On Thu, 2005-03-17 at 14:36 -0600, Jim Miller wrote:
> Hi everyone,
>
> My apologies if this rambles on a bit but I'm very frustrated and can't seem
> to figure out what I'm missing. I've set up cyrus-imap 2.2.10 to use openssl
> certificates; users can connect and get mail just fine until I set
> tls_require_certs: true -- When I do this Outlook users can no longer
> connect but Thunderbird users can.
>
> I would greatly appreciate any suggestions.
>
> Here's the process I followed to set up my certificates -- I didn't
> do -nodes:
>
>   openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
>   openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
>       -out tempreq.pem -outform PEM
>   openssl rsa < tempkey.pem > cyrus_key.pem
>   openssl ca -in tempreq.pem -out cyrus_crt.pem
>
>   cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem
>
> Set this in imapd.conf:
>
>   tls_ca_file: /var/lib/cyrus/cyrus.pem
>   tls_cert_file: /var/lib/cyrus/cyrus.pem
>   tls_key_file: /var/lib/cyrus/cyrus.pem
>
> I then distribute the cacert.pem as mailserver.crt and users import it into
> IE/Thunderbird w/out problem.
>
> Next I created a .p12 file from the cyrus_crt.pem for import into
> IE/Thunderbird, again w/out problems. Here's the process that I use to
> generate it.
>   openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
>       -name "result of - openssl x509 -noout -in cyrus_crt.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;'" \
>       -caname "result of - openssl x509 -noout -in cacert.pem -subject | sed -e 's;.*CN=;;' -e 's;Em.*;;'" \
>       -out mailserver.p12
>
> Here's the output from SSLDUMP for Outlook:
>
> New TCP connection #4:
> 4 1  0.0006 (0.0006)  C>S  SSLv2 compatible client hello
>   Version 3.1
>   cipher suites
>     TLS_RSA_WITH_RC4_128_MD5
>     TLS_RSA_WITH_RC4_128_SHA
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA
>     SSL2_CK_RC4
>     SSL2_CK_3DES
>     SSL2_CK_RC2
>     TLS_RSA_WITH_DES_CBC_SHA
>     SSL2_CK_DES
>     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>     TLS_RSA_EXPORT_WITH_RC4_40_MD5
>     TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>     SSL2_CK_RC4_EXPORT40
>     SSL2_CK_RC2_EXPORT40
> 4 2  0.3764 (0.3757)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           xx 44 xx b4 xx 11 xx ee xx 7b xx a2 xx f7 xx f3
>           5c xx da xx a3 xx 21 xx 6a xx 25 xx 62 xx 9a xx
>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>         compressionMethod   NULL
> 4 3  0.3765 (0.0000)  S>C  Handshake
>       Certificate
> 4 4  0.3765 (0.0000)  S>C  Handshake
>       CertificateRequest
>         certificate_types   rsa_sign
>         certificate_types   dss_sign
>         certificate_authority
>           LINES removed
>           53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
>           63 73 2e 63 6f 6d
>       ServerHelloDone
> 4 5  0.3794 (0.0029)  C>S  Handshake
>       Certificate
>       ClientKeyExchange
> 4 6  0.3794 (0.0000)  C>S  ChangeCipherSpec
> 4 7  0.3794 (0.0000)  C>S  Handshake
> 4 8  0.3798 (0.0004)  S>C  Alert
>     level           fatal
>     value           handshake_failure
> 4    0.3802 (0.0004)  C>S  TCP FIN
>
>
> Here's the output for Thunderbird w/SSLDUMP:
>
> New TCP connection #1:
> 1 1  0.0008 (0.0008)  C>S  SSLv2 compatible client hello
>   Version 3.1
>   cipher suites
>     SSL2_CK_RC4
>     SSL2_CK_RC2
>     SSL2_CK_3DES
>     SSL2_CK_DES
>     SSL2_CK_RC4_EXPORT40
>     SSL2_CK_RC2_EXPORT40
>     Unknown value 0x39
>     Unknown value 0x38
>     Unknown value 0x35
>     Unknown value 0x33
>     Unknown value 0x32
>     TLS_RSA_WITH_RC4_128_MD5
>     TLS_RSA_WITH_RC4_128_SHA
>     Unknown value 0x2f
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>     Unknown value 0xfeff
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA
>     TLS_DHE_RSA_WITH_DES_CBC_SHA
>     TLS_DHE_DSS_WITH_DES_CBC_SHA
>     Unknown value 0xfefe
>     TLS_RSA_WITH_DES_CBC_SHA
>     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>     TLS_RSA_EXPORT_WITH_RC4_40_MD5
>     TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> 1 2  0.0053 (0.0045)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           xx 74 xx 33 xx cc xx 49 xx 3e xx c0 bd xx 0b xx
>           a8 xx 5f xx 7d xx b1 xx 79 be 3b xx 2a 69 f0 9d
>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>         compressionMethod   NULL
> 1 3  0.0054 (0.0000)  S>C  Handshake
>       Certificate
> 1 4  0.0054 (0.0000)  S>C  Handshake
>       CertificateRequest
>         certificate_types   rsa_sign
>         certificate_types   dss_sign
>         certificate_authority
>           LINES removed
>           53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
>           63 73 2e 63 6f 6d
>       ServerHelloDone
> 1 5  0.1347 (0.1293)  C>S  Handshake
>       Certificate
>       ClientKeyExchange
>       CertificateVerify
>         Signature[256]=
>           LINES removed
>           53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
>           63 73 2e 63 6f 6d
> 1 6  0.1347 (0.0000)  C>S  ChangeCipherSpec
> 1 7  0.1347 (0.0000)  C>S  Handshake
> 1 8  0.1563 (0.0215)  S>C  ChangeCipherSpec
> 1 9  0.1563 (0.0000)  S>C  Handshake
> 1 10 0.3315 (0.1752)  S>C  application_data
> 1 11 0.4106 (0.0790)  C>S  application_data
> 1 12 0.4108 (0.0002)  S>C  application_data

-----

Not arguing with anything that you've done, but this is how I've gone about it...
  openssl genrsa -des3 -out ca.key 2048
  openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
      -days 3650 -key ca.key -out ca.cert
  openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes \
      -out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem \
      -days 3650
  openssl gendh 512 >> /etc/ssl/cyrus-global.pem
  openssl x509 -in /etc/ssl/cyrus-global.pem -out /etc/ssl/cacert.crt

Then I copy cacert.crt to a web server and let users 'INSTALL CERTIFICATE'
from this file (cacert.crt).

And then in imapd.conf:

  tls_cert_file: /etc/ssl/cyrus-global.pem
  tls_key_file: /etc/ssl/cyrus-global.pem
  tls_ca_file: /etc/ssl/ca.cert

I haven't a clue really what I am doing, but it seems to work, with the only
problem being that entries in subjectAltName don't seem to work for Outlook
clients. I probably need to generate specific certs for each CN but haven't
gotten around to that yet. YMMV

ps - I used this info...
<http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/SSL-Certificates-HOWTO>

Craig
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
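An added example, not code from either post above, that builds the same three pieces both recipes are after (a private CA, the server certificate Cyrus serves, and a bundle users import) with one difference: the client certificate is issued from its own key pair with extendedKeyUsage=clientAuth instead of re-packaging the server certificate. This matters for the traces in the original post. In TLS 1.0 a client only sends CertificateVerify after a Certificate message that actually carries a signing-capable certificate, so the Thunderbird flight (Certificate, ClientKeyExchange, CertificateVerify) shows a client certificate being presented, while the Outlook flight (Certificate, ClientKeyExchange, no CertificateVerify) is what an empty certificate list looks like, which a server that requires a client certificate then rejects with the fatal handshake_failure seen. The CA name, hostname, user, scratch directory and PKCS#12 password are all assumptions; OpenSSL 1.1.1 or later is assumed for the syntax.

```sh
#!/bin/sh
# Added example for the thread above, not code from either post.  Builds a
# private CA, a server certificate for Cyrus and a separate client
# certificate that carries extendedKeyUsage=clientAuth, assembles the PEM
# files imapd.conf points at, and checks them the way the peers will.
# Every name, path and the PKCS#12 password below is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"                  # scratch dir (assumed)
CA_SUBJ="/O=Example Mail/CN=Example Mail CA"  # assumed CA name
SERVER_CN="imap.example.org"                  # assumed IMAP hostname
CLIENT_CN="alice@example.org"                 # assumed user
P12_PASS="${P12_PASS:-changeit}"              # assumed; prompt in real use

make_ca() {
    # Self-signed CA.  ca.key stays on the signing host; ca.crt is what
    # users import and what tls_ca_file names.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/ca.csr" \
        -signkey "$WORK/ca.key" -extfile "$WORK/ca.ext" -out "$WORK/ca.crt"
}

# issue NAME SUBJECT SAN EKU: new key pair + CSR + CA-signed v3 certificate.
issue() {
    name=$1; subj=$2; san=$3; eku=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        "extendedKeyUsage=$eku" "subjectAltName=$san" > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt"
}

build_all() {
    make_ca
    # Server cert: serverAuth only; the SAN is the name clients connect to.
    issue server "/CN=$SERVER_CN" "DNS:$SERVER_CN" serverAuth
    # Client cert: its own key pair, clientAuth only.
    issue client "/CN=$CLIENT_CN" "email:$CLIENT_CN" clientAuth
    # tls_cert_file / tls_key_file: server key + cert in one file.
    # tls_ca_file: ca.crt on its own; the CA key is never copied there.
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/cyrus.pem"
    # What the user imports: client key + cert + the issuing CA.
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -name "$CLIENT_CN" \
        -passout "pass:$P12_PASS" -out "$WORK/client.p12"
}

# verify_chain NAME: does NAME.crt chain to ca.crt?  Exit status 0 = yes.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}

# has_purpose NAME PURPOSE: PURPOSE is "SSL client" or "SSL server".  This
# is the keyUsage/extendedKeyUsage test a peer applies before using the
# cert; the -purpose report prints one "<purpose> : Yes|No" line each.
has_purpose() {
    openssl x509 -in "$WORK/$1.crt" -noout -purpose | grep -q "^$2 : Yes"
}

# p12_subject: read the client certificate back out of the bundle.
p12_subject() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" \
        -nokeys -clcerts | openssl x509 -noout -subject
}

build_all
echo "certificates written under $WORK"
```

Point imapd.conf at cyrus.pem for tls_cert_file and tls_key_file and at ca.crt for tls_ca_file, hand out client.p12 (with its password) and ca.crt, and test from a shell before involving a mail client: `openssl s_client -connect imap.example.org:993 -CAfile ca.crt -cert client.crt -key client.key` should reach the IMAP banner, and the same command without `-cert`/`-key` against a server with tls_require_cert set should end in the fatal handshake_failure alert the Outlook trace shows.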