Re: [Evolution] smtp/ssl



Well, I don't see any API for sending a certificate to the server. Nor
do I even see a way for me to figure out which cert *to* send to the
server.

So... this leads me to believe that the Mozilla nss libs are meant to
do this of their own accord. This means that you probably need to import
your client cert into the dbs and then things will "Just Work (tm)".

Jeff

On Mon, 2003-01-27 at 11:33, Kristoff Bonne wrote:
Greetings,


Jeffrey Stedfast wrote:
>> Evolution has the possibility to use TSL (SSL) for both IMAP and SMTP; but
>> I have problems with sendmail mail over a TSL link.
>> When I set up 'TSL/SSL' in the SMTP-configuration module, the TSL seems
>> to fail. (I actually get this:
>>
>> Received: from freya.belbone.net ([192.168.252.55]) by
>>       ossmail1.sunmail.belbone.net. (8.12.7/8.12.2) with ESMTP id
>> h0MDXft5008821
>>       (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for
>>       <kristoff belbone net>; Wed, 22 Jan 2003 14:33:41 +0100 (CET)
>> (Note the 'verify=NO').
>>
>> It looks like there seems to be a TSL-problem between evolution (on the
>> mail-client, a mandrake 8.0 linux-box) and sendmail (on the mail-server,
>> a solaris 9).
>
> I have no idea what that means, but it's nothing you should worry
> about presumably.


OK. I finally got some extra time to look at this. I've increased the
log-level on sendmail and this is what I get in my logfile:


A session from evolution:
Jan 27 16:42:56 ossmail1 NOQUEUE: connect from [192.168.252.55]
(...)
Jan 27 16:42:56 ossmail1 h0RFgu9e027122: <-- STARTTLS
Jan 27 16:42:56 ossmail1 h0RFgu9e027122: --- 220 2.0.0 Ready to start TLS
Jan 27 16:42:57 ossmail1 STARTTLS=server, get_verify: 0 get_peer: 0x0
Jan 27 16:42:57 ossmail1 STARTTLS=server, relay=[192.168.252.55], 
version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Jan 27 16:42:57 ossmail1 STARTTLS=server, cert-subject=, cert-issuer=



This is a session from a box running the mozilla mail-client:
Jan 27 16:39:25 ossmail1 NOQUEUE: connect from [192.168.49.2]
(...)
Jan 27 16:42:56 ossmail1 h0RFgu9e027122: <-- STARTTLS
Jan 27 16:42:56 ossmail1 h0RFgu9e027122: --- 220 2.0.0 Ready to start TLS
Jan 27 16:42:57 ossmail1 STARTTLS=server, get_verify: 0 get_peer: 0x0

Jan 27 16:39:25 ossmail1 STARTTLS=server, relay=[192.168.49.2], 
version=TLSv1/SSLv3, verify=OK, cipher=RC4-MD5, bits=128/128
Jan 27 16:39:25 ossmail1 STARTTLS=server, 
cert-subject=/C=BE/ST=Some-State/L=Bredene/O=belgacom/OU=ANS-ROC+20Expert-Center+20Data/CN=Kristoff+20Bonne+20+28person+29/Email=kristoff
 bel, 
cert-issuer=/C=BE/ST=Brussels+20Capital+20Region/L=Brussels/O=Belgacom/OU=ANS-ROC+20Expert+20Center+20Data/CN=kristoff+20Bonne/Email=kristof


Mind the 'get_peer:' line.

I've checked online archives from comp.mail.sendmail, and -according to the
messages in there- this means that the mail-client does not present a
certificate to the TLS server.
(There has been a similar problem with certain versions of outlook which
didn't present a certificate either).


So, the problem is completely on the side of the application that initiates
the TLS-session. (Hence, -in this case- the evolution mail-client).




>> Well, for me, it's important there is an option in sendmail which allows
>> relaying of messages to be linked to whether the connection was TSL
>> validated or not.
>
> agh! stop calling it TSL, it's TLS - Transport Security Layer. :-)

OK; I get it. (I'm going to write 1000 times "TLS" on the white-board in
the corner, OK?)



>> this could be useful
>> for mail, like for SMTP-servers. Sendmail actually gets two certificates:
>> one for 'client' sessions and one for 'server' sessions. (These can be
>> identical but this doesn't have to be the case).
>
> mail protocols do not use client-ssl-certs, just like they are not used
> for HTTP.

Well, they are used in other mail-clients; and mail-servers (like 
sendmail) can be set up to relay messages only when you use a 
certificate that has been issued by certain users.


> Jeff
Cheerio! Kr. Bonne.
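The two sendmail sessions quoted in this thread differ only in the verify= and cert-subject= fields, which is how the server records whether the client presented a certificate. As an added example (not code from the thread, from Evolution or from sendmail), here is a small Python parser that reads STARTTLS=server log lines, undoes the +XX escaping visible in the quoted cert-subject fields, and lists the relays that negotiated TLS without a verified client certificate. The sample log lines are constructed on the model of the quoted ones, and the regexes assume each relay= and cert-subject= record sits on a single line as it does in syslog (the mail wrapping seen above is not handled).

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the two sessions quoted in the thread:
# the first client negotiated TLS without a certificate, the second sent one.
SAMPLE_LOG = """\
Jan 27 16:42:57 ossmail1 STARTTLS=server, relay=[192.168.252.55], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Jan 27 16:42:57 ossmail1 STARTTLS=server, cert-subject=, cert-issuer=
Jan 27 16:39:25 ossmail1 STARTTLS=server, relay=[192.168.49.2], version=TLSv1/SSLv3, verify=OK, cipher=RC4-MD5, bits=128/128
Jan 27 16:39:25 ossmail1 STARTTLS=server, cert-subject=/C=BE/O=belgacom/CN=Kristoff+20Bonne+20+28person+29, cert-issuer=/C=BE/O=Belgacom/CN=kristoff+20Bonne
"""

RELAY_RE = re.compile(r"STARTTLS=server, relay=\[?([^\],]+)\]?, version=([^,]+), "
                      r"verify=([^,]+), cipher=([^,]+), bits=(\S+)")
CERT_RE = re.compile(r"STARTTLS=server, cert-subject=(.*?), cert-issuer=(.*)$")

@dataclass
class TlsSession:
    relay: str
    verify: str
    cipher: str
    bits: str
    cert_subject: str = ""
    cert_issuer: str = ""

def xtext_decode(s):
    """Undo the +XX hex escaping seen in the logged DN fields (+20 -> space)."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_starttls_log(text):
    """Pair each relay= line with the cert-subject= line that follows it."""
    sessions = []
    for line in text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            relay, _version, verify, cipher, bits = m.groups()
            sessions.append(TlsSession(relay, verify, cipher, bits))
            continue
        m = CERT_RE.search(line)
        if m and sessions:  # attach the DN fields to the most recent session
            sessions[-1].cert_subject = xtext_decode(m.group(1))
            sessions[-1].cert_issuer = xtext_decode(m.group(2))
    return sessions

def relays_without_client_cert(text):
    """Relays that completed STARTTLS but presented no verified client certificate."""
    return [s.relay for s in parse_starttls_log(text)
            if not (s.verify == "OK" and s.cert_subject)]
```

On the constructed sample this reports only 192.168.252.55, the host whose session carried verify=NO and an empty cert-subject, which is the condition a relay-by-certificate policy would refuse.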



