On Wed, 25 Aug 2004, Julien Pierre wrote:

> > This works for Mozilla _browser_ and not for mozilla mailer. :(
> > If I try to connect to smtps service the mailer does not ask me for any
> > certificate (although "ask every time" is set).
> > If the remote peer is configured to not authenticate the client everything
> > works perfectly, but if the remote end requires certificate I got an Error
> > Code -12227.
> > On the server side I got:
> > Aug 25 16:40:51 XXX stunnel[7890]: SSL_accept: 140890C7:
> > error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> > return a certificate
> >
> > The mailer is configured to _send_ mails through smtps on port 465.
> >
> > Seems like the client certificate authentication feature is missing in
> > mozilla mailer (1.7.2).
> >
> I tried it with SMTPS. I don't have an SMTPS server with client auth, but
> I do have an HTTPS server with client auth. All I did was configure it
> as SMTPS server, with SSL. When trying to send a message through it, I
> did get the cert selection pop-up (I have "ask every time"). Of course,
> I couldn't send the message after that, because the server behind isn't
> SMTP, but the initial part - the SSL handshake with client auth - worked
> correctly. So, I believe the code for client auth is the same for all
> SSL sockets in Mozilla. I am using Mozilla 1.7.
>
> Please try https://yoursmtpserver:465 to find out if you get the client
> cert pop-up. I suspect you won't, because you have another problem, such
> as a misconfigured SMTPS server.
>
I set up my own https server using mod_ssl. I set it up to:

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /path/cacert.pm

If I connect using stunnel s_client and providing the proper cert
everything works, but if I type into Mozilla 1.7.2 https that server I got
exactly the same error:

"hostname has received an incorrect or unexpected message. Error Code: -12227"

However now I realized that Mozilla requires my client Cert in PKCS#12
format (not pem). I was misled by the "Purposes" field of "Web Sites"
certificates tab, which says "Client,Server" and I installed only the
server certificate.

When I converted the cert to PKCS#12 and installed it in mozilla it worked!

THANK YOU for your help!

p.s. Mozilla should be able to properly report that there is no
certificate...
p.s. why is mozilla not capable of importing pem client certs?

--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
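
Added example, not part of the original message or of any Mozilla or mod_ssl code: a PKCS#12 bundle carries the client certificate together with its private key, which is what client authentication needs, so this sketch builds one from PEM files with the openssl CLI and checks that both parts are inside. The file names, subject name, function names and passphrase are assumptions, and the self-signed throwaway certificate stands in for a certificate issued by the CA the server trusts.

```shell
#!/bin/sh
# Constructed example: every name, path and passphrase below is a placeholder.

# make_client_p12 DIR PASS
# Creates a throwaway key and self-signed certificate in PEM form, then
# bundles both into DIR/client.p12 (the format Mozilla imports).
make_client_p12() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -keyout "$dir/client.key" -out "$dir/client.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -name "example-client" \
        -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -passout "pass:$pass"
}

# p12_has_cert_and_key FILE PASS
# Succeeds only if the bundle contains at least one certificate AND a private
# key. A bundle (or PEM file) with the certificate alone cannot answer the
# server's certificate request during the handshake.
p12_has_cert_and_key() {
    certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'PRIVATE KEY-----')
    [ "${certs:-0}" -ge 1 ] && [ "${keys:-0}" -ge 1 ]
}
```

Running p12_has_cert_and_key on a bundle before importing it shows whether the private key was actually included in the export.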
