Sebastian Hagedorn wrote:
> Hi Jeff,
>
> --On 21 January 2009 11:19:31 -0500 Jeff Blaine <jblaine@xxxxxxxxxxxx>
> wrote:
>
>> Sorry for the delay -- I had my wedding and a brief
>> mini-honeymoon to attend to ;)
>
> congrats!

Thanks :)

>>> How about Thunderbird using a password for authentication? Is that an
>>> option at all?
>>
>> I realize this is a little "all over the road" here,
>> but bear with me as I am just trying to get something
>> working at this point for our users who are now
>> without secure IMAP :(
>>
>> With "TLS" selected in Thunderbird, I am given no
>> choice but to select a client certificate. See
>> attached images.
>
> I wonder why that is. The only reason that comes to mind is that you
> *have* a certificate. I don't and so I'm never asked to use it. So why
> don't you try removing your certificate? Honestly, I would expect the
> same to happen that happens when you use SSL, but you never know.

I'll try to do this and get back to you.

>> Another user reports that GNU Emacs with the Gnus
>> client works with SSL and port 993. I've confirmed
>> this in the log:
>>
>> Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login:
>> jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in
>>
>> If I configure Thunderbird to do that (SSL via 993),
>> I get the following:
>>
>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS
>> server engine: cannot load CA data
>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice]
>> imapd:Loading hard-coded DH parameters
>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS
>> negotiation failed: myclient.our.com
>> Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal
>> error: tls_start_servertls() failed
>
> I have no idea why that happens. I just tried it myself and got the
> following in our log:
>
> Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
> Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete -> wait
> Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded -> done
> Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher
> AES256-SHA (256/256 bits new) no authentication
> Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in
>
> Could it be that your OpenSSL version or your certificate somehow don't
> support features that Thunderbird requires? I'm really no expert, but I
> know that client and server *negotiate* about these things. And the
> error reads "negotiation failed" ...

FWIW, Thunderbird with SSL on port 993 pops up a box saying "incorrect
Message authentication code". I forgot to mention that.

> If your server is accessible over the Internet, perhaps I could try
> connecting to it with "openssl s_client". That might tell us something.
> You can try that as well, of course.

Obvious sanitizing below:

bash-2.05# /imapsrv/bin/openssl s_client -connect imapsrv:993
CONNECTED(00000004)
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=our.com/OU=Servers/CN=imapsrv.our.com
   i:/O=our.com/OU=Certificate Authority/CN=Our Corporation Primary CA-1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDWzCCAkOgAwIBAgICKCQw--blah-blah...
blah...6nfEfM9VDXKFAQw1EpXU=
-----END CERTIFICATE-----
subject=/O=our.com/OU=Servers/CN=imapsrv.our.com
issuer=/O=our.com/OU=Certificate Authority/CN=Our Corporation Primary CA-1
---
No client certificate CA names sent
---
SSL handshake has read 1427 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7CFF7259D4E28002.....................8BC4F829E0C0FC90700
    Session-ID-ctx:
    Master-Key: FDA05F594004CE18421274................490D4B93678C4.............8DBD9610C89D
    Key-Arg   : None
    Start Time: 1232559254
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
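The s_client output in the message shows the symptom a chain check would flag: the server sends only its leaf certificate, the issuer "Our Corporation Primary CA-1" is not in the chain, and the verify return code is 21. As an added example (not code from the thread or from Cyrus), a small parser that reads such output and reports the missing issuer; the sample output is constructed from the excerpt above.

```python
"""Check an `openssl s_client` transcript for an incomplete certificate chain."""
import re

# Constructed sample, trimmed from the s_client output quoted in the mail.
SAMPLE = """\
CONNECTED(00000004)
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/O=our.com/OU=Servers/CN=imapsrv.our.com
   i:/O=our.com/OU=Certificate Authority/CN=Our Corporation Primary CA-1
---
No client certificate CA names sent
---
    Verify return code: 21 (unable to verify the first certificate)
"""


def parse_chain(output):
    """Return (subject, issuer) pairs from the 'Certificate chain' block."""
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
            continue
        if in_chain and line.startswith("---"):
            break  # end of the chain block
        if not in_chain:
            continue
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subject = m.group(1)
            continue
        m = re.match(r"\s+i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, m.group(1)))
            subject = None
    return chain


def diagnose(output):
    """Summarise chain depth, verify code and any issuer the server did not send."""
    chain = parse_chain(output)
    m = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    subjects = {s for s, _ in chain}
    # An issuer that is neither self-signed nor present as a later subject is missing.
    missing = [i for s, i in chain if i != s and i not in subjects]
    return {"depth": len(chain), "verify_code": int(m.group(1)) if m else None,
            "verify_text": m.group(2) if m else None, "missing_issuers": missing,
            "client_ca_names_sent": "No client certificate CA names sent" not in output,
            "chain_complete": not missing}
```

A complete chain with a self-signed root yields `chain_complete: True`; the transcript from the mail yields the CA-1 issuer under `missing_issuers`.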