Re: [Courier-imap] Certificate Authentication - Check for revocation?
From: Thomas B. <tb...@tx...> - 2015-07-24 20:22:51
Hi Lenz,

I found a solution to my problem. I had to increase the Diffie-Hellman parameter for Courier, because the standard size is still 768 bit, created with mkdhparams on a Debian system.

    mv /etc/courier/dhparams.pem /etc/courier/dhparams.pem.backup
    openssl dhparam -out /etc/courier/dhparams.pem 2048
    make the permissions of the file dhparams.pem the same as the old one
    restart imap-ssl

In the future Debian offers a patch, so that mkdhparams creates DH parameters with a higher bit size.

Thomas Barth

On 24.07.2015 at 18:38, Lenz Weber wrote:
> Hi Thomas,
>
> those bug reports read to me like TLS in general is disabled with certain OpenSSL libraries.
> As everything else (including STARTTLS and TLS) is working just fine, I guess it's just some misconfiguration and nothing with Thunderbird.
>
> Thanks for the input,
> Lenz
>
> On 24.07.2015 at 07:35, Thomas Barth wrote:
>> Hello Lenz,
>>
>> which version of Thunderbird are you using? Thunderbird 38.1.0 for Windows and Thunderbird 37.8.0 for Linux (Ubuntu) are not compatible anymore with some POP3/IMAP servers when using SSL/TLS security.
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1183650
>> https://www.thunderbird-mail.de/index.php/Thread/70861-Verbindungssicherheit-STARTTLS-funktioniert-seit-TB-38-1-0-nicht-mehr
>>
>> In Ubuntu I switched to the email client Evolution, and in Windows I reinstalled Thunderbird 38.0.1 and disabled the automatic update function.
>>
>> On 24.07.2015 at 00:11, Lenz Weber wrote:
>>> Hi Sam,
>>>
>>> I'm trying to get this running, but I fear I won't get any further without your feedback. Logging in with a certificate just doesn't work. :(
>>>
>>> I have created a CA certificate and a client certificate. The CA has signed itself and the client:
>>>
>>>     openssl verify -verbose -CAfile courier-ca.crt *.crt
>>>     courier-ca.crt: OK
>>>     ...@le...t: OK
>>>
>>> my userdb contains a line for that login and I have run makeuserdb.
>>>
>>>     te...@le...	mail=/var/vmail/lenzw.de/mail/|uid=5000|gid=5000
>>>
>>> imapd is configured accordingly (the certificate exists and has world-read permissions):
>>>
>>>     TLS_TRUSTCERTS=/etc/ssl/certs/mail-ca.crt
>>>     TLS_VERIFYPEER=PEER
>>>     TLS_EXTERNAL=emailaddress
>>>
>>> I tested connecting on port 143 with STARTTLS as well as port 993.
>>>
>>>     openssl s_client -connect umask.pw:993 -cert te...@le...t -key te...@le...y
>>>     ...
>>>     Acceptable client certificate CA names
>>>     /C=DE/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.fw.umask.pw
>>>     Client Certificate Types: RSA sign, DSA sign, ECDSA sign
>>>     Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>>>     Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>>>     ...
>>>
>>> So the cert I am using should work okay:
>>>
>>>     Signature Algorithm: sha256WithRSAEncryption
>>>     Issuer: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw
>>>     Validity
>>>         Not Before: Jul 23 21:10:50 2015 GMT
>>>         Not After : Aug  1 21:10:50 2016 GMT
>>>     Subject: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw/emailAddress=te...@le...
>>>
>>> When I try to log in with Thunderbird, it lets me choose my key+certificate, but login doesn't work:
>>>
>>>     1196[129a4bc0]: try to log in
>>>     1196[129a4bc0]: IMAP auth: server caps 0x204c3325, pref 0x20000000, failed 0x0, avail caps 0x20000000
>>>     1196[129a4bc0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
>>>     1196[129a4bc0]: trying auth method 0x20000000
>>>     1196[129a4bc0]: IMAP: trying auth method 0x20000000
>>>     1196[129a4bc0]: 13ba0800:umask.pw:NA:SendData: 3 authenticate EXTERNAL dGVzdEBsZW56dy5kZQ==
>>>     1196[129a4bc0]: ReadNextLine [stream=18445650 nb=20 needmore=0]
>>>     1196[129a4bc0]: 13ba0800:umask.pw:NA:CreateNewLineFromSocket: 3 NO Login failed.
>>>     1196[129a4bc0]: authlogin failed
>>>
>>> Unfortunately, I don't get much more information from Courier:
>>>
>>>     Jul 23 23:58:03 localhost imapd-ssl: Connection, ip=[::ffff:...]
>>>     Jul 23 23:58:06 localhost imapd-ssl: LOGIN FAILED, method=EXTERNAL, ip=[::ffff:...]
>>>     Jul 23 23:58:12 localhost imapd-ssl: Disconnected, ip=[::ffff:...], time=9, starttls=1
>>>
>>> Are there any more logging options in Courier that I can enable? This mode seems to bypass authdaemon and I haven't found any log level options besides authdaemon.
>>>
>>> Sorry for the long mail and thank you for reading it,
>>> Lenz
>>>
>>> On 22.07.2015 at 14:21, Sam Varshavchik wrote:
>>>> Sam Varshavchik writes:
>>>>
>>>>> Lenz Weber writes:
>>>>>
>>>>>> Hi, sorry, but I have not found any documentation on this:
>>>>>>
>>>>>> I see that I can add a CA certificate to TLS_TRUSTCERTS and then set TLS_VERIFYPEER to PEER to enable certificate authentication.
>>>>>>
>>>>>> But with just that setup, if one client key is compromised, I have to change the complete CA. Is there a way to revoke a single certificate?
>>>>>
>>>>> Nope. There is no support for revocation lists at this time.
>>>>
>>>> Note, though, that you can achieve pretty much the same thing via authentication.
>>>>
>>>> Client certificates work by having the code fish out the emailAddress attribute from the client's certificate and using it to log in. So, to effectively revoke the certificate, remove the login, and create another one, with a new certificate.
>>>>
>>>> Even with /etc/passwd, you can have two entries in /etc/passwd with different login names, but the same userid, groupid, and home directory. One is the public email address, the second one is for logging in. To effectively revoke a cert, the second one is removed, and replaced. So, one would have <us...@ex...> as their public email address, and their certificate reads <mb...@ex...>, which logs into this mailbox. Left to its own devices, mail to either address would end up in the same mailbox, but so what. To "remove" the certificate, the <mb...@ex...> login gets deleted, and replaced with <mb...@ex...>; the public email address is unaffected.

------------------------------------------------------------------------------
_______________________________________________
Courier-imap mailing list
Cou...@li...
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
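Thomas's fix above boils down to "the Debian-default dhparams.pem is a 768-bit group; regenerate it at 2048 bits". The following is an added example, not code from the thread, from Courier or from Debian: a dependency-free Python checker that reads a dhparams.pem, decodes the PKCS#3 DHParameter structure (SEQUENCE { prime INTEGER, base INTEGER, privateValueLength INTEGER OPTIONAL }) with a minimal DER reader and reports the prime size, so a fleet of Courier hosts can be audited for weak groups without relying on the openssl binary. The 2048-bit threshold, the default path and the sample parameter blocks it builds (placeholder odd integers of the right size, not real safe primes) are assumptions for illustration only.

```python
"""Audit the size of the Diffie-Hellman group in a Courier dhparams.pem.

Pure Python: decodes the PEM body and parses the PKCS#3 DHParameter
structure (SEQUENCE { prime INTEGER, base INTEGER, privateValueLength
INTEGER OPTIONAL }) with a minimal DER reader, so no openssl binary is
needed on the host being audited.
"""
import base64
import re
import sys

MIN_DH_BITS = 2048   # policy threshold (assumed here); 768- and 1024-bit groups are flagged
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_length(buf: bytes, pos: int):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte holds the length
        return first, pos + 1
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_integer(buf: bytes, pos: int):
    """Decode a DER INTEGER at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    return value, pos + length


def parse_dhparams(pem: str):
    """Return (p, g) from a PEM-encoded DH PARAMETERS block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _der_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing data after DHParameter")
    p, pos = _der_integer(der, pos)
    g, pos = _der_integer(der, pos)
    if pos < end:                         # optional privateValueLength; parsed and ignored
        _, pos = _der_integer(der, pos)
    if p <= 0 or g <= 1 or pos != end:
        raise ValueError("malformed DHParameter")
    return p, g


def dh_prime_bits(pem: str) -> int:
    """Size of the group prime in bits, which is what 'openssl dhparam -text' reports."""
    return parse_dhparams(pem)[0].bit_length()


def dhparams_ok(pem: str, minimum: int = MIN_DH_BITS) -> bool:
    """True when the group's prime is at least `minimum` bits."""
    return dh_prime_bits(pem) >= minimum


# --- DER encoder, used only to build the constructed sample files below ------

def _der_encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_encode_integer(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")   # +8: keep a leading 0x00 when the high bit is set
    return b"\x02" + _der_encode_length(len(body)) + body


def make_dhparams_pem(p: int, g: int = 2) -> str:
    """Encode (p, g) as a PEM DH PARAMETERS block in the layout openssl dhparam writes."""
    body = _der_encode_integer(p) + _der_encode_integer(g)
    der = b"\x30" + _der_encode_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed samples: placeholder odd integers of the target size, NOT real
# safe primes. They only exercise the size check; never use them for TLS.
SAMPLE_768_BIT_PEM = make_dhparams_pem((1 << 767) | 0x2B)
SAMPLE_2048_BIT_PEM = make_dhparams_pem((1 << 2047) | 0x2B)


def audit(path: str) -> str:
    """One-line verdict for the dhparams file at `path`."""
    with open(path) as fh:
        bits = dh_prime_bits(fh.read())
    verdict = "OK" if bits >= MIN_DH_BITS else "TOO SMALL, regenerate with: openssl dhparam -out <file> 2048"
    return "%s: %d-bit DH prime -> %s" % (path, bits, verdict)


if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "/etc/courier/dhparams.pem"))
```

Run it as `python3 dhaudit.py /etc/courier/dhparams.pem`; a host still carrying the mkdhparams default prints a 768-bit verdict. Where openssl is available, `openssl dhparam -in /etc/courier/dhparams.pem -noout -text` prints the same size. After regenerating with the `openssl dhparam -out /etc/courier/dhparams.pem 2048` command from the thread, restore the previous file's owner and mode before restarting imapd-ssl, since Courier reads the file as its own unprivileged user.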