Hi everyone.

During the initial implementation of evolution-kolab [0] back in the 2.30 days, we evaluated [1] the chances of securing the protocols used to talk to the Kolab server (IMAP, SMTP, HTTP, LDAP) via TLS and having the server request that the client authenticate itself via a client certificate retrieved from a trusted platform module (TPM) or a software emulation of a TPM. We got this working for the IMAP, SMTP and HTTP protocols [2], involving the Mozilla NSS library and a PKCS #11 software stack (opencryptoki [3] and trousers [4]). However, we ultimately failed back then to secure the LDAP connection that way.

The OpenLDAP [5] protocol library as used in Evolution relies on GnuTLS [6] for transport layer security. In contrast to NSS, GnuTLS requires the library on top of it (OpenLDAP in our case) or the application using both (Evolution in our case) to deal with security details. In order to access a TPM, a user PIN needs to be provided via a callback function. This is all NSS requires, as it handles locating the certificate in an opened TPM all by itself, depending on the connection type and peer. OpenLDAP up to and including version 2.4.25 (and newer 2.4 series releases, I believe, since this is a stable series) does not support this, and we did not succeed in building OpenLDAP with proper NSS support.

GnuTLS, as a replacement for NSS, adds another layer of complication to the matter. Aside from the TPM user PIN, it requires the higher-level software to explicitly locate the correct client certificate for the connection to be established inside the TPM (or a software emulation thereof) via so-called "PKCS #11 URIs". There is no RFC for these URIs, only a draft, the latest of which [7] expired in September 2012. NSS hides these details, but the OpenLDAP people did not seem keen on supporting NSS for transport layer security when we inquired back in 2010 [8]. AFAICT, there has not been a change in that regard so far.
My question now (for documenting the status quo) is whether anyone is currently working on getting certificate-based client authentication utilizing a TPM flying in Evolution for OpenLDAP+GnuTLS at present, or whether there are any plans to support this use case in the near future.

Kind regards, and looking forward to receiving your thoughts on the matter,

Christian

[0] https://live.gnome.org/Evolution/Kolab
[1] https://mail.gnome.org/archives/evolution-hackers/2010-July/msg00076.html
[2] http://sourceforge.net/projects/evolution-kolab/files/Usage_of_software_security_devices_for_client_authentication.pdf/download
[3] http://sourceforge.net/projects/opencryptoki/
[4] http://trousers.sourceforge.net/
[5] http://www.openldap.org/
[6] http://www.gnu.org/software/gnutls/gnutls.html
[7] https://tools.ietf.org/html/draft-pechanec-pkcs11uri-06
[8] http://www.openldap.org/lists/openldap-technical/201009/msg00350.html

-- 
kernel concepts GmbH              Tel: +49-271-771091-14
Sieghuetter Hauptweg 48
D-57072 Siegen
http://www.kernelconcepts.de/
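To make concrete what "locating the client certificate via a PKCS #11 URI in an explicit manner" asks of the application, here is an added example (not code from evolution-kolab, Evolution, OpenLDAP or GnuTLS) that parses such a URI and resolves it against the objects of a token. The grammar follows RFC 7512, which in 2015 superseded the expired draft-pechanec-pkcs11uri series cited above; the token and object records are constructed sample data, not output of a real PKCS #11 module, and the names `kolab-client`, `softhsm` and the pin-source path are assumptions for illustration. Two points the mail leaves implicit are shown: an attribute omitted from the URI matches any value, so an under-specified URI can name several objects and must be treated as ambiguous, and a PIN embedded in the URI (`pin-value`) ends up in cleartext configuration, which is why a PIN callback or `pin-source` is preferable.

```python
"""Parse PKCS #11 URIs (RFC 7512 syntax) and select a client certificate with them.

Added example; not part of the original mail or of any project it mentions.
The token contents at the bottom are constructed sample data.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names allowed in the path (';'-separated) and query ('&'-separated)
# components, per RFC 7512 section 2.3.  Vendor-specific names, which the RFC
# also permits, are rejected here to keep the example strict.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model",
    "library-manufacturer", "library-description", "library-version",
    "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
TYPE_VALUES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {attribute: value}; 'id' is bytes (raw CKA_ID), everything else str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}

    def take(component, sep, allowed):
        if not component:
            return
        for item in component.split(sep):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"bad attribute {item!r}")
            if name in attrs:
                raise ValueError(f"attribute {name!r} given twice")
            # 'id' carries arbitrary bytes; all other values are percent-encoded UTF-8
            attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)

    take(path, ";", PATH_ATTRS)
    take(query, "&", QUERY_ATTRS)
    if "type" in attrs and attrs["type"] not in TYPE_VALUES:
        raise ValueError(f"unknown type {attrs['type']!r}")
    return attrs


def matching_objects(uri_attrs: dict, objects: list) -> list:
    """Objects whose attributes agree with every path attribute in the URI.

    Query attributes (pin-source, module-name, ...) describe how to reach the
    token and are not matched.  An attribute absent from the URI matches any
    value, so a sparse URI may return more than one object.
    """
    return [
        obj for obj in objects
        if all(obj.get(name) == value
               for name, value in uri_attrs.items() if name in PATH_ATTRS)
    ]


def select_client_cert(uri: str, objects: list) -> dict:
    """Resolve a URI to exactly one object, refusing cleartext PINs and ambiguity."""
    attrs = parse_pkcs11_uri(uri)
    if "pin-value" in attrs:
        # A literal PIN in the URI lands in config files and logs; a PIN
        # callback (as the mail describes) or pin-source keeps it out.
        raise ValueError("refusing URI that embeds the PIN in cleartext")
    hits = matching_objects(attrs, objects)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} objects match {uri!r}")
    return hits[0]


# Constructed sample token (assumed label "softhsm"): a certificate/private-key
# pair for the Kolab client plus one unrelated certificate.
TOKEN_OBJECTS = [
    {"token": "softhsm", "object": "kolab-client", "type": "cert",    "id": b"\x01"},
    {"token": "softhsm", "object": "kolab-client", "type": "private", "id": b"\x01"},
    {"token": "softhsm", "object": "vpn",          "type": "cert",    "id": b"\x02"},
]

if __name__ == "__main__":
    uri = ("pkcs11:token=softhsm;object=kolab-client;type=cert;id=%01"
           "?pin-source=file:/run/user/1000/pin")
    print(select_client_cert(uri, TOKEN_OBJECTS))
    # Only token and type given: both certificates match, so this is ambiguous.
    sparse = parse_pkcs11_uri("pkcs11:token=softhsm;type=cert")
    print(len(matching_objects(sparse, TOKEN_OBJECTS)))
```

The same matching rule is what a library such as GnuTLS applies when handed a URI: it walks the objects visible through the PKCS #11 module and keeps those whose attributes agree with the URI, which is exactly the step NSS performs on its own and that the mail says the application has to do itself on the GnuTLS side.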