Hi Lenz,
I found a solution to my problem. I had to increase the Diffie-Hellman parameter size for Courier, because the standard size created with mkdhparams on a Debian system is still 768 bit.

mv /etc/courier/dhparams.pem /etc/courier/dhparams.pem.backup
openssl dhparam -out /etc/courier/dhparams.pem 2048
make the permissions of the new dhparams.pem the same as the old one's
restart imap-ssl

In the future Debian will offer a patch so that mkdhparams creates DH parameters with a larger bit size.

Thomas Barth
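To verify a fix like the one Thomas describes, here is an added example (not from the thread and not Courier's or Debian's own tooling) that reads the DH group size out of a dhparams.pem using only the Python standard library. It decodes the PEM "DH PARAMETERS" block and walks the PKCS#3 DER structure (SEQUENCE of INTEGER p, INTEGER g), reporting the bit length of p, which is the figure `openssl dhparam -text` prints. The sample parameters it builds with `make_dh_pem` are constructed (arbitrary odd numbers, not real primes, not Debian's 768-bit file) purely to exercise the parser; run it against the real file with `python3 dhcheck.py /etc/courier/dhparams.pem`.

```python
"""Report the DH group size in a Courier dhparams.pem (added example).

Standard library only: it decodes the PEM "DH PARAMETERS" block and walks
the PKCS#3 DER structure SEQUENCE { INTEGER p, INTEGER g, ... }.
Usage: python3 dhcheck.py /etc/courier/dhparams.pem
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

MINIMUM_BITS = 2048   # the size the thread regenerates to; 768 is what it replaces


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_integer(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length


def dh_params_from_pem(pem_text):
    """Return (p, g) from the first DH PARAMETERS block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, pos = _der_length(der, 1)       # step over the SEQUENCE header
    p, pos = _der_integer(der, pos)
    g, _ = _der_integer(der, pos)
    return p, g


def dh_bits(pem_text):
    """Bit length of the DH prime, i.e. what 'openssl dhparam -text' prints."""
    return dh_params_from_pem(pem_text)[0].bit_length()


def dh_is_strong_enough(pem_text, minimum_bits=MINIMUM_BITS):
    return dh_bits(pem_text) >= minimum_bits


# --- encoder, used only to build constructed test input -------------------

def _der_encode_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_encode_integer(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
    return b"\x02" + _der_encode_length(len(body)) + body


def make_dh_pem(p, g):
    """Build a PEM DH PARAMETERS block for p and g (constructed sample data;
    p is NOT checked for primality, so never use this to make real parameters)."""
    body = _der_encode_integer(p) + _der_encode_integer(g)
    der = b"\x30" + _der_encode_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


# Constructed 768-bit and 2048-bit "primes" (arbitrary odd numbers, only for
# exercising the parser; they stand in for the old and the regenerated file).
SAMPLE_P_768 = (1 << 767) | 0x1234567
SAMPLE_P_2048 = (1 << 2047) | 0x1234567

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/courier/dhparams.pem"
    with open(path) as fh:
        bits = dh_bits(fh.read())
    verdict = "ok" if bits >= MINIMUM_BITS else "too small, regenerate"
    print("%s: %d-bit DH group (%s)" % (path, bits, verdict))
```

The parser only reads the first two INTEGERs, so it also copes with X9.42-style files that carry a q after g. Pair the size check with a look at the file's owner and mode after regenerating, since the `mv` in the procedure above leaves the new file with whatever permissions openssl created it with.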


On 24.07.2015 at 18:38, Lenz Weber wrote:
Hi Thomas,
those bug reports read to me as if TLS in general is disabled with
certain OpenSSL libraries.
As everything else (including STARTTLS and TLS) is working just fine,
I guess it's just some misconfiguration and nothing to do with Thunderbird.

Thanks for the input,
Lenz

On 24.07.2015 at 07:35, Thomas Barth wrote:
Hello Lenz, which version of Thunderbird are you using?
Thunderbird 38.1.0 for Windows and Thunderbird 37.8.0 for Linux
(Ubuntu) are no longer compatible with some POP3/IMAP servers when
using SSL/TLS security.

https://bugzilla.mozilla.org/show_bug.cgi?id=1183650
https://www.thunderbird-mail.de/index.php/Thread/70861-Verbindungssicherheit-STARTTLS-funktioniert-seit-TB-38-1-0-nicht-mehr

In Ubuntu I switched to the e-mail client Evolution, and in Windows
I reinstalled Thunderbird 38.0.1 and disabled the automatic update
function.



On 24.07.2015 at 00:11, Lenz Weber wrote:
Hi Sam, I'm trying to get this running, but I fear I won't get any
further without your feedback. Logging in with a certificate just
doesn't work. :(

I have created a CA certificate and a client certificate. The CA
has signed itself and the client:

openssl verify -verbose -CAfile courier-ca.crt *.crt
courier-ca.crt: OK
t...@lenzw.de.crt: OK
My userdb contains a line for that login and I have run
makeuserdb.

t...@lenzw.de mail=/var/vmail/lenzw.de/mail/|uid=5000|gid=5000
imapd is configured accordingly (the certificate exists and has
world-read permissions):

TLS_TRUSTCERTS=/etc/ssl/certs/mail-ca.crt
TLS_VERIFYPEER=PEER
TLS_EXTERNAL=emailaddress
I tested connecting on port 143 with STARTTLS as well as port 993.

openssl s_client -connect umask.pw:993 -cert t...@lenzw.de.crt -key t...@lenzw.de.key
...
Acceptable client certificate CA names
/C=DE/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.fw.umask.pw
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
...
So the cert I am using should work okay:

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw
Validity
    Not Before: Jul 23 21:10:50 2015 GMT
    Not After : Aug  1 21:10:50 2016 GMT
Subject: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw/emailAddress=t...@lenzw.de

When I try to login with Thunderbird, it lets me choose my
key+certificate, but login doesn't work:

1196[129a4bc0]: try to log in
1196[129a4bc0]: IMAP auth: server caps 0x204c3325, pref 0x20000000, failed 0x0, avail caps 0x20000000
1196[129a4bc0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
1196[129a4bc0]: trying auth method 0x20000000
1196[129a4bc0]: IMAP: trying auth method 0x20000000
1196[129a4bc0]: 13ba0800:umask.pw:NA:SendData: 3 authenticate EXTERNAL dGVzdEBsZW56dy5kZQ==
1196[129a4bc0]: ReadNextLine [stream=18445650 nb=20 needmore=0]
1196[129a4bc0]: 13ba0800:umask.pw:NA:CreateNewLineFromSocket: 3 NO Login failed.
1196[129a4bc0]: authlogin failed
Unfortunately, I don't get much more information from Courier:

Jul 23 23:58:03 localhost imapd-ssl: Connection, ip=[::ffff:...]
Jul 23 23:58:06 localhost imapd-ssl: LOGIN FAILED, method=EXTERNAL, ip=[::ffff:...]
Jul 23 23:58:12 localhost imapd-ssl: Disconnected, ip=[::ffff:...], time=9, starttls=1

Are there any more logging options in Courier that I can enable?
This mode seems to bypass authdaemon and I haven't found any log
level options besides authdaemon's.

Sorry for the long mail and thank you for reading it, Lenz



On 22.07.2015 at 14:21, Sam Varshavchik wrote:
Sam Varshavchik writes:

Lenz Weber writes:

Hi, sorry, but I have not found any documentation on
this:

I see that I can add a CA certificate to TLS_TRUSTCERTS
and then set TLS_VERIFYPEER to PEER to enable certificate
authentication.

But with just that setup, if one client key is
compromised, I have to change the complete CA. Is there
a way to revoke a single certificate?
Nope. There is no support for revocation lists at this
time.
Note, though, that you can achieve pretty much the same
thing via authentication.

Client certificates work by having the code fish out the
emailAddress attribute from the client's certificate and
using it to log in. So, to effectively revoke the
certificate, remove the login, and create another one, with
a new certificate.

Even with /etc/passwd, you can have two entries in
/etc/passwd with different login names, but same userid,
groupid, and home directory. One is the public email
address, the second one is for logging in. To effectively
revoke a cert, the second one is removed, and replaced. So,
one would have <u...@example.com> as their public email
address, and their certificate reads <mb2...@example.com>,
which logs into this mailbox. Left to its own devices, mail
to either address would end up in the same mailbox, but so
what. To "remove" the certificate, the <mb2...@example.com>
login gets deleted, and replaced with <mb2...@example.com>;
the public email address is unaffected.
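Sam's scheme above (the emailAddress attribute of the client certificate becomes the login, so revoking a certificate means deleting that login while the public address keeps its mailbox) and the AUTHENTICATE EXTERNAL exchange in Lenz's Thunderbird log are modelled together in this added Python example. It is not Courier's code: it parses userdb lines in the form quoted in the thread, decodes the base64 authzid of an AUTHENTICATE EXTERNAL command, extracts emailAddress from an OpenSSL-style subject string and decides the login. All sample data (userdb entries, subject, command) is constructed, and the rule that a non-empty authzid must equal the certificate identity is an assumption of the model, not documented Courier behaviour.

```python
"""Model of a TLS_EXTERNAL=emailaddress login and of revocation-by-login
removal (added example, not Courier's implementation)."""
import base64
import re

# Constructed sample userdb: two logins sharing one mailbox, the
# "public address / certificate login" split described in the thread.
SAMPLE_USERDB = """\
user@example.com\tmail=/var/vmail/example.com/user/|uid=5000|gid=5000
mb2-user@example.com\tmail=/var/vmail/example.com/user/|uid=5000|gid=5000
"""

# Constructed subject of the client certificate, in the form openssl prints it.
SAMPLE_SUBJECT = ("C=DE, ST=Some-State, O=Example Org, "
                  "CN=mail.example.com/emailAddress=mb2-user@example.com")

# Constructed IMAP command; the base64 is the authzid "mb2-user@example.com".
SAMPLE_COMMAND = "3 authenticate EXTERNAL bWIyLXVzZXJAZXhhbXBsZS5jb20="


def parse_userdb(text):
    """Map login -> field dict from 'login<ws>key=value|key=value' lines.
    Assumption: whitespace separates the login from its fields, as in the
    userdb line quoted in the thread."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        fields = parts[1] if len(parts) > 1 else ""
        db[parts[0]] = dict(f.split("=", 1) for f in fields.split("|") if "=" in f)
    return db


def subject_email(subject):
    """emailAddress attribute of a subject string, in '/'- or ', '-separated form."""
    m = re.search(r"(?:^|[/,]\s*)emailAddress=([^/,]+)", subject)
    return m.group(1).strip() if m else None


def parse_authenticate(line):
    """Split 'TAG AUTHENTICATE MECH [initial-response]'; the initial response
    is base64 of the SASL authzid, and '=' means an empty one (RFC 4422)."""
    parts = line.strip().split()
    if len(parts) < 3 or parts[1].upper() != "AUTHENTICATE":
        raise ValueError("not an AUTHENTICATE command")
    tag, mech = parts[0], parts[2].upper()
    authzid = ""
    if len(parts) > 3 and parts[3] != "=":
        authzid = base64.b64decode(parts[3]).decode()
    return tag, mech, authzid


def external_login(cert_subject, command, userdb):
    """Decide an EXTERNAL login: identity = certificate emailAddress, which
    must be a login in userdb. Returns (server reply, account fields or None).
    Assumed model: an authzid naming a different identity is refused."""
    tag, mech, authzid = parse_authenticate(command)
    if mech != "EXTERNAL":
        return "%s NO Unsupported mechanism" % tag, None
    identity = subject_email(cert_subject)
    if identity is None or identity not in userdb:
        return "%s NO Login failed." % tag, None
    if authzid and authzid != identity:
        return "%s NO Login failed." % tag, None
    return "%s OK" % tag, userdb[identity]


def revoke_login(userdb, login):
    """'Revoke' a certificate by deleting the login it authenticates as;
    other logins pointing at the same mailbox are untouched."""
    return {k: v for k, v in userdb.items() if k != login}


if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB)
    print(external_login(SAMPLE_SUBJECT, SAMPLE_COMMAND, db)[0])
    db = revoke_login(db, "mb2-user@example.com")
    print(external_login(SAMPLE_SUBJECT, SAMPLE_COMMAND, db)[0])
```

The only record the server keeps of a refused certificate login is the `LOGIN FAILED, method=EXTERNAL` line seen in the quoted imapd-ssl log, so the first things to compare when that appears are the emailAddress the certificate actually carries and the exact login spelling in userdb (after running makeuserdb).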


_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap