Package: cyrus-admin
Version: 2.4.17+caldav~beta10-18
Severity: normal

I attempted to set up a cyrus imap server that exclusively uses TLS
client certificate authentication (i.e. with sasl_mech_list: EXTERNAL,
tls_require_cert: true, etc.).  With imtest, this works fine.  However,
when I try to use cyradm, I get:

> gnoutchd@rei:~$ cyradm --tlskey cyrus.pem --server rei.local -u cyrus --auth 
> external
> verify error:num=19:self signed certificate in certificate chain
> cyradm: cannot authenticate to server with external as cyrus
> gnoutchd@rei:~$ 

('cyrus' is declared in imapd.conf as the sole admin user.  cyrus.pem
contains a PEM certificate followed by the corresponding private key.
The certificate has commonName set to 'cyrus'.  It's signed by my
experimental private CA, and imapd is configured to trust said CA.  The
server's certificate is also signed by this private CA, which probably
explains the 'verify error'.  Said error does not appear fatal, as
imtest prints it as well.)

Corresponding logs:

> Oct 03 21:42:14 rei cyrus/imap[6904]: accepted connection
> Oct 03 21:42:14 rei cyrus/imap[6904]: SSL_accept() incomplete -> wait
> Oct 03 21:42:14 rei cyrus/imap[6904]: Doing a peer verify
> Oct 03 21:42:14 rei cyrus/imap[6904]: Doing a peer verify
> Oct 03 21:42:14 rei cyrus/imap[6904]: SSL_accept() succeeded -> done
> Oct 03 21:42:14 rei cyrus/imap[6904]: received client certificate
> Oct 03 21:42:14 rei cyrus/imap[6904]: subject=/CN=cyrus
> Oct 03 21:42:14 rei cyrus/imap[6904]: starttls: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-SHA (256/256 bits new) authenticated as cyrus


For comparison, here's imtest:

> gnoutchd@rei:~$ imtest -t cyrus.pem -a cyrus -u cyrus rei.local -m external
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] rei 
> Cyrus IMAP v2.4.17-caldav-beta10-Debian-2.4.17+caldav~beta10-18 server ready
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 
> bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
> MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
> QRESYNC SCAN XLIST X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=EXTERNAL SASL-IR 
> COMPRESS=DEFLATE IDLE
> S: C01 OK Completed
> C: A01 AUTHENTICATE EXTERNAL Y3lydXM=
> S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
> MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
> QRESYNC SCAN XLIST X-REPLICATION URLAUTH URLAUTH=BINARY LOGINDISABLED 
> COMPRESS=DEFLATE IDLE] Success (tls protection) 
> SESSIONID=<cyrus-6945-1443925428-1>
> Authenticated.
> Security strength factor: 256
> ^CC: Q01 LOGOUT
> Connection closed.
> gnoutchd@rei:~$


And corresponding logs:

> Oct 03 22:23:48 rei cyrus/imap[6945]: accepted connection
> Oct 03 22:23:48 rei cyrus/imap[6945]: SSL_accept() incomplete -> wait
> Oct 03 22:23:48 rei cyrus/imap[6945]: Doing a peer verify
> Oct 03 22:23:48 rei cyrus/imap[6945]: Doing a peer verify
> Oct 03 22:23:48 rei cyrus/imap[6945]: SSL_accept() succeeded -> done
> Oct 03 22:23:48 rei cyrus/imap[6945]: received client certificate
> Oct 03 22:23:48 rei cyrus/imap[6945]: subject=/CN=cyrus
> Oct 03 22:23:48 rei cyrus/imap[6945]: starttls: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-SHA (256/256 bits new) authenticated as cy
> Oct 03 22:23:48 rei cyrus/imap[6945]: login: rei.local [10.179.201.75] cyrus 
> EXTERNAL+TLS User logged in SESSIONID=<cyrus-6945-
> Oct 03 22:23:50 rei cyrus/imap[6945]: USAGE cyrus user: 0.156000 sys: 0.004000
> Oct 03 22:23:50 rei cyrus/imap[6945]: Connection reset by peer, closing 
> connection
I've done some digging with gdb, and I suspect that this is what's happening:

- cyradm perl code calls imclient_starttls()

- After successful TLS negotiation (notwithstanding the unfamiliar
  private CA on the server certificate), imclient_starttls() does
    sasl_setprop(imclient->saslconn,
                      SASL_AUTH_EXTERNAL,
                      auth_id);
  with auth_id hardcoded to an empty string.  (Nearby comments suggest
  this code's unfinished.)

- sasl_setprop notices that the given string is empty and sets
  imclient->saslconn->external.auth_id to NULL instead.

- some time later, cyradm perl code calls imclient_authenticate()

- imclient_authenticate() eventually calls external_client_mech_new() to
  try EXTERNAL auth.

- external_client_mech_new() notices that external.auth_id is NULL and
  bails with SASL_NOMECH

- Since my server will only accept EXTERNAL auth, imclient_starttls()
  is forced to bail as well.


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cyrus-admin depends on:
ii  dpkg                1.17.25
ii  libcyrus-imap-perl  2.4.17+caldav~beta10-18
ii  perl                5.20.2-3+deb8u1

cyrus-admin recommends no packages.

Versions of packages cyrus-admin suggests:
pn  sasl2-bin  <none>

-- no debconf information
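As an added example (not code from this bug report, from cyrus-imapd or from cyradm), the STARTTLS plus AUTHENTICATE EXTERNAL exchange that imtest performed above, reimplemented in Python on the standard library so the pieces can be checked in isolation. The capability line is copied from the imtest transcript; the host, port, certificate and CA file arguments of `imap_external_login` are placeholders. Unlike imtest and cyradm in the transcripts, which print the "verify error:num=19" (OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, i.e. the client has no trust anchor for the private CA) and carry on, this client is handed the CA file and aborts the handshake if the server certificate does not chain to it. The pure helpers show the wire details the report's analysis turns on: the EXTERNAL initial response is the authzid base64-encoded (`cyrus` becomes `Y3lydXM=`, as in the transcript), an empty authzid is sent as `=` rather than being dropped, and the command is refused if the server does not advertise AUTH=EXTERNAL after STARTTLS.

```python
"""IMAP STARTTLS + AUTHENTICATE EXTERNAL with a client certificate.
Added example; not part of cyrus-imapd, cyradm or the bug report."""
import base64
import socket
import ssl

# Constructed sample: the untagged CAPABILITY response the report's server
# returned after STARTTLS (the transcript's wrapped line joined back together).
SAMPLE_CAPABILITY_LINE = (
    "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA "
    "MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN "
    "MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN "
    "QRESYNC SCAN XLIST X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=EXTERNAL SASL-IR "
    "COMPRESS=DEFLATE IDLE"
)


def parse_capabilities(line: str) -> set:
    """Turn '* CAPABILITY a b c' into {'a', 'b', 'c'}."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    return set(parts[2:])


def external_initial_response(authzid: str) -> str:
    """EXTERNAL's client response is the authorization id, base64-encoded.
    An empty authzid is sent as '=' (RFC 4959) so the server still sees a
    response; it must not be silently dropped, which is what the report's
    NULL auth_id amounts to on the client side."""
    if authzid == "":
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def external_auth_command(tag: str, caps: set, authzid: str) -> str:
    """Build the AUTHENTICATE line; refuse if the server does not offer
    EXTERNAL at all (the wire-level counterpart of SASL_NOMECH)."""
    if "AUTH=EXTERNAL" not in caps:
        raise RuntimeError("server does not advertise AUTH=EXTERNAL after STARTTLS")
    if "SASL-IR" in caps:  # initial response allowed on the command line
        return "%s AUTHENTICATE EXTERNAL %s" % (tag, external_initial_response(authzid))
    return "%s AUTHENTICATE EXTERNAL" % tag  # server will send a '+ ' continuation


def _send(f, line: str) -> None:
    f.write((line + "\r\n").encode("utf-8"))
    f.flush()


def _readline(f) -> str:
    return f.readline().decode("utf-8", errors="replace").rstrip("\r\n")


def imap_external_login(host, certfile, cafile, authzid, port=143, timeout=10):
    """STARTTLS, verify the server against the private CA in `cafile`, present
    the PEM cert+key in `certfile`, then AUTHENTICATE EXTERNAL as `authzid`.
    Returns the tagged reply to AUTHENTICATE (e.g. 'A01 OK ... Success').
    Placeholder arguments: host, port, certfile, cafile are assumptions."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only our private CA
    ctx.load_cert_chain(certfile)                     # PEM certificate followed by key
    sock = socket.create_connection((host, port), timeout=timeout)
    plain = sock.makefile("rwb")
    _readline(plain)                                  # server greeting
    _send(plain, "S01 STARTTLS")
    if not _readline(plain).startswith("S01 OK"):
        raise RuntimeError("server refused STARTTLS")
    tls = ctx.wrap_socket(sock, server_hostname=host)  # raises if chain not trusted
    f = tls.makefile("rwb")
    _send(f, "C01 CAPABILITY")
    caps = set()
    while True:
        line = _readline(f)
        if line.startswith("* CAPABILITY"):
            caps = parse_capabilities(line)
        if line.startswith("C01 "):
            break
    _send(f, external_auth_command("A01", caps, authzid))
    while True:
        line = _readline(f)
        if line.startswith("+"):                      # no SASL-IR: answer continuation
            _send(f, external_initial_response(authzid))
            continue
        if line.startswith("A01 "):
            break
    _send(f, "Q01 LOGOUT")
    tls.close()
    return line


if __name__ == "__main__":
    # Offline self-check against the transcript; no network access needed.
    caps = parse_capabilities(SAMPLE_CAPABILITY_LINE)
    print(external_auth_command("A01", caps, "cyrus"))
```

Run against a live server with `imap_external_login("rei.local", "cyrus.pem", "private-ca.pem", "cyrus")`; the returned line should be the `A01 OK ... Success (tls protection)` reply seen in the imtest transcript, and a server that disables EXTERNAL answers with `A01 NO`, which the caller can inspect.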
