates
    is generated from the "tls_ca_file".
    If this file contains no certificates, no client certificates are requested.
  • I changed the parameter "tls_require_cert" to accept the 3 values:
    • "off": no client certificates are requested, processed
    • "optional": the client may send a client certificate
    • "require": client certificate is required
      Perhaps it is better to create a new parameter and declare the old one
      as deprecated.

Additionally I changed imtest:

  • accept parameters to set CA file (-path) for server verification.
  • fail if the server verification is wanted but failed
    (this includes fail if the CA certificate for the server is not known)
  • generate a better error message if TLS failed
  • allow IMAP over SSL with client certificate
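The following is an added example, not part of the patch or of Cyrus: it models the server-side policy the comment above describes (the three `tls_require_cert` values, the acceptable-issuer list taken from `tls_ca_file` alone, and the `tls_server_ca_file` fallback) using the Python `ssl` module's verify modes. The same model explains the later workaround in this thread of pointing `tls_ca_file` at an unrelated CA: the issuers advertised in the CertificateRequest come only from that file, never from the server's own chain. Function names, the sample bundle and the decision to treat "require" with an empty CA file as a configuration error are my assumptions.

```python
# Added example (not Cyrus code): a model of the tls_require_cert /
# tls_ca_file / tls_server_ca_file policy described in the patch, expressed
# with the Python ssl module's verify modes. All function names are invented.
import re
import ssl

# One certificate block in a PEM bundle; keys and comment lines are ignored.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

VALID_MODES = ("off", "optional", "require")


def count_pem_certificates(bundle_text: str) -> int:
    """Number of CA certificates the server would advertise as acceptable
    issuers for client certificates (i.e. the content of tls_ca_file)."""
    return len(_PEM_CERT.findall(bundle_text))


def client_auth_policy(tls_require_cert: str, tls_ca_file_text: str):
    """Map the three tls_require_cert values to a verify mode.

    Returns (verify_mode, request_client_cert). Following the patch text,
    an empty tls_ca_file means no client certificate is requested at all.
    That is fine for "off" and "optional"; for "require" it would silently
    lock every client out, so it is treated as a configuration error here
    (my choice, not something the patch specifies).
    """
    mode = tls_require_cert.strip().lower()
    if mode not in VALID_MODES:
        raise ValueError(f"tls_require_cert must be one of {VALID_MODES}")
    issuers = count_pem_certificates(tls_ca_file_text)
    if mode == "off":
        return ssl.CERT_NONE, False
    if issuers == 0:
        if mode == "require":
            raise ValueError("tls_require_cert is 'require' but tls_ca_file "
                             "holds no CA certificates")
        return ssl.CERT_NONE, False
    if mode == "optional":
        return ssl.CERT_OPTIONAL, True
    return ssl.CERT_REQUIRED, True


def server_chain_sources(tls_server_ca_file, tls_ca_file, tls_ca_path):
    """Where the server's own chain certificates are loaded from: the
    dedicated file if set, otherwise the client-CA file and directory."""
    if tls_server_ca_file:
        return [tls_server_ca_file]
    return [p for p in (tls_ca_file, tls_ca_path) if p]


# Constructed sample bundle: two placeholder certificate blocks, a comment
# line and a stray private key, none of which are real DER data.
SAMPLE_BUNDLE = """\
# comment line that must not count
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder-1...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIE...should-be-ignored...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder-2...
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for mode in VALID_MODES:
        print(mode, client_auth_policy(mode, SAMPLE_BUNDLE))
    print("optional, empty CA file:", client_auth_policy("optional", ""))
    print(server_chain_sources(None, "/etc/ssl/ca.pem", "/etc/ssl/certs"))
```

The point worth checking in a real deployment is the `optional` row: with a populated `tls_ca_file` the server asks for a certificate, which is exactly what makes some clients open a chooser dialog, while an empty file makes the request disappear entirely.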

@brong
Member Author

brong commented Apr 1, 2005

Attachment-Id: 338
From: Goetz Babin-Ebell
Type: text/plain
File: cyrus-imapd-2.2.12.diff

The patch containing my changes...

@brong
Member Author

brong commented Aug 5, 2009

From: Zhang Weiwu

Great. Since this patch was created more than four years ago (2005-04-01), is there a chance it gets accepted into the main source tree so I can simply upgrade my Cyrus imapd?

@brong
Member Author

brong commented Aug 5, 2009

From: Goetz Babin-Ebell

Does it still apply ?

Since Thunderbird didn't really support client authentication
with the EXTERNAL method the last time I checked,
I somehow lost interest.

If you want to adopt the patch, I would be willing to help...

@brong
Member Author

brong commented Aug 6, 2009

From: Zhu Zhixin

have a look at .. :-)

@brong
Member Author

brong commented Aug 13, 2009

From: Zhu Zhixin

^_^ Your patch seems to work.

./configure --with-snmp=snmp/

make

make install

No errors, and when I connect to the IMAP server with Icedove/Thunderbird, the CA dialog now does not appear.

@brong
Member Author

brong commented Aug 13, 2009

From: Zhang Weiwu

Glad to know. Thanks. May I ask which version this applies to, when you say it applies "now"? I just guess providing this information would be helpful for those coming here from Google.

@brong
Member Author

brong commented Aug 13, 2009

From: Zhang Weiwu

> no error and when i connect to the imap server with icedove/thunderbird, the
> CA dialog now not appear.

He was talking about the case where a Cyrus misbehavior triggers another misbehavior in Thunderbird, which is recorded here:

https://bugzilla.mozilla.org/show_bug.cgi?id=437683

@brong
Member Author

brong commented Sep 2, 2009

From: Sebastian Hagedorn

FWIW, I found a (stupid) workaround for the Thunderbird problem. We switched CAs this morning and began having the issue that TB users with certificates signed by the new CA were prompted for them.
We never had this problem before, because we never used the old CA for personal certificates. So what I did was to set tls_ca_file to the old CA! The actual server certificates are from the new one, and that setting is only used for client certificate verification anyway.

So a generic workaround would be to create an empty CA that's never used and to point tls_ca_file to that ... ugly, but effective.

@brong
Member Author

brong commented Sep 3, 2009

From: Zhu Zhixin

(In reply to comment #6)
> Glad to know. Thanks. May I ask which version does this apply to, when you say
> it applies "now"? I just guess providing this information would be helpful for
> those coming here from google.
>

$ dpkg -l |grep cyrus-imapd
hi cyrus-imapd-2.2 2.2.13-14 Cyrus mail system (IMAP support)

@brong
Member Author

brong commented Apr 10, 2011

From: Jeroen van Meeuwen (Kolab Systems)

I'm going to attempt to apply these patches to master, thanks.

@brong
Member Author

brong commented Apr 11, 2011

From: Jeroen van Meeuwen (Kolab Systems)

(In reply to comment #0)
> I have reworked the way how in imap/tls.c:tls_init_serverengine
> the CA certificates are handled:
>
> * I added the new (optional) parameter "tls_server_ca_file" containing
> the CA certificates that build the certificate chain for the server certificate.
> (if it is not set, the certificates are collected from
> tls_ca_file and tls_ca_path)
> * now the list of acceptable CA certificates that may issue client certificates is generated from the "tls_ca_file".
> If this file contains no certificates, no client certificates are requested.

I take it your "tls_server_ca_file" setting is actually supposed to represent the CA certificate (chain) used to issue client certificates with - correct? If so, I'd say client_ca_cert is a more appropriate name.

@brong brong added IMAP P3 enhancement feature request, not a bug labels Dec 13, 2016
@brong brong added the diceroll assigned by dice roll label Jun 27, 2017
@brong brong assigned elliefm and unassigned ksmurchison Jun 27, 2017
@elliefm
Contributor

elliefm commented Jun 30, 2017

I don't know if Jeroen ever got anywhere with this, but it doesn't apply cleanly anymore.

patching file imap/tls.c
Hunk #1 FAILED at 578.
Hunk #2 FAILED at 673.
Hunk #3 FAILED at 685.
3 out of 3 hunks FAILED -- saving rejects to file imap/tls.c.rej
patching file imtest/imtest.c
Hunk #1 FAILED at 372.
Hunk #2 succeeded at 476 (offset -3 lines).
Hunk #3 FAILED at 515.
Hunk #4 FAILED at 536.
Hunk #5 FAILED at 684.
Hunk #6 FAILED at 2177.
Hunk #7 FAILED at 2294.
Hunk #8 FAILED at 2355.
Hunk #9 FAILED at 2503.
Hunk #10 FAILED at 2550.
9 out of 10 hunks FAILED -- saving rejects to file imtest/imtest.c.rej
patching file lib/imapoptions
Hunk #1 FAILED at 795.
Hunk #2 FAILED at 807.
2 out of 2 hunks FAILED -- saving rejects to file lib/imapoptions.rej

Also, the tls_server_ca_file imapd.conf setting that it tries to add already exists (though I don't know whether its purpose is the same). So maybe this functionality has been implemented or merged already?

Closing this anyway, since one way or another, no-one seems to have cared about it in years.

@elliefm elliefm closed this as completed Jun 30, 2017