Hello people,
I don't know if anyone can shed any light on this, but I seem to have been
going round in circles for days and I'm getting dizzy.
I'm __trying__ (gritted teeth!) to get Mozilla 1.5 to work with bincimap with
SSL/TLS client authorisation enabled.
Without SSL client authorisation ('verify peer' = off), I have no problems at
all. I can connect to the bincimap-ssl server, enter my password, and
everything works fine.
However, despite providing Mozilla with the appropriate client certificate, I
can't establish a connection if I set 'verify peer' on.
Here's what I did to generate the certificates:
Create a CA key & strip out the password
Self-sign the CA key to create the CA certificate
Create a bincimap server key & strip out the password
Sign the server key with the CA certificate to create the server certificate
Create a client key
Sign the client key with the CA certificate to create the client certificate
Install the concatenated server key/certificate as bincimap.pem
Install the CA certificate as bincimap.ca
Install the client certificate in Mozilla. Tell Mozilla to use SSL encryption
and authorisation.
Result? I get this in the bincimap log:
error initializing Binc IMAP: SSL negotiation failed: Internal SSL error:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
I take it from this that either SSL is broken or Mozilla 1.5 doesn't do what
it's supposed to, i.e. return a client certificate?
I'm also a bit suspicious of bincimap itself, because while I've been playing
about with this, at one point I installed the bincimap certificates & CA
without first stripping out the password. When I did this, the client was
able to connect with no problems despite 'verify client' = on and the client
not having a certificate! This looks like bincimap was unable to make sense
of its own certificate (because of the password on it) and so gave up and
allowed the connection anyway. Is this known / desirable behavior?
Does anyone have any idea how I can test this from telnet? i.e. the command
needed to present a certificate to the server?
I've tried to use Opera but I get nowhere with that (it doesn't even have an
option for authorisation - maybe it just 'does it' anyway if I give it a
certificate?). And I can't get the latest Thunderbird client working on my
machine, but that's another story. Can anyone suggest a client that is known
to work with bincimap and SSL client authorisation? I'm only using Mozilla
because I thought it was fully up to spec; I'm a 'KMail' man normally (but
this doesn't have client authorisation - not the version I have anyway).
Oh well, thank you for listening.
regards,
R.
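The certificate-generation steps and the two tests the message asks about (is the server key really passphrase-free, and how to present a client certificate without a GUI mail client), as an added example that is not part of the original post and is not bincimap's own tooling. It builds a throw-away CA, server and client certificate with the openssl CLI, assembles bincimap.pem and bincimap.ca, and then checks the properties that matter: each certificate chains to the CA, the key in bincimap.pem carries no passphrase, and the client certificate is marked for client authentication (which is what Mozilla looks at when deciding which certificate to offer). The host name imap.example.test, the subject names, port 993, the 2048-bit key size and the directory layout are assumptions. telnet cannot speak TLS, so the "telnet" test is done with openssl s_client, which presents a client certificate when given -cert and -key.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away CA, a server
# certificate and a client certificate with the openssl CLI, assemble the two
# files bincimap reads, and check the properties that matter before pointing a
# mail client at the server.  Host name, subject names, port and directory
# layout are assumptions; adjust them to the real deployment.
set -eu

IMAP_HOST="${IMAP_HOST:-imap.example.test}"   # assumed server name
IMAP_PORT="${IMAP_PORT:-993}"                  # assumed bincimap-ssl port

# make_pki DIR: generate CA, server and client key pairs and certificates.
# Every key is written without a passphrase (-nodes): a daemon cannot answer
# a passphrase prompt at start-up, and an encrypted key in bincimap.pem is
# exactly the misconfiguration the post describes.
make_pki() {
    dir="$1"
    mkdir -p "$dir"

    # CA key + self-signed CA certificate
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server key + CSR, signed by the CA.  The extension file marks the
    # certificate as a server certificate for the given host name.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=$IMAP_HOST" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$IMAP_HOST" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -set_serial 1 \
        -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # Client key + CSR, signed by the same CA and marked for client
    # authentication, which is what a mail client checks when choosing a
    # certificate to present.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=alice@example.test" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -set_serial 2 \
        -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

    # The two files bincimap is configured with: server key + certificate
    # concatenated, and the CA certificate used to verify client certificates.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/bincimap.pem"
    cp "$dir/ca.crt" "$dir/bincimap.ca"
    chmod 600 "$dir/bincimap.pem" "$dir"/*.key

    # For contrast: a passphrase-protected copy of the client key, the kind
    # of file that must not end up in bincimap.pem.
    openssl rsa -in "$dir/client.key" -aes256 -passout pass:example-passphrase \
        -out "$dir/client.enc.key" 2>/dev/null
}

# verify_chain CAFILE CERT: true when CERT chains to the CA in CAFILE.  This is
# the same check the server performs on a presented client certificate.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_is_unencrypted KEYFILE: true when the PEM key carries no passphrase.
# Both the PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and the traditional
# ("Proc-Type: 4,ENCRYPTED") encodings contain the word ENCRYPTED.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# has_client_auth_eku CERT: true when extendedKeyUsage includes clientAuth.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# imap_client_test DIR: the "from telnet" test asked for in the post.  telnet
# cannot speak TLS; openssl s_client can, and -cert/-key make it present the
# client certificate.  Needs a running server, so it is defined but not run.
imap_client_test() {
    openssl s_client -connect "$IMAP_HOST:$IMAP_PORT" -CAfile "$1/ca.crt" \
        -cert "$1/client.crt" -key "$1/client.key"
}

# Run the offline checks on a fresh directory.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
make_pki "$PKI_DIR"
verify_chain "$PKI_DIR/bincimap.ca" "$PKI_DIR/server.crt" && echo "server cert chains to CA"
verify_chain "$PKI_DIR/bincimap.ca" "$PKI_DIR/client.crt" && echo "client cert chains to CA"
key_is_unencrypted "$PKI_DIR/bincimap.pem" && echo "bincimap.pem key has no passphrase"
key_is_unencrypted "$PKI_DIR/client.enc.key" || echo "client.enc.key is encrypted (a daemon could not load it)"
has_client_auth_eku "$PKI_DIR/client.crt" && echo "client cert carries clientAuth EKU"
echo "files written to $PKI_DIR"
```

Once bincimap-ssl is running with the generated bincimap.pem and bincimap.ca, `imap_client_test "$PKI_DIR"` opens a session that presents the client certificate; the "no certificate returned" error in the post is what the server logs when the client completes the handshake without offering one, so a successful s_client session that shows "Verify return code: 0 (ok)" and the IMAP greeting isolates the problem to the mail client's certificate selection rather than the server. The client certificate and key can be combined for import into Mozilla with `openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.p12`.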