On Wed, Feb 14, 2001 at 09:24:46PM +0000, Tim Small wrote:
> I'm wondering if anyone can shed any light on a problem I'm having with
> Outlook Express? Apologies for posting a load of debug output to the
> list, but I didn't really know what was safe to omit.
>
> I'm trying to setup secure IMAP, using stunnel (stage 2 is to go for
> secure SMTP as well, with postfix/TLS).
I am using a setup like this. You don't say which type of IMAP server
you are using. As far as I have seen, several of them by now support
SSL out of the box (cyrus, UofW and others). I personally use UofW
and can assure you that it works.
> I've created my own CA, signed a client certificate and a server
> certificate. I've imported the CA, and client certificate (via 'openssl
> pkcs12') into IE. If I use IE to go to https://mail.brain:993/, it will
> successfully connect (prompting me to select the client certificate),
> and I can sniff network traffic on the redirected connection (of course,
> imapd doesn't speak http very clearly, but there is definitely some
> plain-text confusion going on ;-).
Use "openssl s_client -connect hostname:553" to check your connections.
You should see something like:
[lots of SSL info deleted]
..
* OK [CAPABILITY IMAP4 IMAP4REV1 STARTTLS LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN]
localhost IMAP4rev1 2000.287 at Wed, 14 Feb 2001 22:46:26 +0100 (MET)
> I'm running stunnel like this:
>
> stunnel -v 2 -D 7 -f -A /home/tim/CAs_file_for_stunnel.pem -p
> /home/tim/server_cert3_pub_priv.pem -d simap -r imap2 simap
>
> i.e. redirect to local imap port, listen on simap port (993), and insist
> on client certificate authentication.
I don't think UofW imapd supports client certificates, but see below...
> In Outlook 2000, and Outlook Express 5 (under Win98, with all Windows
> Updates, and Office 2000 updates applied), it will refuse to connect.
> The Outlook Express "diagnostics" say:
>
> "Configuration:
> Account: mail.brain
> Server: mail.brain
> User name: tim
> Protocol: IMAP
> Port: 993
> Secure(SSL): 1
> Code: 800ccc1a
> "
>
> And Stunnel says:
...
> LOG3[1807:93186]: SSL_accept: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
To my knowledge, Outlook does not support client certificates for SSL
connections. Certificates available are only used to sign/encrypt emails.
You will have the same experience when it comes to the SMTP part.
> If I run Netscape Communicator 4.75 on the same Windows box, everything
> is fine:
Yes, Netscape supports this use of client certificates.
I (as the author of Postfix/TLS) have been examining this in detail and
to my best knowledge Outlook does not support usage of client certificates
for IMAP, POP3, or SMTP.
No better news today,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
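The `openssl s_client` check Lutz recommends, done from Python as an added example that is not part of the thread: it opens the TLS connection to the IMAPS port, parses the IMAP greeting (the sample greeting is the one quoted above, embedded here as a constructed string), and reports a TLS failure when the server side (stunnel with `-v 2`) insists on a client certificate that the client does not present. The host, the paths to the CA file and client certificate, and the function names are assumptions.

```python
import re
import socket
import ssl

# Constructed sample: the UofW imapd greeting shown in the thread, joined
# onto one line (the mail client wrapped it).
SAMPLE_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4REV1 STARTTLS LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] "
    "localhost IMAP4rev1 2000.287 at Wed, 14 Feb 2001 22:46:26 +0100 (MET)"
)


def parse_imap_greeting(line):
    """Return (status, capabilities) from an untagged IMAP greeting.

    status is 'OK', 'PREAUTH' or 'BYE'; capabilities is the token list
    inside a [CAPABILITY ...] response code, or [] if none was sent.
    """
    m = re.match(r"\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])?", line.strip())
    if not m:
        raise ValueError("not an IMAP greeting: %r" % line)
    caps = m.group(2).split() if m.group(2) else []
    return m.group(1), caps


def cleartext_login_offered(caps):
    """True if a password would cross the wire unprotected on a plain
    connection: PLAIN/LOGIN mechanisms, or LOGIN not disabled. Acceptable
    only because the connection is already wrapped in TLS by stunnel."""
    return ("AUTH=PLAIN" in caps or "AUTH=LOGIN" in caps
            or "LOGINDISABLED" not in caps)


def probe_imaps(host, port=993, cafile=None, client_cert=None, timeout=10):
    """Connect the way 'openssl s_client -connect host:993' does.

    Returns ('greeting', status, caps) on success or ('tls-failure', msg)
    when the handshake is refused, e.g. because stunnel -v 2 demands a
    client certificate and client_cert is None. client_cert is a PEM file
    holding both certificate and private key (assumed layout).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(client_cert)
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLError as e:
        sock.close()
        return ("tls-failure", str(e))
    greeting = tls.recv(4096).decode("utf-8", "replace")
    tls.close()
    status, caps = parse_imap_greeting(greeting)
    return ("greeting", status, caps)
```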