daz@feb17.org wrote:
On Tue, Sep 09, 2008 at 06:59:10AM -0400, Charles Marcus wrote:
On 9/9/2008, Alan Premselaar (alien@12inch.com) wrote:
Ahh, no, sorry I must have overlooked that part. I'm just using standard self-signed certificates on the server side. Then if this is a 3G iPhone, my last response is the solution.
Sorry for the delay picking this up again - it's been so frustrating I needed to take a break - I have sunk too many hours into it. To answer the various questions:
I was trying this with the original iPhone (I have subsequently tested with the 3G, no difference).
I am using self-signed certs. I am trying to use client certs, not just server certs. I have been emailing p12 attachments via Gmail. My attempts to download the mobileconfig from the webserver weren't successful.
If I understand the various suggestions:
- don't use a self-signed cert (I have made the self-CA and the mail certs slightly different),
I think that is likely to be a red herring. The only thing you get in this circumstance from a commercial cert is (hopefully) rigorous technical correctness in the cert construction and signing. If you want to use client certs, you will have to manage your own PKI to some degree anyway, and that means getting all of the details right *with understanding*, not just finding a cargo-cult fix. I think you are doing the right thing in trying to get this working with your own certs, as that painful process assures that you will gain useful clues.
- make the public CA cert available via webserver (I have installed the root cert via email and that didn't help).
I will try installing the root cert via browser and see if that helps. If that fails, I'll try a proper CA, not self-signed. I'm sceptical that's the problem. If all that fails, I'll just throw security overboard and stick with simple password auth, life is too short. I'd still love an error message that meant something ;)
You may find it easiest to debug the certs using a web server and Safari on the iPhone rather than Dovecot and Mail, because you are likely to be able to instrument it better, get better error descriptions from the client, and be given more options on how to fix the problem.
Since you have CA, server, and client certs, it might help to not think of these as "self-signed" since at most only the CA really is that. The server cert and the client certs are signed by the CA cert, and the only difference between this setup and one using commercial certs is that you have to get your CA cert treated and trusted in the same way as a commercial root CA cert *by both ends*.
Client certs do not really add a great deal of security over just requiring auth to be done inside a TLS session. In some ways they are a security trade-off, rather than a clear improvement. If your PKI and device config processes are not very rigorous, you can end up in a risky circumstance by trusting client certs that you are dropping onto devices that can easily land in the wrong hands. I can say from first-hand experience that the iPhone version of Mail will work with Dovecot using a real self-signed cert and only allowing auth inside an encrypted session, so you do not need to completely throw security overboard.
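The point above that only the CA cert is really self-signed, that the server and client certs are CA-signed, and that the CA must be trusted by both ends (plus the earlier guess that a "slightly different" self-CA might matter) can be checked in code. The Go program below is an added example written for this page, not code from the thread, from Dovecot or from Apple. It builds a private root CA, issues one server cert and one client cert from it, and then runs the verification each side performs. BuildPKI, VerifyClient, VerifyServer, the hostname imap.example.invalid and the user name alice@example.invalid are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds one private root CA plus a server cert and a client cert it issued.
type PKI struct{ CA, Server, Client *x509.Certificate }

// newKey generates a fresh P-256 key; errors are fatal in an example this size.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the issuer's key and returns the parsed certificate.
// Only when tmpl == parent is the result self-signed, which here is the CA alone.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// template builds a certificate body valid for one day; CA and leaf differ by usage bits.
func template(serial int64, cn string, ca bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  eku,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// BuildPKI creates a root CA named after label and signs a server cert and a
// client cert with it. Hostname and user name are constructed for the example.
func BuildPKI(label string) PKI {
	caKey := newKey()
	caTmpl := template(1, label+" Root CA", true)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	srvKey := newKey()
	srvTmpl := template(2, "imap.example.invalid", false, x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{"imap.example.invalid"}
	server := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)

	cliKey := newKey()
	cliTmpl := template(3, "alice@example.invalid", false, x509.ExtKeyUsageClientAuth)
	client := issue(cliTmpl, ca, &cliKey.PublicKey, caKey)
	return PKI{CA: ca, Server: server, Client: client}
}

// pool is a trust store holding exactly the given roots. It is non-nil even when
// empty, because a nil Roots field makes Verify fall back to the system store.
func pool(roots []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, r := range roots {
		p.AddCert(r)
	}
	return p
}

// VerifyClient is the server-side check on a presented client cert: chain to a
// trusted root and confirm the cert is marked for client authentication.
func VerifyClient(cert *x509.Certificate, roots ...*x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool(roots), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// VerifyServer is the client-side check (Mail on the phone) on the server cert:
// trusted root, server-auth usage, and a name matching the host that was dialled.
func VerifyServer(cert *x509.Certificate, host string, roots ...*x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool(roots), DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	mail, other := BuildPKI("mail"), BuildPKI("other") // "other" is a look-alike CA that signed none of these leaves
	fmt.Println("client cert, server trusts the issuing CA:", VerifyClient(mail.Client, mail.CA))
	fmt.Println("client cert, server trusts no CA at all:  ", VerifyClient(mail.Client))
	fmt.Println("client cert, server trusts a different CA:", VerifyClient(mail.Client, other.CA))
	fmt.Println("server cert, phone trusts the issuing CA: ", VerifyServer(mail.Server, "imap.example.invalid", mail.CA))
	fmt.Println("server cert presented as a client cert:   ", VerifyClient(mail.Server, mail.CA))
}
```

Only the first and fourth checks succeed. A client cert fails exactly as the thread observes when the server's trust store lacks the issuing CA, or holds a CA that merely looks like it (a different key pair, however similar the names); the last check shows that a server cert cannot stand in as a client cert, because the extended key usage does not permit it. Each error returned here is the kind of message the thread wished the phone would show.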