Re: Cyrus IMAP + Client certificate authentication

On 03.08.2023 14:37, Ken Hornstein via SASL wrote:
As part of the TLS negotiation the TLS server tells the client, "here's
a list of CA's I will accept client certificates for".  So the first
question I would ask is, "Is Cyrus sending a list of CAs?"  You can check
this with the openssl command line utility "s_client".  E.g.:

% openssl s_client -starttls imap -connect imap-server:143

You'll see a bunch of stuff printed out.  What you WANT to see is:

Acceptable client certificate CA names
/C=CA-name/CN=your CA 1
/C=CA-name/CN=your CA 2
[...]

I can see that list - so that part should be ok.

The list of CAs sent I _believe_ is controlled by the config file
entry "tls_client_ca_file" (you should also probably set tls_client_ca_dir
pointing to a hashed directory containing the complete certificate
bundle for your PKI).  Also note the "tls_client_certs" entry which controls
whether or not a client certificate is optional, required, or disabled.
I also remember seeing that if you crank up logging on the IMAP server
it should log the certificate commonName if one was presented.

I see that openssl s_client also supports sending a client certificate
so you could test things out that way (I don't know if you're using
a smartcard or not, it looks like only newer openssls support that and
getting a smartcard working with openssl is a pain).

I'm using a "normal" certificate - no smartcard. Trying to authenticate using openssl is good advice. The next few days I won't have much time to spend on that, but I'll get back to you next week.

Best,

Johannes
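The s_client check Ken describes above, scripted so it can be repeated against any host and parsed instead of eyeballed. This is an added example, not code from the thread or from Cyrus; it assumes the "Acceptable client certificate CA names" block is followed by one subject per line (old "/C=..." or new "C = ..." style) until the next non-subject line, and the sample output below is constructed, not a real server capture.

```sh
#!/bin/sh
# Check whether an IMAP server advertises client-certificate CAs during
# STARTTLS by parsing `openssl s_client` output. Added example; assumes the
# CA list layout described in the lead-in.

# Run the handshake and return everything s_client prints. stdin is /dev/null
# so s_client exits right after the handshake instead of waiting for input.
fetch_tls_output() {
    openssl s_client -starttls imap -connect "$1" </dev/null 2>&1
}

# Read s_client output on stdin and print the advertised CA subjects, one per
# line. Prints nothing when the server sent no list ("No client certificate
# CA names sent"), which is the symptom to look for first.
extract_client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        # Subjects start with "/" (old OpenSSL) or "C = ..." (newer OpenSSL).
        in_list && /^(\/|[A-Z]+ ?=)/ { print; next }
        in_list { in_list = 0 }   # first non-subject line ends the list
    '
}

# Count advertised CAs; prints 0 (and still succeeds) when there are none.
count_client_cas() {
    extract_client_ca_names | grep -c . || true
}

# Constructed sample output (not captured from a real server).
SAMPLE_OUTPUT='---
Acceptable client certificate CA names
/C=CA-name/CN=your CA 1
/C=CA-name/CN=your CA 2
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 3456 bytes and written 456 bytes'

# Constructed sample for a server that requests no client certificate.
SAMPLE_NONE='---
No client certificate CA names sent
---'

# Usage: ./check_client_cas.sh imap-server:143
if [ -n "${1:-}" ]; then
    fetch_tls_output "$1" | extract_client_ca_names
fi
```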
