Re: [Courier-imap] Certificate Authentication - Check for revocation?
From: Lenz W. <ma...@le...> - 2015-07-24 19:06:22
Hi Thomas,

those bug reports read to me like TLS in general is disabled with certain
OpenSSL libraries. As everything else (including STARTTLS and TLS) is working
just fine, I guess it's just some misconfiguration and nothing with Thunderbird.

Thanks for the input,
Lenz

Am 24.07.2015 um 07:35 schrieb Thomas Barth:
> Hello Lenz, which version of Thunderbird are you using?
> Thunderbird 38.1.0 for Windows and Thunderbird 37.8.0 for Linux
> (Ubuntu) are not compatible anymore to some POP3/IMAP Server when
> using SSL/TLS security.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1183650
> https://www.thunderbird-mail.de/index.php/Thread/70861-Verbindungssicherheit-STARTTLS-funktioniert-seit-TB-38-1-0-nicht-mehr
>
> In Ubuntu I switched to the eMail-Client Evolution and in Windows
> I reinstalled Thunderbird 38.0.1 and disabled the automatic update
> function.
>
> Am 24.07.2015 um 00:11 schrieb Lenz Weber:
>> Hi Sam,
>>
>> I'm trying to get this running, but I fear I won't get any further
>> without your feedback. Logging in with a certificate just doesn't work. :(
>>
>> I have created a CA certificate and a client certificate. The CA
>> has signed itself and the client:
>>
>>> openssl verify -verbose -CAfile courier-ca.crt *.crt
>>> courier-ca.crt: OK
>>> te...@le...t: OK
>>
>> my userdb contains a line for that login and I have run makeuserdb.
>>
>>> te...@le...	mail=/var/vmail/lenzw.de/mail/|uid=5000|gid=5000
>>
>> imapd is configured accordingly: (the certificate exists and has
>> world-read permissions)
>>
>>> TLS_TRUSTCERTS=/etc/ssl/certs/mail-ca.crt
>>> TLS_VERIFYPEER=PEER
>>> TLS_EXTERNAL=emailaddress
>>
>> I tested connecting on port 143 with STARTTLS as well as port 993.
>>
>>> openssl s_client -connect umask.pw:993 -cert te...@le...t -key te...@le...y
>>> ...
>>> Acceptable client certificate CA names
>>> /C=DE/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.fw.umask.pw
>>> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
>>> Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>>> Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>>> ...
>>
>> So the cert I am using should work okay:
>>
>>> Signature Algorithm: sha256WithRSAEncryption
>>> Issuer: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw
>>> Validity
>>>     Not Before: Jul 23 21:10:50 2015 GMT
>>>     Not After : Aug  1 21:10:50 2016 GMT
>>> Subject: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw/emailAddress=te...@le...
>>
>> When I try to login with Thunderbird, it lets me choose my
>> key+certificate, but login doesn't work:
>>
>>> 1196[129a4bc0]: try to log in
>>> 1196[129a4bc0]: IMAP auth: server caps 0x204c3325, pref 0x20000000, failed 0x0, avail caps 0x20000000
>>> 1196[129a4bc0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
>>> 1196[129a4bc0]: trying auth method 0x20000000
>>> 1196[129a4bc0]: IMAP: trying auth method 0x20000000
>>> 1196[129a4bc0]: 13ba0800:umask.pw:NA:SendData: 3 authenticate EXTERNAL dGVzdEBsZW56dy5kZQ==
>>> 1196[129a4bc0]: ReadNextLine [stream=18445650 nb=20 needmore=0]
>>> 1196[129a4bc0]: 13ba0800:umask.pw:NA:CreateNewLineFromSocket: 3 NO Login failed.
>>> 1196[129a4bc0]: authlogin failed
>>
>> Unfortunately, I don't get much more information from Courier:
>>
>>> Jul 23 23:58:03 localhost imapd-ssl: Connection, ip=[::ffff:...]
>>> Jul 23 23:58:06 localhost imapd-ssl: LOGIN FAILED, method=EXTERNAL, ip=[::ffff:...]
>>> Jul 23 23:58:12 localhost imapd-ssl: Disconnected, ip=[::ffff:...], time=9, starttls=1
>>
>> Are there any more logging options in COURIER that I can enable?
>> This mode seems to bypass authdaemon and I haven't found any log
>> level options besides authdaemon.
>>
>> Sorry for the long mail and thank you for reading it,
>> Lenz
>>
>> Am 22.07.2015 um 14:21 schrieb Sam Varshavchik:
>>> Sam Varshavchik writes:
>>>
>>>> Lenz Weber writes:
>>>>
>>>>> Hi, sorry, but I have not found any documentation on this:
>>>>>
>>>>> I see that I can add a CA certificate to TLS_TRUSTCERTS
>>>>> and then set TLS_VERIFYPEER to PEER to enable certificate
>>>>> authentication.
>>>>>
>>>>> But with just that setup, if one client key is
>>>>> compromised, I have to change the complete CA. Is there
>>>>> a way to revoke a single certificate?
>>>>
>>>> Nope. There is no support for revocation lists at this time.
>>>
>>> Note, though, that you can achieve pretty much the same
>>> thing via authentication.
>>>
>>> Client certificates work by having the code fish out the
>>> emailAddress attribute from the client's certificate and
>>> using it to log in. So, to effectively revoke the
>>> certificate, remove the login, and create another one, with
>>> a new certificate.
>>>
>>> Even with /etc/passwd, you can have two entries in
>>> /etc/passwd with different login names, but same userid,
>>> groupid, and home directory. One is the public email
>>> address, the second one is for logging in. To effectively
>>> revoke a cert, the second one is removed, and replaced.
>>> So, one would have <us...@ex...> as their public email
>>> address, and their certificate reads <mb...@ex...>,
>>> which logs into this mailbox. Left to its own devices, mail
>>> to either address would end up in the same mailbox, but so
>>> what. To "remove" the certificate, the <mb...@ex...>
>>> login gets deleted, and replaced with <mb...@ex...>,
>>> the public email address is unaffected.
>>>
>>> _______________________________________________
>>> Courier-imap mailing list
>>> Cou...@li...
>>> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
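The following is an added worked example, not code from this thread or from Courier itself. It models Sam's suggestion in plain Python: with TLS_EXTERNAL=emailaddress, the emailAddress attribute of a client certificate that already chained to TLS_TRUSTCERTS is used verbatim as the login name, so "revoking" a certificate means deleting that login from userdb and adding a fresh one that shares the same mail directory, uid and gid with the public address. The userdb line format follows the entry Lenz pasted (login, a tab, then field=value pairs separated by "|"); the logins, the mail path and the certificate subject below are constructed sample values, and chain validation is assumed to have happened before this lookup.

```python
import re

# Constructed sample in Courier's userdb text format (login<TAB>field=value|...).
# Two logins share uid, gid and mail directory: "user@" is the public address,
# "mbox-a7f3@" is the login name carried in the client certificate's emailAddress.
SAMPLE_USERDB = (
    "user@example.com\tmail=/var/vmail/example.com/mail/|uid=5000|gid=5000\n"
    "mbox-a7f3@example.com\tmail=/var/vmail/example.com/mail/|uid=5000|gid=5000\n"
)

# Matches the emailAddress attribute in both the comma-separated subject form
# and the older "CN=host/emailAddress=x" rendering seen in the thread's output.
EMAIL_ATTR = re.compile(r"emailAddress=([^,/\s]+)")


def parse_userdb(text):
    """Parse userdb text into {login: {field: value}}; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        login, _, rest = line.partition("\t")
        fields = {}
        for kv in rest.split("|"):
            if kv:
                key, _, value = kv.partition("=")
                fields[key] = value
        entries[login] = fields
    return entries


def serialize_userdb(entries):
    """Inverse of parse_userdb; the result is what gets written back to userdb."""
    lines = [
        login + "\t" + "|".join(f"{k}={v}" for k, v in fields.items())
        for login, fields in entries.items()
    ]
    return "\n".join(lines) + "\n"


def email_from_subject(subject):
    """Extract the emailAddress attribute from an OpenSSL-printed subject line."""
    m = EMAIL_ATTR.search(subject)
    return m.group(1) if m else None


def external_login(subject, entries):
    """Model of TLS_EXTERNAL=emailaddress after a successful chain check:
    the certificate's emailAddress must exist as a login in userdb.
    Returns the login name, or None when the login should fail."""
    email = email_from_subject(subject)
    if email is None or email not in entries:
        return None
    return email


def rotate_cert_login(entries, old_login, new_login):
    """'Revoke' a client certificate without a CRL: remove the login its
    emailAddress maps to and add a fresh login with identical mailbox fields.
    Returns a new dict; the public address entry is left untouched."""
    if old_login not in entries:
        raise KeyError(f"unknown login: {old_login}")
    if new_login in entries:
        raise ValueError(f"login already exists: {new_login}")
    updated = {login: dict(fields) for login, fields in entries.items() if login != old_login}
    updated[new_login] = dict(entries[old_login])
    return updated


if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB)
    # Constructed subject in the slash-joined form OpenSSL printed in the thread.
    old_cert = "C=DE, ST=Some-State, O=Example, CN=mail.example.com/emailAddress=mbox-a7f3@example.com"
    print("old certificate before rotation:", external_login(old_cert, db))
    db = rotate_cert_login(db, "mbox-a7f3@example.com", "mbox-91c0@example.com")
    print("old certificate after rotation: ", external_login(old_cert, db))
    print(serialize_udb := serialize_userdb(db), end="")
```

After writing the updated text back to userdb, makeuserdb has to be run (as Lenz did) before the change takes effect, and a new certificate carrying the new login in its emailAddress is issued to the user. The old certificate still chains to the CA, so it is only the missing login that causes Courier to answer "NO Login failed"; that is why this approach substitutes for a revocation list only as long as every certificate the CA issues carries a unique login rather than the public address.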