Re: Cyrus IMAP + Client certificate authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


>Thanks for your thoughts about that. Just one stupid question: How do I 
>tell cyrus-imap to accept TLS certificate at login? Should be possible 
>with SASL/EXTERNAL, right? If I add EXTERNAL to sasl_mech_list that 
>changes nothing. Trying to connect with Thunderbird (configured to 
>authenticate with a TLS certificate) it tells me the authentication 
>method isn't supported by the server.

Well, by the time SASL/EXTERNAL is invoked, the TLS negotiation should
have already taken place.  The sequence should be:

- Send client certificate

I don't know how much you know about how TLS works, so I'll explain a bit
for background.

As part of the TLS negotiation the TLS server tells the client, "here's
a list of CA's I will accept client certificates for".  So the first
question I would ask is, "Is Cyrus sending a list of CAs?"  You can check
this with the openssl command line utility "s_client".  E.g.:

% openssl s_client -starttls imap -connect imap-server:143

You'll see a bunch of stuff printed out.  What you WANT to see is:

Acceptable client certificate CA names
/C=CA-name/CN=your CA 1
/C=CA-name/CN=your CA 2

(Obviously this varies depending on your issuing CAs)

If you see:

No client certificate CA names sent

Then that's the problem.

The list of CAs sent I _believe_ is controlled by the config file
entry "tls_client_ca_file" (you should also probably set tls_client_ca_dir
pointing to a hashed directory containing the complete certificate
bundle for your PKI).  Also note the "tls_client_certs" entry which controls
whether or not a client certificate is optional, required, or disabled.
I also remember seeing that if you crank up logging on the IMAP server
it should log the certificate commonName if one was presented.

I see that openssl s_client also supports sending a client certificate
so you could test things out that way (I don't know if you're using
a smartcard or not, it looks like only newer openssls support that and
getting a smartcard working with openssl is a pain).


Cyrus: SASL
Delivery options:

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux