Hello Goetz,

Goetz Babin-Ebell wrote:
> Andreas Benzing wrote:
>> Hello once more,
>
> Hello Andreas,
>
>> Goetz Babin-Ebell wrote:
>>> Andreas Benzing wrote:
>>> the tls_ca_path directory is used in certificate verification: a checksum is calculated from the issuer DN of the cert to verify, and this 32 bit value is used as a file name in tls_ca_path to load the CA certificate.
>>
>> Now this and the hint with c_rehash makes things clearer. I didn't know that Cyrus is only looking for specific filenames. So it works now =)
>
> the 32 bit hash is the only way to determine the file name from the subject / issuer DN...
>
>> Which takes me to the next question that may be in the wrong place here: I only came to this problem because when connecting with Thunderbird there was an error establishing an encrypted connection. After investigating the logfiles I found that the server could not verify a cert I wanted to use with Thunderbird to sign messages. Now the question is: Why did Thunderbird try to authenticate with the cert when my server (with the old config) did not have any CA certs at all?
>
> Accepting client authentication without providing the list of acceptable CA certificates is a misconfiguration that is not common but happens. My knowledge of the TLS specification is not that deep to know how the client and server SHOULD act in this situation, but some clients pick a client certificate and send it to the server. OpenSSL allows this misconfiguration but requires that the client certificate is verified by callbacks provided by the user of the library. To make it clear:
>
> Server: "I accept client certificates but won't tell you which CAs I trust"
> Client: "OK, let's try this one..."
> Server: "Sorry, I don't know your issuer."

After some more research I finally found out that Thunderbird should not yet try to authenticate with certs anyway. The whole thing is not completely implemented but cannot be switched off, except for having TBird ask for which cert to use every time and then "cancel".

THX for your help

Andreas
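
The hashed-directory lookup discussed in this message, as an added example that is not part of the original thread: it links a CA certificate under its `<hash>.<n>` name (the per-file step that c_rehash performs) and shows that `openssl verify -CApath` only finds the CA once that link exists. The function names, the temporary directory and the throwaway CA are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. All file names are constructed.

# Create a throwaway self-signed CA certificate (constructed sample input).
make_constructed_ca() {   # $1 = directory to write ca.pem / ca.key into
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Link a CA certificate under the name the directory lookup expects:
# <8-hex-digit subject hash>.<n>, n = first free index for that hash.
# Prints the link name.
link_ca() {               # $1 = PEM certificate inside $2, $2 = CA directory
    hash=$(openssl x509 -noout -hash -in "$1") || return 1
    n=0
    while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$1")" "$2/$hash.$n" || return 1
    printf '%s.%s\n' "$hash" "$n"
}

# True only if the certificate chains to a CA found via the hashed directory.
# The output is parsed because old openssl builds exit 0 even on failure.
verifies_with_capath() {  # $1 = certificate to check, $2 = CA directory
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    make_constructed_ca "$d" || return 1
    # ca.pem is already in the directory, but not under its hash name yet.
    if verifies_with_capath "$d/ca.pem" "$d"; then
        echo "unexpected: verified before linking"
    else
        echo "before linking: issuer not found"
    fi
    echo "linked as: $(link_ca "$d/ca.pem" "$d")"
    if verifies_with_capath "$d/ca.pem" "$d"; then
        echo "after linking: verified"
    fi
    rm -rf "$d"
}

# Run the walk-through only when asked: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```
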