On 12/03/2013 08:01 PM, Dan White wrote:
>> On 12/03/2013 04:39 PM, Dan White wrote:
> This looks successful, from the server's viewpoint.

Yes, yes, when I click "cancel" when Thunderbird asks which certificate to use, everything goes fine. However, if I *do* tell Thunderbird to use a certificate, the following happens:

Dec 3 21:19:50 home imap[17566]: executed
Dec 3 21:19:50 home imap[17566]: accepted connection
Dec 3 21:19:50 home imap[17567]: executed
Dec 3 21:19:50 home imap[17567]: accepted connection
Dec 3 21:19:50 home imap[17568]: executed
Dec 3 21:19:50 home imap[17568]: accepted connection
Dec 3 21:19:58 home imap[17568]: DBMSG: 20 lockers
Dec 3 21:19:58 home imap[17568]: TLS server engine: cannot load CA data
Dec 3 21:19:58 home imap[17566]: TLS server engine: cannot load CA data
Dec 3 21:19:58 home imap[17566]: imapd:Loading hard-coded DH parameters
Dec 3 21:19:58 home imap[17568]: imapd:Loading hard-coded DH parameters
Dec 3 21:19:58 home imap[17567]: TLS server engine: cannot load CA data
Dec 3 21:19:58 home imap[17567]: imapd:Loading hard-coded DH parameters
Dec 3 21:19:58 home imap[17566]: SSL_accept() incomplete -> wait
Dec 3 21:19:58 home imap[17568]: SSL_accept() incomplete -> wait
Dec 3 21:19:58 home imap[17567]: SSL_accept() incomplete -> wait
Dec 3 21:20:11 home imap[20102]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:11 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:11 home imap[17566]: Doing a peer verify
Dec 3 21:20:11 home imap[17566]: verify error:num=20:unable to get local issuer certificate
Dec 3 21:20:11 home imap[17566]: no certificate returned in SSL_accept() -> fail
Dec 3 21:20:11 home imap[17566]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec 3 21:20:11 home imap[17566]: Connection reset by peer, closing connection
Dec 3 21:20:11 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:11 home imap[20102]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:12 home imap[20104]: SQUAT failed to open index file
Dec 3 21:20:12 home imap[20104]: SQUAT failed
Dec 3 21:20:12 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:12 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:13 home imap[20104]: fetching user_deny.db entry for 'xxxxxxxx'
Dec 3 21:20:14 home imap[17567]: Doing a peer verify
Dec 3 21:20:14 home imap[17567]: verify error:num=20:unable to get local issuer certificate
Dec 3 21:20:14 home imap[17567]: no certificate returned in SSL_accept() -> fail
Dec 3 21:20:14 home imap[17567]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec 3 21:20:17 home imap[17568]: Doing a peer verify
Dec 3 21:20:17 home imap[17568]: verify error:num=20:unable to get local issuer certificate
Dec 3 21:20:17 home imap[17568]: no certificate returned in SSL_accept() -> fail
Dec 3 21:20:17 home imap[17568]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec 3 21:20:17 home imap[17567]: Connection reset by peer, closing connection

> imtest -t "" <host>
>
> will attempt a starttls connection without submitting a client certificate.
> If that succeeds, then it proves that your server supports TLS without
> client authentication.

I know that it does :) - see above...

But here is the output:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] home.gofferje.net Cyrus IMAP v2.3.16 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 256

So why does Thunderbird ask me which certificate to use for authentication? Does my Cyrus ask for a client certificate or does it not? ^^

-S

-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
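The syslog excerpt above answers the poster's question on its own: "Doing a peer verify" is only logged once the client has actually handed over a certificate, and the preceding "TLS server engine: cannot load CA data" explains why every such certificate then fails with num=20 (no issuer available locally). The following script is an added example, not part of the thread or of Cyrus: it groups Cyrus imapd messages by child PID and classifies each session accordingly. The log sample is constructed after the excerpt (PIDs and the client address are made up).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's syslog excerpt (PIDs and address are made up).
SAMPLE_LOG = """\
Dec  3 21:19:50 home imap[17566]: accepted connection
Dec  3 21:19:58 home imap[17566]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: SSL_accept() incomplete -> wait
Dec  3 21:20:11 home imap[17566]: Doing a peer verify
Dec  3 21:20:11 home imap[17566]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:11 home imap[17566]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:11 home imap[17566]: STARTTLS negotiation failed: client.example [192.0.2.10]
Dec  3 21:21:00 home imap[17599]: accepted connection
Dec  3 21:21:02 home imap[17599]: TLS server engine: cannot load CA data
Dec  3 21:21:02 home imap[17599]: SSL_accept() incomplete -> wait
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ imap\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_sessions(log_text):
    """Group messages by imapd child PID; each child serves one connection."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m.group("pid")].append(m.group("msg"))
    return sessions

def classify(msgs):
    """Diagnose one session from its ordered messages."""
    ca_missing = any("cannot load CA data" in m for m in msgs)
    # "Doing a peer verify" is logged from the verify callback, i.e. only after
    # the client has presented a certificate in response to the server's request.
    peer_verify = any(m == "Doing a peer verify" for m in msgs)
    verify_err = next((m for m in msgs if m.startswith("verify error:")), None)
    if not peer_verify:
        return "NO_CLIENT_CERT_PRESENTED"
    if verify_err is None:
        return "CLIENT_CERT_VERIFIED"
    # num=20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: issuer not in the CA store.
    if "num=20" in verify_err and ca_missing:
        return "CLIENT_CERT_REJECTED_CA_STORE_NOT_LOADED"
    return "CLIENT_CERT_REJECTED"

def diagnose(log_text):
    """Map each imapd PID to its diagnosis."""
    return {pid: classify(msgs) for pid, msgs in parse_sessions(log_text).items()}

if __name__ == "__main__":
    for pid, verdict in sorted(diagnose(SAMPLE_LOG).items()):
        print(pid, verdict)
```

A session tagged CLIENT_CERT_REJECTED_CA_STORE_NOT_LOADED points at the server's CA configuration rather than at the client certificate itself; fixing the CA file (or not requesting client certificates at all) is what stops Thunderbird's prompt from ending in a failed handshake.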