On Tue, 4 Aug 2009, Zhang Weiwu wrote: > Hello. > > I am trying to help my users workaround an issue which was described here: > https://bugzilla.mozilla.org/show_bug.cgi?id=437683 > > In short, cyrus imapd asked for tls client certificate, while user agent > thunderbird prompts user to select one. Since our deployment does not > require client certificate, and users have their email PGP certificate > installed, whatever PGP certificate user selects must be wrong, thus > user couldn't establish connection to imap server. I've used patch like this to patch Cyrus IMAPD: Add to your imapd.conf: # Wheter to request client certificate with STARTTLS session. # ##tls_request_cert: 1 # Wheter to request client certificate with STARTTLS session. # imap_tls_request_cert: 0 pop3_tls_request_cert: 0 Patch: --- imap/tls.c.orig Fri Oct 28 17:51:18 2005 +++ imap/tls.c Thu Mar 2 12:45:28 2006 @@ -580,6 +580,7 @@ const char *s_cert_file; const char *s_key_file; int requirecert; + int requestcert; int timeout; if (tls_serverengine) @@ -684,8 +688,11 @@ SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); verify_depth = verifydepth; - if (askcert!=0) - verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + if (askcert!=0) { + requestcert = config_getswitch(IMAPOPT_TLS_REQUEST_CERT); + if (requestcert) + verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + } requirecert = config_getswitch(IMAPOPT_TLS_REQUIRE_CERT); if (requirecert) --- lib/imapoptions Wed Feb 1 21:44:06 2006 +++ lib/imapoptions Thu Mar 2 12:45:28 2006 @@ -956,6 +956,9 @@ /* File containing the private key belonging to the server certificate. A value of "disabled" will disable SSL/TLS. */ +{ "tls_request_cert", 1, SWITCH } +/* Request a client certificate for ALL services (imap, pop3, lmtp, sieve). */ + { "tls_require_cert", 0, SWITCH } /* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */ -- Leena Heino University of Tampere / Computer Centre ( liinu at uta.fi ) ( http://www.uta.fi/laitokset/tkk ) ---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
