On 2013-12-07 10:08, Stefan Gofferje wrote:
> On 12/03/2013 09:28 PM, Stefan Gofferje wrote:
>> So why does Thunderbird ask me which certificate to use for
>> authentication? Does my Cyrus ask for a client certificate or does it
>> not? ^^
>
> Nobody a clue?

It depends. On IMAPS/POP3S ports cyrus never asks for client certs. On the
other hand it always asks for them doing STARTTLS. That's caused by the way
tls_init_serverengine() is called in imapd.c and pop3d.c.

You can either connect to ports 993/995 to prevent the use of client certs
or you can completely disable client certs with this patch (still works on
2.4.17):

----------------
# cat SOURCES/cyrus-imapd-2.3.14-disable_clientcerts.patch
diff -urN cyrus-imapd-2.3.14.orig/imap/imapd.c cyrus-imapd-2.3.14/imap/imapd.c --- cyrus-imapd-2.3.14.orig/imap/imapd.c 2009-05-06 14:05:17.000000000 +0200 +++ cyrus-imapd-2.3.14/imap/imapd.c 2009-05-06 14:09:48.000000000 +0200 @@ -6764,7 +6764,7 @@ result=tls_init_serverengine("imap", 5, /* depth to verify */ - !imaps, /* can client auth? */ + 0, /* can client auth? */ !imaps); /* TLS only? */ if (result == -1) { diff -urN cyrus-imapd-2.3.14.orig/imap/pop3d.c cyrus-imapd-2.3.14/imap/pop3d.c --- cyrus-imapd-2.3.14.orig/imap/pop3d.c 2009-05-06 14:05:17.000000000 +0200 +++ cyrus-imapd-2.3.14/imap/pop3d.c 2009-05-06 14:10:05.000000000 +0200 @@ -1077,7 +1077,7 @@ result=tls_init_serverengine("pop3", 5, /* depth to verify */ - !pop3s, /* can client auth? */ + 0, /* can client auth? */ !pop3s); /* TLS only? */ if (result == -1) {
-------------------

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@xxxxxxx> | http://www.blafasel.at/
Vienna University Computer Center | Austria
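
Review bot: Hardcoding `0` as the "can client auth?" argument in the imapd.c hunk makes this a build-time, all-or-nothing switch: the STARTTLS case that used to get `!imaps` can no longer offer client authentication without rebuilding. If the aim is only to stop clients such as Thunderbird from prompting for a certificate, consider taking the value from a server configuration setting that defaults to the old `!imaps` behaviour, so that sites authenticating with client certificates over STARTTLS are not broken by the package.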
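
Review bot: In the pop3d.c hunk the bare `0` sits next to the unchanged comment `/* can client auth? */`, so nothing in the source says the value is deliberately forced off, and the same magic value is repeated from imapd.c. Add a short comment (or a shared named constant used by both files) stating that client certificate requests are intentionally disabled; that also makes it obvious if a later rebase of this 2.3.14 patch onto a newer tree quietly restores `!pop3s`.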
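
To answer the original question ("does my Cyrus ask for a client certificate or not?") from a packet capture, the following added example, which is not part of the original post or of Cyrus, scans the server's first handshake flight for a CertificateRequest message. It assumes TLS 1.2 or earlier, where that flight is sent in the clear (in TLS 1.3 the request is encrypted); all function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE = 22            # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13  # handshake type, TLS 1.2 and earlier
SERVER_HELLO_DONE = 14    # last message of the server's first flight

def handshake_types(flight: bytes) -> list:
    """List handshake message types in a plaintext server first flight."""
    # Pass 1: drop the 5-byte record headers and join handshake payloads,
    # because one handshake message may be split across several records.
    stream, pos = b"", 0
    while pos + 5 <= len(flight):
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        payload = flight[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            stream += payload
        pos += 5 + length
    # Pass 2: walk the messages (1-byte type, 3-byte big-endian length).
    types, pos = [], 0
    while pos + 4 <= len(stream):
        mlen = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(stream):
            raise ValueError("truncated handshake message")
        types.append(stream[pos])
        if stream[pos] == SERVER_HELLO_DONE:
            break  # anything after this is encrypted or not ours to parse
        pos += 4 + mlen
    return types

def asks_for_client_cert(flight: bytes) -> bool:
    return CERTIFICATE_REQUEST in handshake_types(flight)

# Constructed sample flights; message bodies are dummy bytes, not real TLS.
def _msg(mtype: int, body: bytes = b"") -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(payload: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(payload)) + payload

_B = b"\x00" * 8
_REQ = _msg(CERTIFICATE_REQUEST, _B)
# STARTTLS-style: ServerHello, Certificate, CertificateRequest (split over
# two records), ServerHelloDone.
STARTTLS_FLIGHT = (_rec(_msg(2, _B)) + _rec(_msg(11, _B) + _REQ[:5])
                   + _rec(_REQ[5:] + _msg(SERVER_HELLO_DONE)))
# IMAPS-style: same flight without the CertificateRequest.
IMAPS_FLIGHT = _rec(_msg(2, _B) + _msg(11, _B) + _msg(SERVER_HELLO_DONE))
```

Run against a capture taken before and after applying the patch, `asks_for_client_cert()` should flip from true to false on the STARTTLS port.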