For Thunderbird clients (2.0.0.19) which have a PGP email certificate
installed, where the user chooses to use TLS to connect to the IMAP server,
the user gets a prompt saying:
"This site has requested that you identify yourself with a certificate"
and is offered the choice of his PGP email certificate, which fails.
Deleting the email certificate fixes the problem but also makes the user
unable to use email encryption.
Further reading and googling suggest:
1. The IMAP server requested the client to offer a client certificate
when it doesn't need it. This is a server configuration problem;
2. Thunderbird either presents the PGP email certificate to the server,
which fails, or prompts the user to choose a certificate where only "cancel"
would work, which is annoying. There is a Thunderbird feature
request 437683 <https://bugzilla.mozilla.org/show_bug.cgi?id=437683> to
configure Thunderbird to not offer any client certificate for IMAP
connections.
To solve the problem at the moment I think my only choice is to change the
IMAP server configuration, because 437683 is not to be fixed in
Thunderbird 3.0 yet.
Question:
1. My server runs cyrus-imapd-2.2.12; is it OpenSSL or imapd.conf that
needs to be configured?
2. Adding "tls_require_cert: false" and restarting imapd doesn't change
the behavior. What should I change?
Thanks a lot in advance.

> Question:
>
> 1. My server runs cyrus-imapd-2.2.12; is it OpenSSL or imapd.conf that
> needs to be configured?
Most likely the latter. OpenSSL is not going to request a client certificate
on its own. It's an option that must be explicitly enabled.
> 2. Adding "tls_require_cert: false" and restarting imapd doesn't change
> the behavior. What should I change?
Look for a different option in the configuration file. This is a different
option. However, keep this specific option set to false, otherwise you won't
be able to establish a connection without providing a certificate at all.

Thank you very much for the fast reply. I am perhaps dumb, but looking
through the imapd.conf manual I only found this option that might be
relevant:
    tls_require_cert: 0
        Require a client certificate for ALL services (imap, pop3,
        lmtp, sieve).
I also found the option "tls_imap_require_cert" by googling, which does not
exist in my imapd.conf(5) in cyrus-imapd-2.2.12. I added it to imapd.conf
nevertheless, and it doesn't change Thunderbird's behaviour either.
Can you be more specific about what option I should tweak? For both options
I tried both "false" and "0" as the value.

I don't know. Try asking on the Cyrus mailing list. All I know are the
actual OpenSSL options that are in play here. The SSL_VERIFY_PEER flag
requests a client certificate, and SSL_VERIFY_FAIL_IF_NO_PEER_CERT requires
the client to provide the certificate, otherwise the handshake fails. See
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
"tls_require_cert" obviously sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but you
want the SSL_VERIFY_PEER flag turned off, so that the client is not asked
for a certificate, which is what causes Thunderbird to issue the prompt.
There should be an option you can set in the configuration file that turns
off the first flag.
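
As an added example (not code from this thread, from Cyrus, or from OpenSSL), the Python below uses the standard-library ssl module, which is a thin wrapper over the same SSL_CTX_set_verify flags named above, to show the three server-side settings and what each means for a client that has no usable certificate to offer. It also includes a small check that scans a capture of `openssl s_client -msg -connect host:993` for a CertificateRequest sent by the server, so an admin can confirm from the outside whether the IMAP server is asking for a client certificate. The flag mapping is real OpenSSL/Python behaviour; the sample transcripts are constructed and the function names are my own.

```python
import ssl

# OpenSSL verify-flag values as passed to SSL_CTX_set_verify() (the real constants).
SSL_VERIFY_NONE = 0x00
SSL_VERIFY_PEER = 0x01                  # server sends CertificateRequest; client may decline
SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02  # only meaningful together with SSL_VERIFY_PEER

# Python's ssl.VerifyMode maps onto those flags: CERT_OPTIONAL sets SSL_VERIFY_PEER,
# CERT_REQUIRED sets SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
_FLAGS_TO_MODE = {
    SSL_VERIFY_NONE: ssl.CERT_NONE,
    SSL_VERIFY_PEER: ssl.CERT_OPTIONAL,
    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: ssl.CERT_REQUIRED,
}


def server_context(flags: int) -> ssl.SSLContext:
    """Server-side TLS context whose client-certificate policy matches the OpenSSL flags.

    SSL_VERIFY_FAIL_IF_NO_PEER_CERT on its own is rejected: without SSL_VERIFY_PEER
    the server never asks for a certificate, so there is nothing for it to fail on.
    """
    if flags not in _FLAGS_TO_MODE:
        raise ValueError(f"unsupported verify flag combination {flags:#04x}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = _FLAGS_TO_MODE[flags]
    return ctx


def handshake_behaviour(ctx: ssl.SSLContext) -> dict:
    """How the handshake goes for a client without a usable client certificate."""
    mode = ctx.verify_mode
    return {
        # CertificateRequest is sent whenever SSL_VERIFY_PEER is set; that message
        # is what makes Thunderbird show its "identify yourself" prompt.
        "sends_certificate_request": mode != ssl.CERT_NONE,
        # Only SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes an empty client Certificate fatal.
        "handshake_ok_without_client_cert": mode != ssl.CERT_REQUIRED,
    }


def server_requests_client_cert(s_client_msg_output: str) -> bool:
    """Scan `openssl s_client -msg` output for a CertificateRequest from the server.

    Lines beginning with '<<<' are messages received from the server; s_client
    prints the handshake message type after the last comma on the line.
    """
    for line in s_client_msg_output.splitlines():
        line = line.strip()
        if line.startswith("<<<") and line.rsplit(",", 1)[-1].strip() == "CertificateRequest":
            return True
    return False


# Constructed sample captures in the style of `openssl s_client -msg` output
# (hypothetical; not transcripts from the server discussed in the thread).
SAMPLE_SERVER_ASKS = """\
>>> TLS 1.2, Handshake [length 00c1], ClientHello
<<< TLS 1.2, Handshake [length 0041], ServerHello
<<< TLS 1.2, Handshake [length 0456], Certificate
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2, Handshake [length 0027], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0007], Certificate
"""

SAMPLE_SERVER_DOES_NOT_ASK = """\
>>> TLS 1.2, Handshake [length 00c1], ClientHello
<<< TLS 1.2, Handshake [length 0041], ServerHello
<<< TLS 1.2, Handshake [length 0456], Certificate
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange
"""

if __name__ == "__main__":
    for name, flags in [
        ("SSL_VERIFY_NONE", SSL_VERIFY_NONE),
        ("SSL_VERIFY_PEER", SSL_VERIFY_PEER),
        ("SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
         SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
    ]:
        print(name, handshake_behaviour(server_context(flags)))
    print("sample 1 asks for a client cert:", server_requests_client_cert(SAMPLE_SERVER_ASKS))
    print("sample 2 asks for a client cert:", server_requests_client_cert(SAMPLE_SERVER_DOES_NOT_ASK))
```

The middle row (SSL_VERIFY_PEER without SSL_VERIFY_FAIL_IF_NO_PEER_CERT) is the state the thread describes: the connection works if the client cancels, but the prompt still appears. Dropping SSL_VERIFY_PEER is the only setting in which the server never sends CertificateRequest, which is the change the thread concludes Cyrus has no option for.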

There is no such option at the moment for cyrus-imapd to fix the issue.
I consulted the Cyrus mailing list; it seems 4 years ago someone posted
a patch to solve the issue by changing an option, but it never got accepted,
for no reason:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642
I guess if someone can push a bit (admins like me, frustrated at having to
offer extra support for open-source/Thunderbird users) this can go into a release
cycle, but I don't know how to push that.