[Dovecot] Thunderbird SSL/TLS client authentication fails
Hi,
This is my first post to the list, so greetings to you all!
I am seeking your help with SSL/TLS client authentication.
I currently have the following setup:
Server:
- Debian Squeeze (fully patched)
- OpenSSL 0.9.8o
- Dovecot v2.1.10 (Debian backport package from Wheezy)
- SSL listener on port 993 with the Dovecot selfsigned certificate that was created during installation
- Virtual users (user@domain.net) with password in passwd style file
Client:
- Windows XP SP3 (fully patched)
- Thunderbird 17.0
- IMAP account using "Normal password" authentication
- Roundcube webmail (to be added soon)
This works just fine :)
==> I now want to set Thunderbird to use "TLS certificate" authentication so that I can safely expose port 993 to the internet for mobile use.
The idea is that clients with a trusted client certificate do not need a password so that I can change my password for Roundcube without having to change passwords on other IMAP clients (Roundcube will connect to localhost without SSL).
To do so I did the following:
- use XCA (v0.9.3, Windows version) to setup a private root CA with a CRL
- export root CA certificate and CRL in PEM format and join them into a ca.pem file (order: certificate, CRL)
- configure Dovecot to use the ca.pem file and require a client certificate
- use XCA to generate a private key and certificate for commonName=user@mydomain.net
- import certificate and private key into Thunderbird
- change IMAP account setting in Thunderbird to use "TLS Certificate" authentication
- When prompted, select the imported certificate to be used for authentication.
Unfortunately the authentication fails :(
Using "verbose_ssl=yes" I can see in the Dovecot logfile that Thunderbird connects and that the SSL handshake completes successfully. "Valid certificate" is logged for both client certificate and root CA certificate. This looks "so far so good" to me :)
The Dovecot log has the following lines at the point of failure:
imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [<IP>]
imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [<IP>]
imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=<IP>, lip=<IP>, TLS, session=<ID>
(IP address and TLS session ID removed)
The last log line ("user=<>") suggests that Dovecot does not try to use the commonName from the client certificate as the username even though (I think) I have configured Dovecot to do so.
The relevant lines in the Dovecot configuration are:
<config>
auth_mechanisms = plain
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
disable_plaintext_auth = yes
protocols = imap
ssl = yes
ssl_ca = </etc/dovecot/ssl/ca.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_cert_username_field = commonName
ssl_key = </etc/ssl/private/dovecot.pem
ssl_parameters_regenerate = 0
ssl_require_crl = yes
ssl_verify_client_cert = yes

service imap-login {
  chroot = login
  process_min_avail = 1
  service_count = 1

  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
</config>
Observation: with "auth_ssl_require_client_cert = yes" Dovecot requires Thunderbird to send the client certificate even when Thunderbird uses "Normal password" authentication (authentication only fails if I delete the certificate from Thunderbird). So the SSL part looks OK to me.
It seems that Dovecot is waiting for the client to logon over the established SSL/TLS connection instead of taking the username from the commonName in the certificate.
==> What could be going wrong here?
I can post full config and logfile lines if you want to. Except for some possible oversight on my behalf there is nothing secret in there (I just didn't want to add too many lines to this already long post).
Regards, -Roger
Roger Hunen wrote:
I am seeking your help with SSL/TLS client authentication. Unfortunately the authentication fails :(
http://wiki2.dovecot.org/SSL/DovecotConfiguration states:
"You may also want to disable the password checking completely. Doing this currently circumvents Dovecot's security model so it's not recommended to use it, but it is possible by making the passdb allow logins using any password (typically requiring "nopassword" extra field to be returned)."
See http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
Regards Daniel
On 2012/12/02 22:18, Daniel Parthey wrote:
Roger Hunen wrote:
I am seeking your help with SSL/TLS client authentication. Unfortunately the authentication fails :(
http://wiki2.dovecot.org/SSL/DovecotConfiguration states:
"You may also want to disable the password checking completely. Doing this currently circumvents Dovecot's security model so it's not recommended to use it, but it is possible by making the passdb allow logins using any password (typically requiring "nopassword" extra field to be returned)."
This sounded like a bad idea at first as it would allow webmail users to logon without entering a password. However, your suggestion made me think (and go!) in a direction that I would not have gone on my own.
Thank you for that!
First things first: the solution/workaround :)
Create two passwd style files
- mailusers.143 with password and without 'nopassword' extra field
- mailusers.993 without password but with 'nopassword' extra field
Configure a passdb (driver=passwd-file) that selects the password database file using the %a variable (local port): mailusers.%a
My Dovecot setup now:
- does not require a valid password for connections to the imaps port (993); the username is taken from the certificate that is issued by a trusted CA.
- does require a password for connections to the imap port (143).
Currently the system supports very few users, so working with two passwd files is not a problem. For the future I plan to use a mysql database with two different queries on the same table based on the local port number.
For those who are interested: read on for some more findings...
As far as I can tell (from docs and source) Dovecot supports only username/password based authentication schemes. There is no such thing as certificate based authentication (unless I have overlooked something or it is undocumented).
Even if 'auth_ssl_username_from_cert=yes' Dovecot will only take the username from the certificate if the client sends username and password to logon.
When configured to use "TLS Certificate" authentication Thunderbird will not send a username/password to logon. Thunderbird considers the authentication done once the SSL handshake has completed. Given the above this is a recipe for failure.
With 'auth_ssl_username_from_cert=yes' Dovecot will ignore the given username and use the designated field in the certificate instead (usually commonName). Together with the 'nopassword' extra field a certificate based authentication scheme can be implemented. The client must be configured to use username and password (which will be completely ignored by Dovecot as intended in such a setup).
Dovecot will log an error if a passwd file record has a non-empty password and the 'nopassword' extra field is present. Either can be present but not both.
Dovecot will log an error "input is missing end-of-settings line" if the configuration contains a setting with a name that is not valid in the given context. Something like "Invalid setting 'x' at line y" would be more helpful to pinpoint the problem.
Dovecot documentation is sparse in many respects which makes it difficult to use Dovecot to its full potential. I realize though that resources are at a premium and that writing documentation is not everybody's cup of tea. From a documentation point of view Exim4 is an excellent example.
Regards, -Roger
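For readers who want to reproduce the port-keyed passwd-file setup described above, here is an added configuration example. It is not from the thread or from the Dovecot project; it combines the SSL settings Roger posted with the passdb and the two passwd-style files from his workaround. The file paths under /etc/dovecot, the user entry and the password hash are assumed placeholders, and the userdb side of the account is not covered.

```conf
# /etc/dovecot/conf.d/10-auth.conf (fragment; path is an assumption)

# Client certificate handling as posted in the thread: demand a certificate
# signed by the private CA, honour its CRL, and take the login name from
# the certificate's commonName instead of the name the client sends.
ssl = yes
ssl_ca = </etc/dovecot/ssl/ca.pem
ssl_require_crl = yes
ssl_verify_client_cert = yes
ssl_cert_username_field = commonName
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

# %a expands to the local port of the connection, so a login on port 993
# is checked against mailusers.993 and a login on port 143 against
# mailusers.143. The two files differ only in the password column.
passdb {
  driver = passwd-file
  args = /etc/dovecot/mailusers.%a
}

# /etc/dovecot/mailusers.143 -- port 143: a real password is required.
# passwd-file record layout: user:password:uid:gid:gecos:home:shell:extra
# The hash below is a constructed placeholder, not a real credential.
user@mydomain.net:{SHA512-CRYPT}$6$PLACEHOLDER$PLACEHOLDER

# /etc/dovecot/mailusers.993 -- port 993: password column left empty,
# 'nopassword' extra field makes Dovecot accept whatever the client sends.
# A record must not carry both a password and 'nopassword' (Dovecot logs
# an error for that), which is why the two files are kept separate.
user@mydomain.net:::::::nopassword
```

With this in place the client stays on "Normal password" authentication on port 993: Dovecot replaces the submitted username with the certificate's commonName and the nopassword field accepts the submitted password, exactly as the findings above describe. The security of the 993 path then rests entirely on auth_ssl_require_client_cert, ssl_verify_client_cert and the CRL check, so those three settings must not be relaxed on that listener, and the nopassword file must only ever be selected for the port on which the certificate check is enforced.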