You can try this: https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642
On Tuesday 04 August 2009, Zhang Weiwu wrote:
> Hello.
>
> I am trying to help my users work around an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
>
> In short, cyrus imapd asked for tls client certificate, while user agent
> thunderbird prompts user to select one. Since our deployment does not
> require client certificate, and users have their email PGP certificate
> installed, whatever PGP certificate user selects must be wrong, thus
> user couldn't establish connection to imap server.
>
> Workarounds:
>
> 1. Disable TLS on server or client (bad, their email wouldn't be safe
>    then);
> 2. Remove PGP certificate for our clients (bad, ditto);
> 3. Ask users to switch from Thunderbird to Outlook Express (bad, I
>    feel sicker if they do);
> 4. Wait for Thunderbird to add an option to allow user to configure
>    always not offer certificate to TLS server even if asked (bad,
>    could be years' waiting);
> 5. Configure cyrus so that it does not turn on SSL_VERIFY_PEER flag
>    (of openssl), that imapd server do not ask user for client
>    certificate (the only solution that looks feasible);
>
> So 4 is the choice. Problem being I couldn't figure out how to configure
> it that way. I configured "tls_require_cert: false" which sets
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls if requires the client
> to provide the certificate (instead of SSL_VERIFY_PEER which controls if
> asks the client to provide the certificate).
>
> So how do you suggest me handle the situation? Thanks a lot in advance!
>

--
Vladimir Vassiliev <v...@edu.yar.ru>