You can try this:https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642 On Вторник 04 августа 2009, Zhang Weiwu wrote:> Hello.> > I am trying to help my users workaround an issue which was described here:> https://bugzilla.mozilla.org/show_bug.cgi?id=437683> > In short, cyrus imapd asked for tls client certificate, while user agent > thunderbird prompts user to select one. Since our deployment does not > require client certificate, and users have their email PGP certificate > installed, whatever PGP certificate user selects must be wrong, thus > user couldn't establish connection to imap server.> > Workarounds:> > 1. Disable TLS on server or client (bad, their email wouldn't be safe> then);> 2. Remove PGP certificate for our clients (bad, ditto);> 3. Ask users to switch from Thunderbird to Outlook Express (bad, I> feel sicker if they do);> 4. Wait for Thunderbird to add an option to allow user to configure> always not offer certificate to TLS server even if asked (bad,> could be years' waiting);> 5. Configure cyrus so that it does not turn on SSL_VERIFY_PEER flag> (of openssl), that imapd server do not ask user for client> certificate (the only solution that looks feasible);> > So 4 is the choice. Problem being I couldn't figure out how to configure > it that way. I configured "tls_require_cert: false" which sets > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls if requires the client > to provide the certificate (instead of SSL_VERIFY_PEER which controls if > asks the client to provide the certificate).> > So how do you suggest me handle the situation? Thanks a lot in advance!> -- Vladimir Vassiliev <vova@xxxxxxxxxx>----Cyrus Home Page: http://cyrusimap.web.cmu.edu/Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twikiList Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
