Bug 270893 - PATCH: Support client certificates for IMAP
Status: RESOLVED FIXED
Product: evolution-data-server
Classification: Platform
Component: Mailer
Version: 2.28.x (obsolete)
Hardware: Other
OS: All
Importance: Normal enhancement
Target Milestone: Future
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2004-12-30 18:28 UTC by Craig Ringer
Modified: 2013-09-14 16:52 UTC
See Also:
GNOME target: ---
GNOME version: 2.25/2.26


Attachments
Patch to enable TLS/SSL client certificate support in e-d-s (IMAP/SMTP/POP3 etc) (1012 bytes, patch) - 2009-06-09 08:20 UTC, Craig Ringer - status: none
Evo talking TLS after successful client cert negotiation (114.25 KB, application/octet-stream) - 2009-06-09 08:21 UTC, Craig Ringer
Updated patch against 2.27.90 (1.03 KB, patch) - 2009-08-21 12:05 UTC, Craig Ringer - status: committed

Description Craig Ringer 2004-12-30 18:28:18 UTC
It would be fantastic if Evolution would support sending client certificates when establishing IMAP+TLS sessions.

Currently, it seems to treat the server's demand for a client certificate as a negotiation failure and reports the error:

----
Error while Scanning folders in "IMAP server ${SERVERNAME}".

Failed to connect to IMAP server ${SERVERNAME} in secure mode: SSL negotiations failed.
----

I _have_ installed my client certificate, and evolution appears to accept it for signing and encrypting mail.

Both my cert and the server cert are signed by the same CA (a self-signed CA operated for work). The same certificates work correctly in Mozilla Thunderbird, setting up a two-way authenticated SSL session for IMAP. I _HAVE_ tried editing the imported CA certificate to mark it trusted for all listed uses; this did not help.

I can only conclude, with the lack of any other information, that evo does not handle client certificates.

As Evo 2.x has the X.509 certificate handling infrastructure to support client certificates now, it would seem ideal to add that support. Client certificates provide a very nice and quite simple way for companies to provide secure remote access to their mail servers for employees, including IMAP, POP, and SMTP.
Comment 1 Craig Ringer 2009-06-09 05:13:03 UTC
related: bug #273869, bug #334021, bug #585214, bug #534219
Comment 2 Craig Ringer 2009-06-09 05:16:46 UTC
related: bug 507801, bug 334021.
Comment 3 Craig Ringer 2009-06-09 08:18:56 UTC
If Camel is built against NSS instead of gnutls, it's a one-line change to get client certificate auth working. The S/MIME certificate store is used for client certificates, which is an appropriate default (though using gnome-keyring for BOTH would be better in the long run).

Patch to e-d-s trunk attached, along with a tcpdump showing Evolution talking to my TLS-enabled IMAP and SMTP servers, neither of which will talk to a client without a client cert, and were rejecting communication with Evolution prior to this change with an error reporting that SSL negotiations failed.
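As an added illustration (not Craig's attached patch, which is not reproduced here), the following Go program builds both sides of the situation the report describes: a server that refuses any client that does not present a certificate, and a client that receives the greeting only once it offers one. Every certificate, name and the IMAP greeting is constructed test material; no real IMAP stack is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)
// selfSigned mints a throwaway self-signed cert and a pool trusting only it (constructed test material, not a real CA).
func selfSigned(cn string, usage x509.ExtKeyUsage, dns ...string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool(); pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Connect runs a loopback server that, like the reporter's IMAP server, refuses clients without a certificate,
// against a client that offers one or (like Evolution before the patch) does not. Returns the greeting or the error.
func Connect(presentClientCert bool) (string, error) {
	serverCert, serverPool := selfSigned("imap.example.test", x509.ExtKeyUsageServerAuth, "imap.example.test")
	clientCert, clientPool := selfSigned("alice", x509.ExtKeyUsageClientAuth)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientPool}) // demand AND verify the client cert
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // server side: Write drives the handshake, which aborts when no acceptable client cert arrives
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("* OK IMAP4rev1 ready\r\n")) // constructed greeting, only sent after a good handshake
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: serverPool, ServerName: "imap.example.test"}
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{clientCert} // the client-side ingredient the report asks for
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return "", err }
	defer conn.Close()
	greeting, err := io.ReadAll(conn) // under TLS 1.3 the server's rejection surfaces on this first read
	return string(greeting), err
}
```

Without the client certificate the client sees a TLS alert instead of the greeting, which is the generic "SSL negotiations failed" symptom the report quotes.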
Comment 4 Craig Ringer 2009-06-09 08:20:12 UTC
Created attachment 136189 [details] [review]
Patch to enable TLS/SSL client certificate support in e-d-s (IMAP/SMTP/POP3 etc)
Comment 5 Craig Ringer 2009-06-09 08:21:20 UTC
Created attachment 136190 [details]
Evo talking TLS after successful client cert negotiation
Comment 6 Craig Ringer 2009-06-09 08:27:19 UTC
Note that the e-d-s patch will only work if e-d-s is built with NSS. If e-d-s is built to use GnuTLS, client certs still won't work.

Unlike NSS, GnuTLS doesn't provide certificate management infrastructure, and it doesn't have any way to locate a client certificate. It cannot read the NSS certificate store. Supporting client certificates with GnuTLS would probably involve work to enable the use of gnome-keyring's PKCS#11 infrastructure.
Comment 7 Craig Ringer 2009-06-10 02:40:14 UTC
See bug 585300 for instructions on getting Evolution to read certificates from gnome-keyring's certificate store. It's trivial, and doesn't even require code changes to evolution.
Comment 8 Craig Ringer 2009-06-10 03:22:51 UTC
For GnuTLS, it looks like the best option would be to wait for GnuTLS to add support for using PKCS#11 provider modules. This would make it as simple and automatic as for NSS, and would allow trivial use of providers like gnome-keyring's PKCS#11 provider, smart card PKCS#11 providers, etc.

Mainline GnuTLS does not presently contain PKCS#11 module support. There is work in progress on this, though:

http://alon.barlev.googlepages.com/gnutls-pkcs11

In the meantime, if E-D-S is built to use NSS it'll happily use PKCS#11 providers.
Comment 9 Craig Ringer 2009-06-10 03:40:25 UTC
Another reference re GnuTLS and PKCS#11: http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001496.html
Comment 10 Craig Ringer 2009-06-25 12:10:19 UTC
If you want to patch debs yourself:

mkdir $HOME/tmp
cd $HOME/tmp
sudo apt-get build-dep evolution-data-server
sudo apt-get install fakeroot devscripts
apt-get source evolution-data-server
cd evolution-data-server-*
wget -O - http://bugzilla.gnome.org/attachment.cgi?id=136189 | patch -p0
debuild -tc -j2

... then install the deb packages generated in $HOME/tmp

If you want to prevent these from being automatically overwritten next time you upgrade or install updates, the following code snippet when run in $HOME/tmp will add all debs there to apt's pin list. Remember to remove them from /etc/apt/preferences when the time comes to upgrade, though.

for f in *.deb; do
  # Extract the package's control files into ./DEBIAN (overwritten on each iteration)
  dpkg-deb -e "$f"
  # Turn the control file into a three-line apt preferences stanza:
  #   Package: <name> / Pin: version <version> / Pin-Priority: 1001
  # 'D' discards every other line, so only the pinned lines reach the output.
  sed -e '/^Package: / p' \
      -e '/^Version: / s/Version: \(.*\)$/Pin: version \1 origin=""/p' \
      -e '/^Pin: / aPin-Priority: 1001' \
      -e 'D' \
      DEBIAN/control
  echo  # blank line separates stanzas
done | sudo tee -a /etc/apt/preferences
Comment 11 Akhil Laddha 2009-08-21 04:30:48 UTC
Matt, Milan, is anyone up for review? tia :-)
Comment 12 Milan Crha 2009-08-21 07:14:21 UTC
I cannot test the patch fully, but I believe Craig that it works. It works fine for my SSL IMAP accounts, thus no bad impact on the actual behaviour. It's good for master and gnome-2-28, from my point of view. Let Matt have the last word.
Comment 13 Craig Ringer 2009-08-21 12:05:19 UTC
Created attachment 141322 [details] [review]
Updated patch against 2.27.90

Attached: utterly trivially updated patch against 2.27.90. No functional lines of code changed. Re-tested successfully against 2.27.90 (as expected given the lack of changes in this area).

No need to believe me re it working, though - the attached libpcap packet trace shows successful negotiation occurring.
Comment 14 Craig Ringer 2009-09-13 10:48:34 UTC
Any chance of seeing this applied?
Comment 15 Milan Crha 2009-09-16 11:03:46 UTC
Ouch, the code is under freeze now; the nearest possible release is 2.28.1.
Comment 16 Akhil Laddha 2009-09-23 10:13:35 UTC
Craig, could you please commit the patch now in stable as well as in master, tia.
Comment 17 Craig Ringer 2009-09-24 05:03:41 UTC
Akhil: I don't have any sort of commit rights to evo, so I don't have that option.