Re: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls

2009-08-04 Thread Zhang Weiwu
Vladimir Vassiliev wrote:
> You can try this:
> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642
>   
Thanks. I commented on that issue.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls

2009-08-04 Thread Leena Heino
On Tue, 4 Aug 2009, Zhang Weiwu wrote:

> Hello.
>
> I am trying to help my users work around an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
>
> In short, cyrus imapd asks for a TLS client certificate, while the user agent 
> thunderbird prompts the user to select one. Since our deployment does not 
> require a client certificate, and users have their email PGP certificate 
> installed, whatever PGP certificate the user selects must be wrong, thus 
> the user couldn't establish a connection to the imap server.

I've used a patch like this to patch Cyrus IMAPD:
Add to your imapd.conf:
# Whether to request a client certificate with a STARTTLS session.
#
##tls_request_cert: 1
# Whether to request a client certificate with a STARTTLS session.
#
imap_tls_request_cert: 0
pop3_tls_request_cert: 0

Patch:
--- imap/tls.c.orig Fri Oct 28 17:51:18 2005
+++ imap/tls.c  Thu Mar  2 12:45:28 2006
@@ -580,6 +580,7 @@
  const char   *s_cert_file;
  const char   *s_key_file;
  intrequirecert;
+intrequestcert;
  inttimeout;

  if (tls_serverengine)
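Review bot: `requestcert` is added as a function-scope variable in this hunk but is only assigned and read inside the `if (askcert!=0)` block of the following hunk; declaring it at that inner scope, or at least initializing it to 0 here, keeps it from ever being read before assignment if the block is later restructured.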
@@ -684,8 +688,11 @@
  SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);

  verify_depth = verifydepth;
-if (askcert!=0)
-   verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+if (askcert!=0) {
+   requestcert = config_getswitch(IMAPOPT_TLS_REQUEST_CERT);
+   if (requestcert)
+   verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+}

  requirecert = config_getswitch(IMAPOPT_TLS_REQUIRE_CERT);
  if (requirecert)
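Review bot: gating SSL_VERIFY_PEER behind `tls_request_cert` makes `tls_require_cert` silently ineffective when request is 0 and require is 1: OpenSSL only honours SSL_VERIFY_FAIL_IF_NO_PEER_CERT together with SSL_VERIFY_PEER, and the `requirecert` check that follows no longer runs with SSL_VERIFY_PEER guaranteed to be set. Suggest either forcing the request on when `requirecert` is true, or logging a configuration error for the request=0/require=1 combination, so an administrator who believes client certificates are mandatory does not end up with a server that enforces nothing.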

--- lib/imapoptions Wed Feb  1 21:44:06 2006
+++ lib/imapoptions Thu Mar  2 12:45:28 2006
@@ -956,6 +956,9 @@
  /* File containing the private key belonging to the server
 certificate.  A value of "disabled" will disable SSL/TLS. */

+{ "tls_request_cert", 1, SWITCH }
+/* Request a client certificate for ALL services (imap, pop3, lmtp, sieve). */
+
  { "tls_require_cert", 0, SWITCH }
  /* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */
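Review bot: the documentation comment for the new `tls_request_cert` option should state that the default of 1 preserves existing behaviour and that `tls_require_cert` has no effect unless a certificate is also requested; copying the "ALL services" wording from `tls_require_cert` is fine, but since the accompanying imapd.conf uses the per-service forms `imap_tls_request_cert` / `pop3_tls_request_cert`, the comment should mention that the option can be overridden per service in the same way.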

-- 
   Leena Heino  University of Tampere / Computer Centre
   ( liinu at uta.fi )  ( http://www.uta.fi/laitokset/tkk )



Re: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls

2009-08-04 Thread Vladimir Vassiliev
You can try this:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642

On Tuesday 04 August 2009, Zhang Weiwu wrote:
> Hello.
> 
> I am trying to help my users work around an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
> 
> In short, cyrus imapd asks for a TLS client certificate, while the user agent 
> thunderbird prompts the user to select one. Since our deployment does not 
> require a client certificate, and users have their email PGP certificate 
> installed, whatever PGP certificate the user selects must be wrong, thus 
> the user couldn't establish a connection to the imap server.
> 
> Workarounds:
> 
>    1. Disable TLS on server or client (bad, their email wouldn't be safe
>       then);
>    2. Remove PGP certificate for our clients (bad, ditto);
>    3. Ask users to switch from Thunderbird to Outlook Express (bad, I
>       feel sicker if they do);
>    4. Wait for Thunderbird to add an option to allow the user to configure it
>       to never offer a certificate to the TLS server even if asked (bad,
>       could be years' waiting);
>    5. Configure cyrus so that it does not turn on the SSL_VERIFY_PEER flag
>       (of openssl), so that the imapd server does not ask the user for a client
>       certificate (the only solution that looks feasible);
> 
> So 4 is the choice. Problem being I couldn't figure out how to configure 
> it that way. I configured "tls_require_cert: false", which sets 
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls whether the client is required 
> to provide the certificate (instead of SSL_VERIFY_PEER, which controls whether 
> the client is asked to provide the certificate).
> 
> So how do you suggest I handle the situation? Thanks a lot in advance!
> 


-- 
Vladimir Vassiliev 


how to configure: turn off SSL_VERIFY_PEER flag for imap/tls

2009-08-03 Thread Zhang Weiwu
Hello.

I am trying to help my users work around an issue which was described here:
https://bugzilla.mozilla.org/show_bug.cgi?id=437683

In short, cyrus imapd asks for a TLS client certificate, while the user agent 
thunderbird prompts the user to select one. Since our deployment does not 
require a client certificate, and users have their email PGP certificate 
installed, whatever PGP certificate the user selects must be wrong, thus 
the user couldn't establish a connection to the imap server.

Workarounds:

   1. Disable TLS on server or client (bad, their email wouldn't be safe
      then);
   2. Remove PGP certificate for our clients (bad, ditto);
   3. Ask users to switch from Thunderbird to Outlook Express (bad, I
      feel sicker if they do);
   4. Wait for Thunderbird to add an option to allow the user to configure it
      to never offer a certificate to the TLS server even if asked (bad,
      could be years' waiting);
   5. Configure cyrus so that it does not turn on the SSL_VERIFY_PEER flag
      (of openssl), so that the imapd server does not ask the user for a client
      certificate (the only solution that looks feasible);

So 4 is the choice. Problem being I couldn't figure out how to configure 
it that way. I configured "tls_require_cert: false", which sets 
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls whether the client is required 
to provide the certificate (instead of SSL_VERIFY_PEER, which controls whether 
the client is asked to provide the certificate).

So how do you suggest I handle the situation? Thanks a lot in advance!

-- 
Real Softservice (Beijing) Information Technology Co., Ltd.

Postal code: 100089
Beisihuan Zhong Road No. 238 Baiyan Building Unit 406B

Tel: +86 (10) 8231 8580
http://www.realss.com
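The original post distinguishes SSL_VERIFY_PEER (the server asks for a client certificate) from SSL_VERIFY_FAIL_IF_NO_PEER_CERT (the server refuses a client that presents none), and Leena Heino's reply gates the former behind a new tls_request_cert switch that can be overridden per service. The Python below is an added example written for this archive, not Cyrus code: it parses a constructed imapd.conf fragment modeled on the one in the reply, resolves switches the way Cyrus does (imap_tls_request_cert overrides tls_request_cert for the imap service), reproduces the verify-flag decision of the patched tls.c logic, and flags the one combination that OpenSSL documents as ineffective (FAIL_IF_NO_PEER_CERT without PEER). The flag values are OpenSSL's from ssl.h; the option spellings and service names come from the thread; `askcert` stands in for the tls.c function argument of the same name.

```python
"""Map Cyrus imapd.conf TLS switches to OpenSSL verify flags (added example).

Not Cyrus code: a model of the patched tls.c decision plus Cyrus's
per-service option convention, used to reason about which knob does what.
"""

# OpenSSL verify-mode bits, as defined in openssl/ssl.h.
SSL_VERIFY_NONE = 0x00
SSL_VERIFY_PEER = 0x01                  # server sends CertificateRequest
SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02  # only honoured together with PEER
SSL_VERIFY_CLIENT_ONCE = 0x04

TRUE_WORDS = {"1", "yes", "on", "true", "t"}
FALSE_WORDS = {"0", "no", "off", "false", "f"}

# Constructed sample: the fragment from the reply, plus the require switch
# the original poster says he set. Lines starting with '#' are comments.
SAMPLE_CONF = """\
# Whether to request a client certificate with a STARTTLS session.
##tls_request_cert: 1
imap_tls_request_cert: 0
pop3_tls_request_cert: 0
tls_require_cert: false
"""


def parse_imapd_conf(text):
    """Parse 'option: value' lines; '#' starts a comment, as in imapd.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed imapd.conf line: %r" % line)
        opts[key.strip()] = value.strip()
    return opts


def as_switch(value):
    """Interpret a Cyrus SWITCH value (yes/no, on/off, 1/0, true/false)."""
    v = value.lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError("not a switch value: %r" % value)


def get_switch(opts, service, name, default):
    """Cyrus-style lookup: <service>_<name> overrides <name>, which overrides
    the compiled-in default (hypothetical model of config_getswitch)."""
    for key in ("%s_%s" % (service, name), name):
        if key in opts:
            return as_switch(opts[key])
    return default


def verify_flags(opts, service, askcert=True):
    """Reproduce the patched decision: request gates PEER|CLIENT_ONCE,
    require adds FAIL_IF_NO_PEER_CERT. Defaults mirror lib/imapoptions
    in the patch (request=1, require=0)."""
    flags = SSL_VERIFY_NONE
    if askcert and get_switch(opts, service, "tls_request_cert", True):
        flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE
    if get_switch(opts, service, "tls_require_cert", False):
        flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT
    return flags


def check_combination(flags):
    """OpenSSL ignores FAIL_IF_NO_PEER_CERT unless PEER is also set, so
    'require without request' enforces nothing; report that case."""
    if flags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT and not flags & SSL_VERIFY_PEER:
        return "tls_require_cert is set but tls_request_cert is off: requirement is ineffective"
    return "ok"


if __name__ == "__main__":
    conf = parse_imapd_conf(SAMPLE_CONF)
    for svc in ("imap", "pop3", "lmtp", "sieve"):
        f = verify_flags(conf, svc)
        print("%-6s verify_flags=0x%02x %s" % (svc, f, check_combination(f)))
```

With the sample fragment, imap and pop3 resolve to SSL_VERIFY_NONE (no CertificateRequest is sent, which is what the original poster wanted for Thunderbird), while lmtp and sieve keep the default PEER|CLIENT_ONCE. Setting tls_request_cert to 0 globally while leaving tls_require_cert on yields only the FAIL_IF_NO_PEER_CERT bit, which check_combination() reports as ineffective.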


