Re: c-client support for client certificates?

2005-02-24 Thread Mark Crispin
On Thu, 24 Feb 2005, Kevin P. Fleming wrote:
> If I implement this, would it be more consistent to make it a callback route
> that returns a pointer to an allocated chunk of memory (with the caller
> responsible for freeing), or a parameter where I actually pass in the
> PEM-encoded string and c-client duplicates it into its own memory? c-client
> will only need the certificate for a very short time (to make two calls into
> the SSL library during the context setup), so I don't think it makes sense to
> keep a copy of it in c-client's memory space...

Probably a callback set via mail_parameters() makes more sense for the
reasons you state.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
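What the thread converges on, worked through as an added example (this is not c-client code and not anything Mark or Kevin posted; it uses Go's crypto/tls in place of the c-client/OpenSSL pairing because the whole exchange, both sides included, can then run offline in one file): the server demands a client certificate, and the client obtains its certificate through an application-supplied callback that is invoked only when the server's CertificateRequest arrives during the handshake, so the library never holds the PEM beyond that one call. Go's GetClientCertificate hook is the counterpart of the callback Kevin proposes to register via mail_parameters(), and tls.X509KeyPair does the "PEM string in, parsed certificate and key out" step that, in OpenSSL terms, I read Kevin's "two calls into the SSL library" to mean (SSL_use_certificate and SSL_use_PrivateKey, or their SSL_CTX variants). Everything named here is invented for the example: the identity type, issue and mtlsHandshake functions, the names imap.example.test and webmail-user, and the throwaway self-signed certificates, which each side pins directly as its only trust anchor rather than trusting a CA as a real Cyrus deployment would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity: one party's self-signed certificate and key, as DER plus the PEM strings an application would pass around.
type identity struct {
	name            string
	der             []byte
	key             *ecdsa.PrivateKey
	certPEM, keyPEM []byte
}

// issue makes a throwaway self-signed P-256 certificate for name (constructed test material, not a real CA).
func issue(name string, eku x509.ExtKeyUsage) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a test
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // SAN, so the client's hostname check can match
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return &identity{name, der, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})}, nil
}

// mtlsHandshake runs one handshake over an in-memory pipe. The server accepts only the pinned
// client certificate trustedClient; the client calls certSource for its PEM only when the
// CertificateRequest arrives, so the decoded certificate never outlives the handshake.
// It returns the CommonName the server saw in the verified client certificate.
func mtlsHandshake(server, trustedClient *identity, certSource func() (certPEM, keyPEM []byte, err error)) (string, error) {
	clientCAs, serverCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AppendCertsFromPEM(trustedClient.certPEM) // the one client certificate the server trusts
	serverCAs.AppendCertsFromPEM(server.certPEM)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.der}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client certificate, no session
		ClientCAs:    clientCAs,
		MaxVersion:   tls.VersionTLS12, // in 1.2 the client's Handshake() reads the server's last flight, which an unbuffered net.Pipe needs
	}
	clientCfg := &tls.Config{
		RootCAs:    serverCAs,
		ServerName: server.name,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			certPEM, keyPEM, err := certSource() // the application's "hand me the PEM" callback
			if err != nil {
				return nil, err
			}
			c, err := tls.X509KeyPair(certPEM, keyPEM) // PEM -> chain + key, live only for this handshake
			return &c, err
		},
	}
	cConn, sConn := net.Pipe()
	defer func() { cConn.Close(); sConn.Close() }() // also unblocks the server goroutine if the client side fails
	srv, srvErr := tls.Server(sConn, serverCfg), make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := tls.Client(cConn, clientCfg).Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil // non-empty under RequireAndVerifyClientCert
}

func main() {
	server, err := issue("imap.example.test", x509.ExtKeyUsageServerAuth)
	if err != nil {
		panic(err)
	}
	user, err := issue("webmail-user", x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println(mtlsHandshake(server, user, func() ([]byte, []byte, error) { return user.certPEM, user.keyPEM, nil }))
}
```

The ownership question from the thread is answered by where the PEM lives: the application owns it and the library only borrows it inside the callback, which returns a freshly parsed certificate that is discarded with the handshake. If the callback has nothing to offer (it returns an error), the client handshake fails locally before any certificate message is sent, and the server, configured with RequireAndVerifyClientCert, would refuse the session anyway. The MaxVersion pin exists only because net.Pipe has no buffering; on a real socket drop it and let the peers negotiate TLS 1.3.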


Re: c-client support for client certificates?

2005-02-24 Thread Kevin P. Fleming
Mark Crispin wrote:
> No, c-client does not have any support for SSL client certificates.

OK, doesn't seem like it will be too difficult to add, so I'll hack on 
it. Thanks.

> The [GS]ET_SSLCERTIFICATEQUERY mail_parameter() callback routine is used 
> to allow the application a chance to decide whether to proceed or abort 
> if the *server* certificate fails validation.

Ahh, that explains why it just returns an int result, then.

If I implement this, would it be more consistent to make it a callback 
route that returns a pointer to an allocated chunk of memory (with the 
caller responsible for freeing), or a parameter where I actually pass in 
the PEM-encoded string and c-client duplicates it into its own memory? 
c-client will only need the certificate for a very short time (to make 
two calls into the SSL library during the context setup), so I don't 
think it makes sense to keep a copy of it in c-client's memory space...


Re: c-client support for client certificates?

2005-02-23 Thread Mark Crispin
No, c-client does not have any support for SSL client certificates.
The [GS]ET_SSLCERTIFICATEQUERY mail_parameter() callback routine is used 
to allow the application a chance to decide whether to proceed or abort if 
the *server* certificate fails validation.

On Thu, 24 Feb 2005, Kevin P. Fleming wrote:
> Is there any way currently to get c-client to accept a client certificate 
> (PEM-encoded string representation) and pass it along when OpenSSL asks for 
> it during the TLS negotiation?

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.


c-client support for client certificates?

2005-02-23 Thread Kevin P. Fleming
I'm trying to build up a Horde/IMP installation secured by using SSL 
certificates on both sides (server and client). I have no trouble using 
the client cert to authenticate to Horde, and I have no trouble using 
the client cert to authenticate _directly_ to Cyrus IMAP (which is 
obviously my IMAP backend). I'm running all this on Linux, using 
OpenSSL, and the IMAP toolkit was built using "make slx" with SSLTYPE 
set to unix.nopwd.

What I cannot do (yet) is get IMP to pass the certificate it received 
from Apache along as part of the TLS negotiation when it tries to 
connect to the IMAP server. IMP uses the PHP imap extension, which in 
turn uses c-client (and yes, I'm running the latest c-client and PHP).

The documentation on c-client is sparse... but I do see a mail_parameter 
setting for SSLCERTIFICATEQUERY. I cannot find any docs or examples that 
would show me what this is for, though, so I figured I'd ask here.

Is there any way currently to get c-client to accept a client 
certificate (PEM-encoded string representation) and pass it along when 
OpenSSL asks for it during the TLS negotiation?
--
For information about this mailing list, and its archives, see: 
http://www.washington.edu/imap/c-client-list.html
--