On Tue, 4 Aug 2009, Zhang Weiwu wrote:

> Hello.
>
> I am trying to help my users work around an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
>
> In short, cyrus imapd asked for tls client certificate, while user agent 
> thunderbird prompts user to select one. Since our deployment does not 
> require client certificate, and users have their email PGP certificate 
> installed, whatever PGP certificate user selects must be wrong, thus 
> user couldn't establish connection to imap server.

I've used a patch like this to patch Cyrus IMAPD:
Add to your imapd.conf:
# Whether to request client certificate with STARTTLS session.
#
##tls_request_cert: 1
# Whether to request client certificate with STARTTLS session.
#
imap_tls_request_cert: 0
pop3_tls_request_cert: 0

Patch:
--- imap/tls.c.orig     Fri Oct 28 17:51:18 2005
+++ imap/tls.c  Thu Mar  2 12:45:28 2006
@@ -580,6 +580,7 @@
      const char   *s_cert_file;
      const char   *s_key_file;
      int    requirecert;
+    int    requestcert;
      int    timeout;

      if (tls_serverengine)
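
Review bot: the new `int requestcert;` is declared without an initializer and, going by the later hunk in this file, is assigned only inside the `if (askcert!=0)` branch. Either initialise it at the declaration or drop the variable and test `config_getswitch(IMAPOPT_TLS_REQUEST_CERT)` directly in the condition, so no later use can read an unset value.
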
@@ -684,8 +688,11 @@
      SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);

      verify_depth = verifydepth;
-    if (askcert!=0)
-       verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+    if (askcert!=0) {
+       requestcert = config_getswitch(IMAPOPT_TLS_REQUEST_CERT);
+       if (requestcert)
+           verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+    }

      requirecert = config_getswitch(IMAPOPT_TLS_REQUIRE_CERT);
      if (requirecert)
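
Review bot: in the new `if (askcert!=0)` block, the combination of tls_request_cert off and tls_require_cert on is neither handled nor documented. The `requirecert` check in the trailing context still runs regardless of `requestcert`, so an administrator can disable the request while still requiring a certificate. Either have require imply request or reject that combination at startup, and state the chosen behaviour in the option description. Separately, the header offsets (-684 / +688) imply four lines added earlier in imap/tls.c, while the preceding hunk as posted adds only one, so the patch as mailed looks incomplete.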

--- lib/imapoptions     Wed Feb  1 21:44:06 2006
+++ lib/imapoptions     Thu Mar  2 12:45:28 2006
@@ -956,6 +956,9 @@
  /* File containing the private key belonging to the server
     certificate.  A value of "disabled" will disable SSL/TLS. */

+{ "tls_request_cert", 1, SWITCH }
+/* Request a client certificate for ALL services (imap, pop3, lmtp, sieve). */
+
  { "tls_require_cert", 0, SWITCH }
  /* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */
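
Review bot: the description added for "tls_request_cert" does not say what setting it to 0 does or how it relates to "tls_require_cert" directly below it. A sentence such as "If disabled, the server does not ask the client for a certificate during TLS negotiation" would help, along with a note on the per-service form, since the imapd.conf example in this mail sets imap_tls_request_cert and pop3_tls_request_cert rather than the name defined here. The new entry also starts in column 0 while the neighbouring `{ "tls_require_cert", 0, SWITCH }` line is indented by one space; match the file's existing layout.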

-- 
   Leena Heino              University of Tampere / Computer Centre
   ( liinu at uta.fi )      ( http://www.uta.fi/laitokset/tkk )
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
