Hello. Is it possible to get client authenticated STARTTLS working with Cyrus IMAPD, without a password login?
I'm assuming EXTERNAL would be used for this, so here is what I put in
imapd.conf:

sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5 EXTERNAL

However, even after successful client auth STARTTLS, the EXTERNAL
mechanism is not available. Any ideas?

Thanks,
Simon

May 27 10:35:35 yxa-iv cyrus/imap[26577]: executed
May 27 10:35:35 yxa-iv cyrus/imapd[26577]: accepted connection
May 27 10:35:45 yxa-iv cyrus/imapd[26577]: Doing a peer verify
May 27 10:35:45 yxa-iv cyrus/imapd[26577]: Doing a peer verify
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: mystore: starting txn 2147485235
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: mystore: committing txn 2147485235
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: received client certificate
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: subject=/C=SE/ST=Stockholm/L=:Stockholm/O=YXA/OU=Simon Josefsson/CN=jas/[EMAIL PROTECTED]
May 27 10:35:46 yxa-iv cyrus/imapd[26577]: starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) authenticated as jas

[EMAIL PROTECTED]:~$ /usr/bin/gnutls-cli -s -p 143 yxa.extundo.com --x509cafile cacert.pem --x509keyfile jas-key.pem --x509certfile jas-cert.pem
Processed 1 CA certificate(s).
Resolving 'yxa.extundo.com'...
Connecting to '217.13.230.178:143'...
- Simple Client Mode:

* OK yxa-iv Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
. capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
. OK Completed
. starttls
. OK Begin TLS negotiation now
*** Starting TLS handshake
- Server's trusted authorities:
   [0]: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,[EMAIL PROTECTED]
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'yxa.extundo.com'.
 # valid since: Sun May 23 22:40:00 CEST 2004
 # expires at: Sun Jul 23 22:40:00 CEST 2023
 # serial number: 03
 # fingerprint: cc 42 11 fd 80 da 1f 56 db dc 90 1b 42 c2 aa 8c
 # version: #1
 # public key algorithm: RSA
 #   Modulus: 1024 bits
 # Subject's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=Mail server,CN=yxa.extundo.com,[EMAIL PROTECTED]
 # Issuer's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,[EMAIL PROTECTED]

 - Certificate[1] info:
 # valid since: Sun May 23 11:35:00 CEST 2004
 # expires at: Sun Jul 23 11:35:00 CEST 2023
 # serial number: 00
 # fingerprint: fc 76 d8 63 1a c9 0b 3b fa 40 fe ed 47 7a 58 ae
 # version: #3
 # public key algorithm: RSA
 #   Modulus: 1024 bits
 # Subject's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,[EMAIL PROTECTED]
 # Issuer's DN: C=SE,ST=Stockholm,L=Stockholm,O=YXA,OU=CA,CN=yxa.extundo.com,[EMAIL PROTECTED]

- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: SHA
- Compression: NULL
. capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
. OK Completed
. authenticate EXTERNAL
. NO no mechanism available
. logout
* BYE LOGOUT received
. OK Completed
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
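The check Simon performs by hand with gnutls-cli (compare the CAPABILITY list before and after STARTTLS, then try AUTHENTICATE EXTERNAL) can be scripted so an administrator can re-run it after each imapd.conf change. The following is an added example, not code from the post or from the Cyrus project. The two sample CAPABILITY lines are copied from the session above; the host, port and the cacert.pem / jas-cert.pem / jas-key.pem file names used by check_server() are assumptions taken from the gnutls-cli command line, and check_server() needs a live server, while the parsing and diagnosis functions run offline.

```python
"""Diagnose whether an IMAP server offers SASL EXTERNAL after a client-certificate STARTTLS.

Added example (not from the mailing-list post). It parses untagged CAPABILITY
responses, compares the SASL mechanisms advertised before and after STARTTLS,
and optionally repeats the exchange against a live server with imaplib.
"""
import imaplib
import ssl

# Constructed samples: the two CAPABILITY replies quoted in the post, before and after STARTTLS.
CAPS_BEFORE_TLS = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID "
    "NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES "
    "IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE"
)
CAPS_AFTER_TLS = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID "
    "NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES "
    "IDLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE"
)


def parse_capabilities(line):
    """Turn an untagged '* CAPABILITY ...' response into a set of upper-case atoms."""
    tokens = line.split()
    if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "CAPABILITY":
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def sasl_mechanisms(caps):
    """Extract mechanism names from AUTH=<mech> capability atoms."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def diagnose(caps_before, caps_after):
    """Return human-readable findings about the pre- and post-STARTTLS capability sets."""
    findings = []
    if "STARTTLS" not in caps_before:
        findings.append("server does not advertise STARTTLS on the cleartext connection")
    clear_plain = sasl_mechanisms(caps_before) & {"PLAIN", "LOGIN"}
    if clear_plain:
        findings.append("plaintext mechanisms offered before TLS: " + ", ".join(sorted(clear_plain)))
    if "EXTERNAL" in sasl_mechanisms(caps_after):
        findings.append("AUTH=EXTERNAL offered after STARTTLS: certificate login is possible")
    else:
        findings.append(
            "AUTH=EXTERNAL not offered after STARTTLS: the verified client certificate cannot be "
            "used to log in (check sasl_mech_list and whether the SASL library provides EXTERNAL)"
        )
    return findings


def check_server(host, port=143, cafile="cacert.pem", certfile="jas-cert.pem", keyfile="jas-key.pem"):
    """Repeat the manual gnutls-cli exchange against a live server (assumed reachable).

    Records capabilities before and after STARTTLS with the client certificate loaded,
    and tries AUTHENTICATE EXTERNAL only if the server advertises it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)  # the client certificate the server should verify
    conn = imaplib.IMAP4(host, port)
    try:
        before = {c.upper() for c in conn.capabilities}
        conn.starttls(ssl_context=ctx)  # imaplib re-reads CAPABILITY once TLS is up
        after = {c.upper() for c in conn.capabilities}
        findings = diagnose(before, after)
        if "EXTERNAL" in sasl_mechanisms(after):
            # EXTERNAL sends an empty response; the identity comes from the certificate.
            typ, _ = conn.authenticate("EXTERNAL", lambda challenge: b"")
            findings.append("AUTHENTICATE EXTERNAL returned " + typ)
        return findings
    finally:
        try:
            conn.logout()
        except Exception:
            pass  # connection may already be gone after a failed handshake


if __name__ == "__main__":
    for finding in diagnose(parse_capabilities(CAPS_BEFORE_TLS), parse_capabilities(CAPS_AFTER_TLS)):
        print("-", finding)
```

Run against the captured session the script reports that EXTERNAL is never advertised after STARTTLS, which matches the `. NO no mechanism available` reply: listing EXTERNAL in sasl_mech_list only helps if the SASL library actually provides the mechanism and the server passes the verified certificate identity to it.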