RE: confusion about setting up certificates
> On Fri, 2005-03-18 at 10:43 +1300, Roland Pope wrote:
> > ----- Original Message -----
> > From: Jim Miller [EMAIL PROTECTED]
> >
> > > My apologies if this rambles on a bit but I'm very frustrated and can't
> > > seem to figure out what I'm missing. I've set up cyrus-imap 2.2.10 to
> > > use openssl certificates; users can connect and get mail just fine until
> > > I set tls_require_certs: true -- when I do this Outlook users can no
> > > longer connect but Thunderbird users can.
> >
> > Does Outlook support client certs for IMAP TLS connections? I didn't think
> > it did, which is probably where your problem lies. Certainly there is
> > nowhere in Outlook's config for specifying a client cert to be used for a
> > particular account.
>
> Sure it does... Tools -> Options -> Security -> Digital IDs -> Import.
> It's also integrated with Outlook Express/IE, so you can simply "Install
> Certificates" with IE.
>
> Now if you want to tie it to a specific user account, I would presume that
> you would have to generate a certificate with the CN being the email
> address of the user.
>
> Craig

I'm still having trouble with Outlook connecting with IMAPS to cyrus-imap
2.2.10 when I set 'tls_require_cert: true'. However I don't have the problem
when I set 'tls_imap_require_cert: true'. I guess I don't understand the
difference between the two. Could someone please explain the difference
between them?

# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
# tls_require_cert: true
# Require a client certificate for imap ONLY.
tls_imap_require_cert: true

Thanks,
Jim
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: confusion about setting up certificates
Jim Miller wrote:
> I'm still having trouble with Outlook connecting with IMAPS to cyrus-imap
> 2.2.10 when I set 'tls_require_cert: true'. However I don't have the
> problem when I set 'tls_imap_require_cert: true'.

That's because this second setting is ignored. For settings to apply to
specific services, they are _prefixed_ with the service name, so this would
be imap_tls_require_cert.
RE: confusion about setting up certificates
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin P. Fleming
Sent: Tuesday, March 29, 2005 10:35 AM
Cc: info-cyrus@lists.andrew.cmu.edu
Subject: Re: confusion about setting up certificates

> Jim Miller wrote:
> > I'm still having trouble with Outlook connecting with IMAPS to cyrus-imap
> > 2.2.10 when I set 'tls_require_cert: true'. However I don't have the
> > problem when I set 'tls_imap_require_cert: true'.
>
> That's because this second setting is ignored. For settings to apply to
> specific services, they are _prefixed_ with the service name, so this
> would be imap_tls_require_cert.

I don't leave BOTH uncommented. I only uncomment one or the other. The
problem occurs only when I uncomment 'tls_require_cert: true'.

Jim
RE: confusion about setting up certificates
On Mon, 2005-03-21 at 10:00 -0600, Jim Miller wrote:
> > > I would greatly appreciate any suggestions. Here's the process I
> > > followed to set up my certificates -- I didn't do -nodes:
> > >
> > > openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
> > > openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
> > >     -out tempreq.pem -outform PEM
> > > openssl rsa < tempkey.pem > cyrus_key.pem
> > > openssl ca -in tempreq.pem -out cyrus_crt.pem
> > > cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem
> > >
> > > Set this in imapd.conf:
> > >
> > > tls_ca_file: /var/lib/cyrus/cyrus.pem
> > > tls_cert_file: /var/lib/cyrus/cyrus.pem
> > > tls_key_file: /var/lib/cyrus/cyrus.pem
> > >
> > > I then distribute the cacert.pem as mailserver.crt and users import it
> > > into IE/Thunderbird without problem. Next I created a .p12 file from
> > > the cyrus_crt.pem for import into IE/Thunderbird, again without
> > > problems. Here's the process that I use to generate it.
> > >
> > > openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
> > >     -name "$(openssl x509 -noout -in cyrus_crt.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
> > >     -caname "$(openssl x509 -noout -in cacert.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
> > >     -out mailserver.p12
> >
> > - not arguing with anything that you've done but this is how I've gone
> > about it...
> >
> > openssl genrsa -des3 -out ca.key 2048
> > openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
> >     -days 3650 -key ca.key -out ca.cert
> > openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes \
> >     -out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem \
> >     -days 3650
> > openssl gendh 512 >> /etc/ssl/cyrus-global.pem
> > openssl x509 -in /etc/ssl/cyrus-global.pem -out /etc/ssl/cacert.crt
> >
> > Then I copy cacert.crt to a web server and let users 'INSTALL
> > CERTIFICATE' from this file (cacert.crt).
> >
> > and then in imapd.conf
> >
> > tls_cert_file: /etc/ssl/cyrus-global.pem
> > tls_key_file: /etc/ssl/cyrus-global.pem
> > tls_ca_file: /etc/ssl/ca.cert
> >
> > I haven't a clue really what I am doing but it seems to work; the only
> > problem is that entries in subjectAltName don't seem to work for
> > Outlook clients. I probably need to generate specific certs for each CN
> > but haven't gotten around to that yet.
> >
> > YMMV
> >
> > ps - I used this info...
> > http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/SSL-Certificates-HOWTO
>
> Sorry for not responding sooner, I've been out of the office for a few
> days. I appreciate your input Craig. Are you saying you are able to use
> Outlook (OE, Outlook 2000, Outlook 2003) with tls_require_certs: true and
> the certificates you're using? What are the implications of
> tls_require_certs? I must say I'm rather confused as to why Thunderbird
> has no problems and Outlook does. The problem seems to lie at the
> server-to-client handshake:
>
> 4 8  0.3798 (0.0004)  S>C  Alert
>     level           fatal
>     value           handshake_failure

yes, I am saying that Outlook users can use the cert created in my fashion.

Outlook users are alerted that the cert is from an untrusted CA.

I make the cacert.crt file available to users via http server. If they
click on it with IE, they are offered the choice to 'save' or 'install'.
If they 'install', they are presented with the 'Install Certificate'
wizard which, when completed, will satisfy the issue of 'untrusted CA'.
If they 'save' it, they would have to then either add it manually from
Outlook -> Tools -> Options -> Security -> Digital IDs -> Add, or do
similar in Internet Explorer.

Craig
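Two things stand out in the openssl recipes quoted above. Jim's .p12 is built from cyrus_key.pem and cyrus_crt.pem, i.e. the server's own key pair, so every user who imports it holds the key that identifies the server; and neither set of commands shown issues a per-user client certificate or verifies the chain before imapd.conf points at the files. The script below is an added example, not code from the thread or from the Cyrus project, that builds the same pieces with openssl but issues a separate client certificate and runs the checks imapd will effectively perform. It assumes openssl 1.1.1 or newer on PATH; the host name, user address, CA name, output directory and the .p12 password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cyrus: a minimal PKI for
# Cyrus client-certificate authentication.  Assumes openssl 1.1.1 or newer
# on PATH.  Host name, user address, CA name, paths and the .p12 password
# are placeholders for illustration.
set -eu

HOST="mail.example.test"      # assumed DNS name of the IMAP server
USER_MAIL="jim@example.test"  # assumed mail address of the user being issued a cert
CA_NAME="Example Mail CA"     # assumed CA subject
P12PASS="changeit"            # assumed transport password for the .p12 file

# make_pki DIR: writes ca.pem/ca.key, server.pem/server.key, client.pem/client.key,
# client.p12 (what the user imports) and cyrus.pem (what imapd reads).
make_pki() {
  dir="$1"; mkdir -p "$dir"

  # 1. CA: self-signed; ca.key stays on the signing box and is never distributed.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=$CA_NAME" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

  # 2. Server cert signed by the CA.  Extensions are supplied via -extfile
  #    because "openssl x509 -req" does not copy them from the CSR.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
      -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
      -out "$dir/server.pem" 2>/dev/null

  # 3. Client cert: its own key pair, CN = mail address, clientAuth only, so the
  #    user never holds the server's key and the cert cannot pose as the server.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$USER_MAIL" \
      -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'subjectAltName=email:%s\nextendedKeyUsage=clientAuth\n' "$USER_MAIL" > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" \
      -out "$dir/client.pem" 2>/dev/null

  # 4. PKCS#12 for import: client key + client cert + CA cert (so the CA gets trusted too).
  openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
      -certfile "$dir/ca.pem" -name "$USER_MAIL" -caname "$CA_NAME" \
      -passout "pass:$P12PASS" -out "$dir/client.p12"

  # 5. File for tls_cert_file/tls_key_file: server key + server cert only.
  #    tls_ca_file should point at ca.pem, not at this file.
  cat "$dir/server.key" "$dir/server.pem" > "$dir/cyrus.pem"
  chmod 600 "$dir/cyrus.pem" "$dir/ca.key" "$dir/server.key" "$dir/client.key"
}

# check_pki DIR: the checks to run before editing imapd.conf; returns 0 if all pass.
check_pki() {
  dir="$1"
  # server cert chains to the CA that tls_ca_file will name
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
  # client cert chains to the CA and is valid for the TLS-client purpose
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/client.pem" >/dev/null 2>&1 || return 1
  # the .p12 opens with the password the user will be given
  openssl pkcs12 -in "$dir/client.p12" -passin "pass:$P12PASS" -nokeys -out /dev/null 2>/dev/null || return 1
  # cyrus.pem holds exactly one private key and one certificate (no CA key copied in by mistake)
  [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$dir/cyrus.pem")" -eq 1 ] || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/cyrus.pem")" -eq 1 ] || return 1
}

# Usage: sh make-pki.sh /etc/ssl/cyrus-pki
# Then, with imapd running:  openssl s_client -connect $HOST:993 \
#   -CAfile ca.pem -cert client.pem -key client.key   (expect the IMAP greeting;
#   the same command without -cert/-key must fail once client certs are required)
if [ "$#" -ge 1 ]; then
  make_pki "$1"
  check_pki "$1" && echo "PKI in $1 verified"
fi
```

In imapd.conf, tls_cert_file and tls_key_file then both name cyrus.pem and tls_ca_file names ca.pem. The global switch is tls_require_cert; a per-service override carries the service name from cyrus.conf as its prefix, so for an SSL-wrapped service defined there as imaps the option is imaps_tls_require_cert, and a misspelled option name is silently ignored rather than rejected. The s_client line in the trailing comment is the quickest way to confirm the server really demands and accepts the client certificate before involving a mail client.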
confusion about setting up certificates
Hi everyone,

My apologies if this rambles on a bit but I'm very frustrated and can't seem
to figure out what I'm missing.

I've set up cyrus-imap 2.2.10 to use openssl certificates; users can connect
and get mail just fine until I set tls_require_certs: true -- when I do this
Outlook users can no longer connect but Thunderbird users can. I would
greatly appreciate any suggestions.

Here's the process I followed to set up my certificates -- I didn't do -nodes:

openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
    -out tempreq.pem -outform PEM
openssl rsa < tempkey.pem > cyrus_key.pem
openssl ca -in tempreq.pem -out cyrus_crt.pem
cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem

Set this in imapd.conf:

tls_ca_file: /var/lib/cyrus/cyrus.pem
tls_cert_file: /var/lib/cyrus/cyrus.pem
tls_key_file: /var/lib/cyrus/cyrus.pem

I then distribute the cacert.pem as mailserver.crt and users import it into
IE/Thunderbird without problem. Next I created a .p12 file from the
cyrus_crt.pem for import into IE/Thunderbird, again without problems. Here's
the process that I use to generate it.

openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
    -name "$(openssl x509 -noout -in cyrus_crt.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
    -caname "$(openssl x509 -noout -in cacert.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
    -out mailserver.p12

Here's the output from SSLDUMP for Outlook:

New TCP connection #4:
4 1  0.0006 (0.0006)  C>S  SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_RC4
  SSL2_CK_3DES
  SSL2_CK_RC2
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
4 2  0.3764 (0.3757)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          xx 44 xx b4 xx 11 xx ee xx 7b xx a2 xx f7 xx f3
          5c xx da xx a3 xx 21 xx 6a xx 25 xx 62 xx 9a xx
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
4 3  0.3765 (0.0000)  S>C  Handshake
      Certificate
4 4  0.3765 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_authority
          LINES removed
          53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
          63 73 2e 63 6f 6d
      ServerHelloDone
4 5  0.3794 (0.0029)  C>S  Handshake
      Certificate
      ClientKeyExchange
4 6  0.3794 (0.0000)  C>S  ChangeCipherSpec
4 7  0.3794 (0.0000)  C>S  Handshake
4 8  0.3798 (0.0004)  S>C  Alert
    level           fatal
    value           handshake_failure
4    0.3802 (0.0004)  C>S  TCP FIN

Here's the output for Thunderbird w/SSLDUMP:

New TCP connection #1:
1 1  0.0008 (0.0008)  C>S  SSLv2 compatible client hello
  Version 3.1
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_RC2
  SSL2_CK_3DES
  SSL2_CK_DES
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  Unknown value 0x33
  Unknown value 0x32
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  Unknown value 0x2f
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2  0.0053 (0.0045)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          xx 74 xx 33 xx cc xx 49 xx 3e xx c0 bd xx 0b xx
          a8 xx 5f xx 7d xx b1 xx 79 be 3b xx 2a 69 f0 9d
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
1 3  0.0054 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0054 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_authority
          LINES removed
          53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
          63 73 2e 63 6f 6d
      ServerHelloDone
1 5  0.1347 (0.1293)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
        Signature[256]=
          LINES removed
          53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
          63 73 2e 63 6f 6d
1 6  0.1347 (0.0000)  C>S  ChangeCipherSpec
1 7  0.1347 (0.0000)  C>S  Handshake
1 8  0.1563 (0.0215)  S>C  ChangeCipherSpec
1 9  0.1563 (0.0000)  S>C  Handshake
1 10 0.3315 (0.1752)  S>C  application_data
1 11 0.4106 (0.0790)  C>S
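What separates the two captures above is the client's reply to the server's CertificateRequest. Thunderbird's flight (record 1 5) carries Certificate, ClientKeyExchange and CertificateVerify; Outlook's (record 4 5) carries Certificate and ClientKeyExchange only. In TLS 1.0 a client that has no suitable certificate still sends a Certificate message, with an empty certificate list, and then omits CertificateVerify because there is no key to sign with; a server configured to require a client certificate answers that with the fatal handshake_failure alert seen at record 4 8. So the server is behaving as configured, and the question is why Outlook selected no certificate. The script below is an added example, not part of the thread, that reads an ssldump text trace and reports this distinction per connection; the two embedded traces are constructed, shortened versions of the captures above, and the script assumes ssldump's text layout (a record header line followed by indented detail lines).

```shell
#!/bin/sh
# Added example, not part of the thread: classify ssldump handshake traces
# by whether the client actually presented a certificate.  Assumes the
# ssldump text layout, i.e. a record header "<conn> <seq> <time> (<delta>)
# C>S <type>" followed by indented detail lines.  The sample traces written
# by write_samples are constructed, shortened versions of the two captures
# in the thread.
set -eu

# triage_ssldump FILE: prints one line per connection, "<conn> <verdict> [alert X]"
triage_ssldump() {
  awk '
    # record header: remember direction and record type for the detail lines that follow
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $5 ~ /^[CS]>[CS]$/ {
      conn = $1; dir = $5; type = $6; seen[conn] = 1; next
    }
    conn == "" { next }                                                # preamble lines
    type == "Handshake" && dir == "S>C" && $1 == "CertificateRequest" { asked[conn] = 1 }
    type == "Handshake" && dir == "C>S" && $1 == "Certificate"        { certmsg[conn] = 1 }
    type == "Handshake" && dir == "C>S" && $1 == "CertificateVerify"  { verify[conn] = 1 }
    type == "Alert"     && $1 == "value"                              { alert[conn] = $2 }
    END {
      for (c in seen) {
        if (!asked[c])       v = "server did not request a client certificate"
        else if (verify[c])  v = "client proved possession of a certificate key (CertificateVerify sent)"
        else if (certmsg[c]) v = "Certificate without CertificateVerify: client offered no signing certificate (empty list)"
        else                 v = "client sent no Certificate message"
        a = (c in alert) ? " [alert " alert[c] "]" : ""
        printf "%s %s%s\n", c, v, a
      }
    }' "$1"
}

# write_samples DIR: constructed traces modelled on the thread's Outlook and Thunderbird captures
write_samples() {
  cat > "$1/outlook.txt" <<'EOF'
New TCP connection #4:
4 1  0.0006 (0.0006)  C>S  SSLv2 compatible client hello
  Version 3.1
4 2  0.3764 (0.3757)  S>C  Handshake
      ServerHello
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
4 3  0.3765 (0.0000)  S>C  Handshake
      Certificate
4 4  0.3765 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types   rsa_sign
      ServerHelloDone
4 5  0.3794 (0.0029)  C>S  Handshake
      Certificate
      ClientKeyExchange
4 6  0.3794 (0.0000)  C>S  ChangeCipherSpec
4 7  0.3794 (0.0000)  C>S  Handshake
4 8  0.3798 (0.0004)  S>C  Alert
    level           fatal
    value           handshake_failure
EOF
  cat > "$1/thunderbird.txt" <<'EOF'
New TCP connection #1:
1 1  0.0008 (0.0008)  C>S  SSLv2 compatible client hello
1 2  0.0053 (0.0045)  S>C  Handshake
      ServerHello
1 3  0.0054 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0054 (0.0000)  S>C  Handshake
      CertificateRequest
      ServerHelloDone
1 5  0.1347 (0.1293)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
1 6  0.1347 (0.0000)  C>S  ChangeCipherSpec
1 7  0.1347 (0.0000)  C>S  Handshake
1 8  0.1563 (0.0215)  S>C  ChangeCipherSpec
1 9  0.1563 (0.0000)  S>C  Handshake
1 10 0.3315 (0.1752)  S>C  application_data
EOF
}

# Usage: sh triage.sh trace.txt   (no argument: run against the built-in samples)
if [ "$#" -ge 1 ]; then
  triage_ssldump "$1"
else
  tmp=$(mktemp -d); write_samples "$tmp"
  triage_ssldump "$tmp/outlook.txt"; triage_ssldump "$tmp/thunderbird.txt"
  rm -r "$tmp"
fi
```

Run it on a fresh ssldump capture of one failing client; a "Certificate without CertificateVerify" verdict points at the client's certificate selection (no certificate installed for that account, or one whose issuer is not in the CertificateRequest's certificate_authority list), not at the server's TLS setup.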
Re: confusion about setting up certificates
----- Original Message -----
From: Jim Miller [EMAIL PROTECTED]

> My apologies if this rambles on a bit but I'm very frustrated and can't
> seem to figure out what I'm missing. I've set up cyrus-imap 2.2.10 to use
> openssl certificates; users can connect and get mail just fine until I set
> tls_require_certs: true -- when I do this Outlook users can no longer
> connect but Thunderbird users can.

Does Outlook support client certs for IMAP TLS connections? I didn't think
it did, which is probably where your problem lies. Certainly there is
nowhere in Outlook's config for specifying a client cert to be used for a
particular account.

Roland
Re: confusion about setting up certificates
On Thu, 2005-03-17 at 14:36 -0600, Jim Miller wrote:
> Hi everyone,
>
> My apologies if this rambles on a bit but I'm very frustrated and can't
> seem to figure out what I'm missing.
>
> I've set up cyrus-imap 2.2.10 to use openssl certificates; users can
> connect and get mail just fine until I set tls_require_certs: true -- when
> I do this Outlook users can no longer connect but Thunderbird users can.
> I would greatly appreciate any suggestions.
>
> Here's the process I followed to set up my certificates -- I didn't do
> -nodes:
>
> openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
> openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
>     -out tempreq.pem -outform PEM
> openssl rsa < tempkey.pem > cyrus_key.pem
> openssl ca -in tempreq.pem -out cyrus_crt.pem
> cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem
>
> Set this in imapd.conf:
>
> tls_ca_file: /var/lib/cyrus/cyrus.pem
> tls_cert_file: /var/lib/cyrus/cyrus.pem
> tls_key_file: /var/lib/cyrus/cyrus.pem
>
> I then distribute the cacert.pem as mailserver.crt and users import it
> into IE/Thunderbird without problem. Next I created a .p12 file from the
> cyrus_crt.pem for import into IE/Thunderbird, again without problems.
> Here's the process that I use to generate it.
>
> openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
>     -name "$(openssl x509 -noout -in cyrus_crt.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
>     -caname "$(openssl x509 -noout -in cacert.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
>     -out mailserver.p12
>
> Here's the output from SSLDUMP for Outlook:
>
> New TCP connection #4:
> 4 1  0.0006 (0.0006)  C>S  SSLv2 compatible client hello
>   Version 3.1
>   cipher suites
>   TLS_RSA_WITH_RC4_128_MD5
>   TLS_RSA_WITH_RC4_128_SHA
>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
>   SSL2_CK_RC4
>   SSL2_CK_3DES
>   SSL2_CK_RC2
>   TLS_RSA_WITH_DES_CBC_SHA
>   SSL2_CK_DES
>   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>   TLS_RSA_EXPORT_WITH_RC4_40_MD5
>   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>   SSL2_CK_RC4_EXPORT40
>   SSL2_CK_RC2_EXPORT40
> 4 2  0.3764 (0.3757)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           xx 44 xx b4 xx 11 xx ee xx 7b xx a2 xx f7 xx f3
>           5c xx da xx a3 xx 21 xx 6a xx 25 xx 62 xx 9a xx
>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>         compressionMethod                   NULL
> 4 3  0.3765 (0.0000)  S>C  Handshake
>       Certificate
> 4 4  0.3765 (0.0000)  S>C  Handshake
>       CertificateRequest
>         certificate_types   rsa_sign
>         certificate_types   dss_sign
>         certificate_authority
>           LINES removed
>           53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
>           63 73 2e 63 6f 6d
>       ServerHelloDone
> 4 5  0.3794 (0.0029)  C>S  Handshake
>       Certificate
>       ClientKeyExchange
> 4 6  0.3794 (0.0000)  C>S  ChangeCipherSpec
> 4 7  0.3794 (0.0000)  C>S  Handshake
> 4 8  0.3798 (0.0004)  S>C  Alert
>     level           fatal
>     value           handshake_failure
> 4    0.3802 (0.0004)  C>S  TCP FIN
>
> Here's the output for Thunderbird w/SSLDUMP:
>
> New TCP connection #1:
> 1 1  0.0008 (0.0008)  C>S  SSLv2 compatible client hello
>   Version 3.1
>   cipher suites
>   SSL2_CK_RC4
>   SSL2_CK_RC2
>   SSL2_CK_3DES
>   SSL2_CK_DES
>   SSL2_CK_RC4_EXPORT40
>   SSL2_CK_RC2_EXPORT40
>   Unknown value 0x39
>   Unknown value 0x38
>   Unknown value 0x35
>   Unknown value 0x33
>   Unknown value 0x32
>   TLS_RSA_WITH_RC4_128_MD5
>   TLS_RSA_WITH_RC4_128_SHA
>   Unknown value 0x2f
>   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>   Unknown value 0xfeff
>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
>   TLS_DHE_RSA_WITH_DES_CBC_SHA
>   TLS_DHE_DSS_WITH_DES_CBC_SHA
>   Unknown value 0xfefe
>   TLS_RSA_WITH_DES_CBC_SHA
>   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>   TLS_RSA_EXPORT_WITH_RC4_40_MD5
>   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> 1 2  0.0053 (0.0045)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           xx 74 xx 33 xx cc xx 49 xx 3e xx c0 bd xx 0b xx
>           a8 xx 5f xx 7d xx b1 xx 79 be 3b xx 2a 69 f0 9d
>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>         compressionMethod                   NULL
> 1 3  0.0054 (0.0000)  S>C  Handshake
>       Certificate
> 1 4  0.0054 (0.0000)  S>C  Handshake
>       CertificateRequest
>         certificate_types   rsa_sign
>         certificate_types   dss_sign
>         certificate_authority
>           LINES removed
>           53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
>           63 73 2e 63 6f 6d
>       ServerHelloDone
> 1 5  0.1347 (0.1293)  C>S  Handshake
>       Certificate
>       ClientKeyExchange
>       CertificateVerify
>         Signature[256]=
>           LINES removed
>           53 69 6d 75 xx 72 6f 6e 69 63 xx 20 43 6f 72 70
>           63 73 2e 63 6f 6d
> 1 6  0.1347 (0.0000)  C>S  ChangeCipherSpec
> 1