Re: Sending mail with SSL/TLS



On Tue Sep  9 00:53:37 2003 Gerardo Ballabio wrote:

> Thank you for your kind help. Unfortunately, despite your very 
> detailed instructions, I haven't been able to solve my problem yet. 
> May I bother you again?

Of course. One thing I forgot to mention last time is that I'm using Balsa 
version 1.4.4 and libesmtp version 0.8.12.

...
> I've tried both server and client, but neither worked.
> 
> For the server, I was told by someone that, rather than the server's 
> own certificate, I should use that of the Certification Authority who 
> has signed it. Does that make sense to you? (I tried several trusted 
> certificates that come with Debian, but had no success.)

Yes, that is correct. Sorry, I didn't check my setup carefully enough. 
I think the CA in this case will be the CA that signed the smtp 
server's certificate - in the setup here I just have a CA I created 
myself which signed the sendmail (smtp) certificate (and also IMAP 
certificate for using IMAPS), and it's that CA certificate I have in my 
.authenticate/ca.pem file.

> The server's certificate that I was able to obtain only has a BEGIN 
> CERTIFICATE ... END CERTIFICATE section. I understand that the RSA 
> PRIVATE KEY section is only needed for a client certificate, since I 
> don't think that a server may distribute its private key.

That sounds correct.

> For the client, I tried with a certificate that I generated myself, 
> and wasn't signed by any authority. Is that the problem? Must I get a 
> CA-signed certificate? (I can't believe it, how could Mozilla work 
> then?)

Did you look in the Certificate Management part of Mozilla to see what 
certificates were there? And possibly try exporting certificates from 
there to use with balsa? I'm not really sure what needs to be done in 
this situation as I had the liberty to set up all the certificate stuff 
myself here.

> And, you aren't saying that you are using BOTH a client AND a server 
> certificate at the same time, are you? (Tried that too, didn't work.)

It seems that Brian Stafford would be better able to answer some of 
this as it's the libesmtp library that does the TLS stuff. But... I am 
using a client certificate which implies I need the CA certificate, 
hmmm, maybe the CA needs to be the CA that signed the client 
certificate!

> I'm willing to look into the internals of Balsa, if this helps. (I do 
> have some programming ability.) To start, I guess I should find out 
> at what point exactly the authentication procedure is failing. (The 
> reject message from the server isn't very informative.) Are there any 
> debugging flags that I could turn on in order to trace it?

Like I said, it's actually in libesmtp you'll need to look if it comes 
to that. Hopefully someone else will have something to contribute 
first. I'm afraid it's a fairly specific setup I implemented here which 
isn't matching what you need to do.

> <FeatureRequest>
> Why should I bother at all with downloading certificates and putting 
> them in specific places? Every other mail client seems to handle that 
> automatically. Balsa too!
> </FeatureRequest>

Ditto. Except that you do need to install your client certificate 
manually _if_ you're using one.

Glenn
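
The exchange above turns on which PEM sections a file contains: a CA or server certificate file holds only BEGIN CERTIFICATE blocks, while a client credential also needs its private key. The following is an added example, not part of the original message and not Balsa or libesmtp code; it classifies a PEM file by its section labels only (no signature or chain validation), and the sample data and function names are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN label, body, and the matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def pem_sections(text):
    """Return the labels of all well-formed PEM blocks, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop "Proc-Type:" / "DEK-Info:" header lines of encrypted legacy keys.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # damaged block: body is not valid base64
        labels.append(label)
    return labels

def classify(text):
    """Say what a PEM file can serve as, judged by its sections alone."""
    labels = pem_sections(text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(l.endswith("PRIVATE KEY") for l in labels)
    if has_cert and has_key:
        return "client-credential"        # certificate plus its private key
    if has_cert:
        return "certificate-only"         # shape expected of a CA/trust file
    if has_key:
        return "key-without-certificate"  # key alone cannot be presented
    return "no-usable-pem"

def _block(label, payload):
    """Build a constructed PEM block (payload is NOT real DER)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples standing in for a CA file and a client credential file.
SAMPLE_CA = _block("CERTIFICATE", b"constructed CA bytes")
SAMPLE_CLIENT = (_block("CERTIFICATE", b"constructed client cert")
                 + _block("RSA PRIVATE KEY", b"constructed key bytes"))

if __name__ == "__main__":
    for name, data in (("ca", SAMPLE_CA), ("client", SAMPLE_CLIENT)):
        print(name, pem_sections(data), classify(data))
```

A file meant as the CA trust file that classifies as "client-credential" is carrying a private key it should not contain.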


