On 12/03/13 19:52 +0200, Stefan Gofferje wrote:
>On 12/03/2013 04:39 PM, Dan White wrote:
>> What log entries do you see during TLS authentication?
>
>Dec 3 19:13:10 home imap[17224]: SSL_accept() succeeded -> done
>Dec 3 19:13:10 home imap[17224]: starttls: TLSv1 with cipher
>DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: login: enterprise.net.loc
>[xxx.xxx.xxx.xxx] xxxxxxxx plain+TLS User logged in

This looks successful, from the server's viewpoint.

>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: created decompress buffer of 4102 bytes
>Dec 3 19:13:10 home imap[17224]: created compress buffer of 4102 bytes
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: client id: "name" "Thunderbird"
>"version" "24.1.0"
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17225]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17225]: seen_db: user xxxxxxxx opened
>/var/lib/imap/user/s/xxxxxxxx.seen
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
>Dec 3 19:13:10 home imap[17224]: seen_db: user xxxxxxxx opened
>/var/lib/imap/user/s/sgofferj.seen
>Dec 3 19:13:10 home imap[17225]: open: user xxxxxxxx opened INBOX
>Dec 3 19:13:10 home imap[17225]: fetching user_deny.db entry for 'xxxxxxxx'
>
>> Verify that this is a server side problem with imtest.
>
>Unfortunately, I don't know how to use imtest, nor do I speak IMAP
>fluently so I could test with netcat...

imtest -t "" <host> will attempt a starttls connection without submitting a
client certificate. If that succeeds, then it proves that your server
supports TLS without client authentication. See that manpage for other
options (e.g. imaps).

>On my Android, I use K9-mail and that does not ask which client
>certificate to use but it could be that K9 doesn't support certificate
>authentication anyway plus I don't have any client certificates
>installed there...

--
Dan White

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
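A small reader for the imapd log lines quoted above, added here as an example and not part of the thread or of Cyrus itself: it pulls the TLS handshake facts (protocol, cipher, whether the TLS layer authenticated a client certificate) and the login facts (mechanism, success) out of each imapd process and flags sessions that matter for this problem. It assumes that "no authentication" in the starttls line means no client certificate was verified and that any other text means one was; the second login line in the sample is constructed as a contrast.

```python
import re

# Constructed sample, modelled on the Cyrus imapd syslog lines quoted in this
# thread (two wrapped lines rejoined); the second login is invented as a contrast.
SAMPLE_LOG = """\
Dec  3 19:13:10 home imap[17224]: starttls: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for 'xxxxxxxx'
Dec  3 19:13:10 home imap[17224]: login: enterprise.net.loc [xxx.xxx.xxx.xxx] xxxxxxxx plain+TLS User logged in
Dec  3 19:14:02 home imap[17301]: login: other.net.loc [xxx.xxx.xxx.xxx] yyyyyyyy plain User logged in
"""

# starttls: <proto> with cipher <cipher> (<bits>/<algbits> bits <new|reused>) <auth>
STARTTLS_RE = re.compile(
    r"imap\[(?P<pid>\d+)\]: starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits \S+\) (?P<auth>.*)$")
# login: <host> [<ip>] <user> <mechanism> <message>
LOGIN_RE = re.compile(
    r"imap\[(?P<pid>\d+)\]: login: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<user>\S+) "
    r"(?P<mech>\S+) (?P<msg>.*)$")

def summarize_sessions(log_text):
    """Collect the TLS handshake and login facts of each imapd process (pid)."""
    sessions = {}
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], {})
            s["tls_proto"], s["cipher"], s["bits"] = m["proto"], m["cipher"], int(m["bits"])
            # Cyrus writes "no authentication" when the TLS layer verified no
            # client certificate; assumption: any other text means it did.
            s["client_cert_auth"] = m["auth"].strip() != "no authentication"
            continue
        m = LOGIN_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], {})
            s["user"], s["mech"] = m["user"], m["mech"]
            s["login_ok"] = m["msg"].startswith("User logged in")
    return sessions

def audit(sessions):
    """Return (pid, finding) pairs: logins not protected by TLS, and TLS
    sessions in which no client certificate was authenticated."""
    findings = []
    for pid, s in sorted(sessions.items()):
        if s.get("login_ok") and not s["mech"].endswith("+TLS"):
            findings.append((pid, "mechanism %s used without TLS" % s["mech"]))
        if "tls_proto" in s and not s["client_cert_auth"]:
            findings.append((pid, "TLS layer authenticated no client certificate"))
    return findings
```

Run against a real /var/log/mail.log slice, the first finding is the one that matters for the thread: a "plain+TLS" login over a handshake marked "no authentication" means the password, not the client certificate, did the authenticating.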