Re: tls_ca_path and tls_ca_file

Hello Goetz,

Goetz Babin-Ebell wrote:
Andreas Benzing schrieb:
Hello once more,
Hello Andreas,

Goetz Babin-Ebell wrote:
Andreas Benzing schrieb:

the tls_ca_path directory is used in certificate verification:
a checksum is calculated from the issuer DN of the cert to verify;
this 32-bit value is used as a file name in tls_ca_path to load
the CA certificate.
Now this and the hint with c_rehash makes things clearer. I didn't know
that cyrus is only looking for specific filenames. So it works now =)

the 32-bit hash is the only way to determine the file name
from the subject / issuer DN...

Which takes me to the next question that may be in the wrong place here:
I only came to this problem because when connecting with thunderbird
there was an error establishing an encrypted connection. After
investigating the logfiles I found that the server could not verify a
cert I wanted to use with thunderbird to sign messages.
Now the question is: Why did thunderbird try to authenticate with the
cert when my server (with the old config) did not have any CA certs at all?

Accepting client authentication without providing the list of
acceptable CA certificates is a misconfiguration that is not
common but happens.

My knowledge of the TLS specification is not that deep to know
how the client and server SHOULD act in this situation,
but some clients pick a client certificate and send it to
the server.
OpenSSL allows this misconfiguration but requires that
the client certificate is verified by callbacks provided
by the user of the library.

To make it clear:

Server: "I accept client certificate but won't tell you
         which CAs I trust"
Client: "OK, let's try this one..."
Server: "Sorry, I don't know your issuer."

After some more research I finally found out that Thunderbird should not yet try to authenticate with certs anyway. The whole thing is not completely implemented but cannot be switched off, except for having TBird ask for which cert to use every time and then "cancel".

THX for your help

Andreas


----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
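Added example, not from this thread or from the Cyrus or OpenSSL code: Python that DER-encodes a CA subject DN and derives the hashed file name that the pre-1.0.0 OpenSSL lookup (X509_NAME_hash_old, what c_rehash emulates for that era) expects under tls_ca_path, i.e. the first four bytes of the MD5 of the DER name read as a little-endian 32-bit integer, written as eight hex digits plus a ".0" collision index. Assumptions: attribute values are ASCII PrintableStrings and the DN attribute set is the small subset listed in OIDS; the real hash covers the name bytes exactly as they appear in the certificate, so `openssl x509 -noout -hash -in ca.pem` on the actual file is authoritative (OpenSSL 1.0.0 and later switched to a SHA-1 based canonical hash and expose the old one as `-subject_hash_old`).

```python
import hashlib
import struct

# DER OID values (without tag/length) for the DN attributes this example supports.
OIDS = {
    "C": b"\x55\x04\x06",   # countryName
    "O": b"\x55\x04\x0a",   # organizationName
    "OU": b"\x55\x04\x0b",  # organizationalUnitName
    "CN": b"\x55\x04\x03",  # commonName
}


def _tlv(tag, payload):
    """DER tag-length-value; handles the short and two-byte long length forms."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + payload


def encode_name(rdns):
    """DER-encode a DN given as [("C", "DE"), ("CN", "Test CA")].

    Each RDN becomes SET { SEQUENCE { OID, PrintableString } } and the whole
    name is a SEQUENCE of those sets, in the order given (DER keeps DN order).
    """
    out = b""
    for attr, value in rdns:
        atv = _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(0x13, value.encode("ascii")))
        out += _tlv(0x31, atv)
    return _tlv(0x30, out)


def old_name_hash(rdns):
    """X509_NAME_hash_old: first 4 bytes of MD5(DER name) as little-endian uint32."""
    digest = hashlib.md5(encode_name(rdns)).digest()
    return struct.unpack("<I", digest[:4])[0]


def ca_path_filename(rdns, index=0):
    """File name OpenSSL looks for in tls_ca_path: <8 hex digits>.<index>.

    The index distinguishes several CAs whose names collide on the hash.
    """
    return "%08x.%d" % (old_name_hash(rdns), index)


if __name__ == "__main__":
    ca = [("C", "DE"), ("O", "Example"), ("CN", "Test CA")]  # constructed sample DN
    print("symlink name for this CA:", ca_path_filename(ca))
```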
