Re: Cyrus IMAP + Client certificate authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>It works when trying with openssl and the K-9 mobile client. Thunderbird 
>still refuses connection - I'll need to spent some more time.

Thunderbird, unfortunately, doesn't have GREAT error messaging.  I have
run into a lot of cases where the "real" error is hidden and it flattens
down the error message to something that is generic and misleading.
You can sometimes find the right error by setting the MOZ_LOG environment
variable (I do not remember the format of that variable, but I am sure
a search will give it).

But I am wondering if Thunderbird even supports client certificate
authentication?  The options I see for authentication are "Normal
password", "Encrypted password", "Kerberos/GSSAPI", and "NTLM".  None
of those are really client certificate authentication (and they all
correspond to a specific SASL mechanism).  To contrast. Apple Mail lists
all of those mechanisms but ALSO has one called "External (TLS client
certificate)" and you explicitly pick the client certificate to use, and
that's what I'd expect for client certificate support.  The certificate
settings I know about in Thunderbird are for S/MIME support and those
have nothing to do with client authentication.

It sounds like from your other email that you've done all of the difficult
bits on the Cyrus side.  I know if you crank up logging in Cyrus you
should see if a client certificate was supplied by the client; if you
don't even get that from Thunderbird then I suspect either Thunderbird
doesn't support it or something else is failing early.

Oh, I realize that I had actually downloaded the Thunderbird source code
(not the latest one but not too old) for debugging purposes, and it DOES
look like it supports EXTERNAL.  I see this in
comm/mailnews/imap/src/nsImapProtocol.cpp:

  MOZ_LOG(IMAP, LogLevel::Debug,
          ("IMAP: trying auth method 0x%" PRIx64, m_currentAuthMethod));

  if (flag & kHasAuthExternalCapability) {
    char* base64UserName = PL_Base64Encode(userName, strlen(userName), nullptr);
    nsAutoCString command(GetServerCommandTag());
    command.AppendLiteral(" authenticate EXTERNAL ");
    command.Append(base64UserName);
    command.Append(CRLF);
    PR_Free(base64UserName);
    rv = SendData(command.get());
    ParseIMAPandCheckForNewMail();

I see stuff like this in ChoseAuthMethod():

  MOZ_LOG(IMAP, LogLevel::Debug,
          ("IMAP auth: server caps 0x%" PRIx64 ", pref 0x%" PRIx64
           ", failed 0x%" PRIx64 ", avail caps 0x%" PRIx64,
           serverCaps, m_prefAuthMethods, m_failedAuthMethods, availCaps));
  // clang-format off
  MOZ_LOG(IMAP, LogLevel::Debug,
          ("(GSSAPI = 0x%" PRIx64 ", CRAM = 0x%" PRIx64 ", NTLM = 0x%" PRIx64
           ", MSN = 0x%" PRIx64 ", PLAIN = 0x%" PRIx64 ", LOGIN = 0x%" PRIx64
           ", old-style IMAP login = 0x%" PRIx64
           ", auth external IMAP login = 0x%" PRIx64 ", OAUTH2 = 0x%" PRIx64 ")",
           kHasAuthGssApiCapability, kHasCRAMCapability, kHasAuthNTLMCapability,
           kHasAuthMSNCapability, kHasAuthPlainCapability, kHasAuthLoginCapability,
           kHasAuthOldLoginCapability, kHasAuthExternalCapability,
           kHasXOAuth2Capability));

So that suggests to me you should be able to glean some ideas as to what
is going on with the appropriate MOZ_LOG level.  I am wondering if you
imported your client certificate into Thunderbird?  That would be under
Preferences -> Privacy & Security -> Manage Certificates.

--Ken

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tc3867934b82f1aa6-Me442139a5e56e1642e46014b
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription




[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux