Re: tls_ca_path and tls_ca_file

2006-10-12 Thread Goetz Babin-Ebell

Leena Heino wrote:
Hello Leena,

>> Somewhere in bugzilla.mozilla.org is a feature request
>> from me asking for that feature.
>> But it was turned down in favor of a planned general overhaul
>> of the authentication framework
>> (from which I also never heard again...)
> 
> I've locally implemented a config switch tls_request_cert, which turns
> off client certificate request in tls. This was because older Eudora
> versions would hang if tls was used and client certificate was requested.

You may look in the bugzilla entry 2642
(https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642)

There is a first patch from me that allows greater control on
the client authentication request generation.

The patch is against 2.2.12 and may need some polishing.

So if you are interested, have a look...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: tls_ca_path and tls_ca_file

2006-10-12 Thread Leena Heino

Somewhere in bugzilla.mozilla.org is a feature request
from me asking for that feature.
But it was turned down in favor of a planned general overhaul
of the authentication framework
(from which I also never heard again...)


I've locally implemented a config switch tls_request_cert, which turns off 
client certificate request in tls. This was because older Eudora versions 
would hang if tls was used and client certificate was requested.


--
  Leena Heino  University of Tampere / Computer Centre
  ( liinu at uta.fi )  ( http://www.uta.fi/laitokset/tkk )



Re: tls_ca_path and tls_ca_file

2006-10-11 Thread Goetz Babin-Ebell

Andreas Benzing wrote:
> Hello Goetz,
Hello Andreas,

> After some more research I finally found out that Thunderbird should not
> yet try to authenticate with certs anyway. The whole thing is not
> completely implemented but cannot be switched off, except for having
> TBird ask for which cert to use every time and then "cancel".

Authentication with client certs works in thunderbird
(at least according to some tests I did some time back...)

But if authentication with client certs succeeds,
it should use the IMAP authentication method EXTERNAL
and not ask again for a pass phrase...

Somewhere in bugzilla.mozilla.org is a feature request
from me asking for that feature.
But it was turned down in favor of a planned general overhaul
of the authentication framework
(from which I also never heard again...)

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


Re: tls_ca_path and tls_ca_file

2006-10-11 Thread Andreas Benzing

Hello Goetz,

Goetz Babin-Ebell wrote:
> Andreas Benzing wrote:
>> Hello once more,
> Hello Andreas,
>
>> Goetz Babin-Ebell wrote:
>>> Andreas Benzing wrote:
>>>
>>> the tls_ca_path directory is used in certificate verification:
>>> a checksum is calculated from the issuer DN of the cert to verify,
>>> and this 32 bit value is used as a file name in tls_ca_path to load
>>> the CA certificate.
>>
>> Now this and the hint with c_rehash make things clearer. I didn't know
>> that cyrus is only looking for specific filenames. So it works now =)
>
> the 32 bit hash is the only way to determine the file name
> from the subject / issuer DN...
>
>> Which takes me to the next question that may be in the wrong place here:
>> I only came to this problem because when connecting with thunderbird
>> there was an error establishing an encrypted connection. After
>> investigating the logfiles I found that the server could not verify a
>> cert I wanted to use with thunderbird to sign messages.
>> Now the question is: Why did thunderbird try to authenticate with the
>> cert when my server (with the old config) did not have any CA certs at all?
>
> Accepting client authentication without providing the list of
> acceptable CA certificates is a misconfiguration that is not
> common but happens.
>
> My knowledge of the TLS specification is not deep enough to know
> how the client and server SHOULD act in this situation,
> but some clients pick a client certificate and send it to
> the server.
> OpenSSL allows this misconfiguration but requires that
> the client certificate is verified by callbacks provided
> by the user of the library.
>
> To make it clear:
>
> Server: "I accept client certificates but won't tell you
>  which CAs I trust"
> Client: "OK, let's try this one..."
> Server: "Sorry, I don't know your issuer."

After some more research I finally found out that Thunderbird should not
yet try to authenticate with certs anyway. The whole thing is not
completely implemented but cannot be switched off, except for having
TBird ask for which cert to use every time and then "cancel".

THX for your help

Andreas



Re: tls_ca_path and tls_ca_file

2006-10-10 Thread Goetz Babin-Ebell

Andreas Benzing wrote:
> Hello once more,
Hello Andreas,

> Goetz Babin-Ebell wrote:
>> Andreas Benzing wrote:
>>
>> the tls_ca_path directory is used in certificate verification:
>> a checksum is calculated from the issuer DN of the cert to verify,
>> and this 32 bit value is used as a file name in tls_ca_path to load
>> the CA certificate.
> 
> Now this and the hint with c_rehash make things clearer. I didn't know
> that cyrus is only looking for specific filenames. So it works now =)

the 32 bit hash is the only way to determine the file name
from the subject / issuer DN...

> Which takes me to the next question that may be in the wrong place here:
> I only came to this problem because when connecting with thunderbird
> there was an error establishing an encrypted connection. After
> investigating the logfiles I found that the server could not verify a
> cert I wanted to use with thunderbird to sign messages.
> Now the question is: Why did thunderbird try to authenticate with the
> cert when my server (with the old config) did not have any CA certs at all?

Accepting client authentication without providing the list of
acceptable CA certificates is a misconfiguration that is not
common but happens.

My knowledge of the TLS specification is not deep enough to know
how the client and server SHOULD act in this situation,
but some clients pick a client certificate and send it to
the server.
OpenSSL allows this misconfiguration but requires that
the client certificate is verified by callbacks provided
by the user of the library.

To make it clear:

Server: "I accept client certificates but won't tell you
 which CAs I trust"
Client: "OK, let's try this one..."
Server: "Sorry, I don't know your issuer."

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


Re: tls_ca_path and tls_ca_file

2006-10-10 Thread Andreas Benzing

Hello once more,

Goetz Babin-Ebell wrote:
> Andreas Benzing wrote:
>> Hello,
> Hello Andreas,
>
>> could please somebody tell me what tls_ca_path is good for if it is
>> somehow ignored in the config file? For other servers putting the
>> different CA-certs in one directory is enough but cyrus needs an extra
>> file with all of them in a single file. Shouldn't this be the sense of
>> tls_ca_path?
>
> Without looking in the cyrus and the openssl code:
>
> the tls_ca_path directory is used in certificate verification:
> a checksum is calculated from the issuer DN of the cert to verify,
> and this 32 bit value is used as a file name in tls_ca_path to load
> the CA certificate.

Now this and the hint with c_rehash make things clearer. I didn't know
that cyrus is only looking for specific filenames. So it works now =)

> Now, tls_ca_path is primarily useful in client configurations,
> because you may have a big number of trusted CA certificates.
>
> On the server side, tls_ca_path is less useful,
> because you must have the complete list of
> CA certificates you accept before you start a handshake,
> because you send this list (only the subject names) to
> the client, telling him which CA certificates you accept
> for client authentication.

Which takes me to the next question that may be in the wrong place here:
I only came to this problem because when connecting with thunderbird
there was an error establishing an encrypted connection. After
investigating the logfiles I found that the server could not verify a
cert I wanted to use with thunderbird to sign messages.
Now the question is: Why did thunderbird try to authenticate with the
cert when my server (with the old config) did not have any CA certs at all?


Andreas



Re: tls_ca_path and tls_ca_file

2006-10-10 Thread Goetz Babin-Ebell

Andreas Benzing wrote:
> Hello,
Hello Andreas,

> could please somebody tell me what tls_ca_path is good for if it is
> somehow ignored in the config file? For other servers putting the
> different CA-certs in one directory is enough but cyrus needs an extra
> file with all of them in a single file. Shouldn't this be the sense of
> tls_ca_path?

Without looking in the cyrus and the openssl code:

the tls_ca_path directory is used in certificate verification:
a checksum is calculated from the issuer DN of the cert to verify,
and this 32 bit value is used as a file name in tls_ca_path to load
the CA certificate.

This way you don't need beforehand to load all certificates
that you may need to verify a peer.

On the other hand the certificates in tls_ca_file are loaded
before the TLS handshake is done and directly used to verify
the peer.
(This file is also used to build the server's CA certificate
 chain that is sent to the client)


Now, tls_ca_path is primarily useful in client configurations,
because you may have a big number of trusted CA certificates.

On the server side, tls_ca_path is less useful,
because you must have the complete list of
CA certificates you accept before you start a handshake,
because you send this list (only the subject names) to
the client, telling him which CA certificates you accept
for client authentication.

You can still use it for intermediate CA certificates
and CRLs.


I don't know how other servers handle the tls_ca_path.
Perhaps they iterate over the certificate files in it
to build the client list, or their client verification code
is f*ed up and only seems to work...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
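The file-name lookup Goetz describes above, as an added example that is not part of this thread and not Cyrus or OpenSSL code: it implements the pre-1.0 OpenSSL name hash (the first four bytes of MD5 over the DER-encoded name, read little-endian, which is the 32 bit value OpenSSL 0.9.x used and which current OpenSSL prints as `openssl x509 -subject_hash_old`; OpenSSL 1.0.0 and later link by a SHA-1 based hash instead), then mimics what c_rehash and the tls_ca_path probe do with it in a temporary directory. The DNs and the file contents are constructed stand-ins, not real certificates.

```python
import hashlib
import os
import tempfile
# DER contents of the attribute-type OIDs used by the constructed DNs below.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}

def der(tag, body):
    """Prefix body with a DER tag and a definite-form length (short or long form)."""
    ln = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_name(rdns):
    """DER-encode an X.509 Name from [(attr, value), ...]: SEQUENCE of SET { SEQUENCE { OID, PrintableString } }."""
    rdn = lambda a, v: der(0x31, der(0x30, der(0x06, OIDS[a]) + der(0x13, v.encode("ascii"))))
    return der(0x30, b"".join(rdn(a, v) for a, v in rdns))

def name_hash_old(rdns):
    """Pre-1.0 OpenSSL X509_NAME_hash: first 4 bytes of MD5(DER name), little-endian, as 8 hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(encode_name(rdns)).digest()[:4], "little")

def slot(ca_path, rdns, n):
    return os.path.join(ca_path, "%s.%d" % (name_hash_old(rdns), n))  # the <hash>.<n> file OpenSSL probes

def rehash(ca_path, subject):
    """What c_rehash does: store the CA under the first unused <hash>.<n> slot (n > 0 on hash collisions)."""
    n = 0
    while os.path.exists(slot(ca_path, subject, n)):
        n += 1
    with open(slot(ca_path, subject, n), "w") as f:
        f.write(repr(subject))  # stand-in for the PEM certificate body
    return slot(ca_path, subject, n)

def lookup_ca(ca_path, issuer):
    """What the verifier does: hash the issuer DN and probe <hash>.0, <hash>.1, ... until a subject matches."""
    n = 0
    while os.path.exists(slot(ca_path, issuer, n)):
        with open(slot(ca_path, issuer, n)) as f:
            if f.read() == repr(issuer):
                return slot(ca_path, issuer, n)
        n += 1
    return None  # "Sorry, I don't know your issuer."

def demo():
    """Constructed DNs: one root CA installed via rehash(), then a known and an unknown issuer looked up."""
    root = [("C", "DE"), ("O", "Example Org"), ("CN", "Example Root CA")]
    other = [("C", "DE"), ("O", "Example Org"), ("CN", "Example Mail CA")]
    with tempfile.TemporaryDirectory() as ca_path:
        installed = rehash(ca_path, root)
        return os.path.basename(installed), lookup_ca(ca_path, root) == installed, lookup_ca(ca_path, other)
```

A CA file dropped into the directory under any other name (ca.pem, say) is never opened by this probe, which is why the thread's answer is to run c_rehash rather than to copy more files.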


Re: tls_ca_path and tls_ca_file

2006-10-10 Thread Warren Turkal
On Tuesday 10 October 2006 10:50, Andreas Benzing wrote:
> could please somebody tell me what tls_ca_path is good for if it is
> somehow ignored in the config file? For other servers putting the
> different CA-certs in one directory is enough but cyrus needs an extra
> file with all of them in a single file. Shouldn't this be the sense of
> tls_ca_path?

Are you sure that you don't just have to run c_rehash in the directory with 
the certs?

wt
-- 
Warren Turkal, Research Associate III/Systems Administrator
Colorado State University, Dept. of Atmospheric Science



tls_ca_path and tls_ca_file

2006-10-10 Thread Andreas Benzing

Hello,

could please somebody tell me what tls_ca_path is good for if it is
somehow ignored in the config file? For other servers putting the
different CA-certs in one directory is enough but cyrus needs an extra
file with all of them in a single file. Shouldn't this be the sense of
tls_ca_path?

Best regards,

Andreas

