Re: Disable client authentication with certificates

Stefan Gofferje <lists@xxxxxxxxxxxxxxxxx> · Tue, 03 Dec 2013 19:52:06 +0200

On 12/03/2013 04:39 PM, Dan White wrote:
> What log entries do you see during TLS authentication?

Dec  3 19:13:10 home imap[17224]: SSL_accept() succeeded -> done
Dec  3 19:13:10 home imap[17224]: starttls: TLSv1 with cipher
DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: login: enterprise.net.loc
[xxx.xxx.xxx.xxx] xxxxxxxx plain+TLS User logged in
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: created decompress buffer of 4102 bytes
Dec  3 19:13:10 home imap[17224]: created compress buffer of 4102 bytes
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: client id: "name" "Thunderbird"
"version" "24.1.0"
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17225]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17225]: seen_db: user xxxxxxxx opened
/var/lib/imap/user/s/xxxxxxxx.seen
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: seen_db: user xxxxxxxx opened
/var/lib/imap/user/s/sgofferj.seen
Dec  3 19:13:10 home imap[17225]: open: user xxxxxxxx opened INBOX
Dec  3 19:13:10 home imap[17225]: fetching user_deny.db entry for 'xxxxxxxx'

> Verify that this is a server side problem with imtest.

Unfortunately, I don't know how to use imtest, nor do I speak IMAP
fluently so I could test with netcat...

On my Android, I use K9-mail and that does not ask which client
certificate to use but it could be that K9 doesn't support certificate
authentication anyway plus I don't have any client certificates
installed there...

-S

-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface

Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus