GNOME Bugzilla – Bug 270893
PATCH: Support client certificates for IMAP
Last modified: 2013-09-14 16:52:54 UTC
It would be fantastic if Evolution would support sending client certificates when establishing IMAP+TLS sessions. Currently, it seems to treat the server's demand for a client certificate as a negotiation failure and reports the error:

----
Error while Scanning folders in "IMAP server ${SERVERNAME}".
Failed to connect to IMAP server ${SERVERNAME} in secure mode: SSL negotiations failed.
----

I _have_ installed my client certificate, and evolution appears to accept it for signing and encrypting mail. Both my cert and the server cert are signed by the same CA (a self-signed CA operated for work). The same certificates work correctly in Mozilla Thunderbird, setting up a two-way authenticated SSL session for IMAP. I _HAVE_ tried editing the imported CA certificate to mark it trusted for all listed uses; this did not help. I can only conclude, with the lack of any other information, that evo does not handle client certificates. As Evo 2.x has the X.509 certificate handling infrastructure to support client certificates now, it would seem ideal to add that support. Client certificates provide a very nice and quite simple way for companies to provide secure remote access to their mail servers for employees, including IMAP, POP, and SMTP.
related: bug #273869, bug #334021, bug #585214, bug #534219
related: bug 507801, bug 334021.
If Camel is built against NSS instead of gnutls, it's a one-line change to get client certificate auth working. The S/MIME certificate store is used for client certificates, which is an appropriate default (though using gnome-keyring for BOTH would be better in the long run). Patch to e-d-s trunk attached, along with a tcpdump showing Evolution talking to my TLS-enabled IMAP and SMTP servers, neither of which will talk to a client without a client cert, and were rejecting communication with Evolution prior to this change with an error reporting that SSL negotiations failed.
Created attachment 136189 [details] [review] Patch to enable TLS/SSL client certificate support in e-d-s (IMAP/SMTP/POP3 etc)
Created attachment 136190 [details] Evo talking TLS after successful client cert negotiation
Note that the e-d-s patch will only work if e-d-s is built with NSS. If e-d-s is built to use GnuTLS, client certs still won't work. Unlike NSS, GnuTLS doesn't provide certificate management infrastructure, and it doesn't have any way to locate a client certificate. It cannot read the NSS certificate store. Supporting client certificates with GnuTLS would probably involve work to enable the use of gnome-keyring's PKCS#11 infrastructure.
See bug 585300 for instructions on getting Evolution to read certificates from gnome-keyring's certificate store. It's trivial, and doesn't even require code changes to evolution.
For GnuTLS, it looks like the best option would be to wait for GnuTLS to add support for using PKCS#11 provider modules. This would make it as simple and automatic as for NSS, and would allow trivial use of providers like gnome-keyring's PKCS#11 provider, smart card PKCS#11 providers, etc. Mainline GnuTLS does not presently contain PKCS#11 module support. There is work in progress on this, though: http://alon.barlev.googlepages.com/gnutls-pkcs11 In the meantime, if E-D-S is built to use NSS it'll happily use PKCS#11 providers.
Another reference re GnuTLS and PKCS#11: http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001496.html
If you want to patch debs yourself:

    mkdir $HOME/tmp
    cd $HOME/tmp
    sudo apt-get build-dep evolution-data-server
    sudo apt-get install fakeroot devscripts
    apt-get source evolution-data-server
    cd evolution-data-server-*
    # apply the patch from attachment 136189 to the unpacked source
    wget -O - http://bugzilla.gnome.org/attachment.cgi?id=136189 | patch -p0
    debuild -tc -j2

... then install the deb packages generated in $HOME/tmp.

If you want to prevent these from being automatically overwritten next time you upgrade or install updates, the following code snippet, when run in $HOME/tmp, will add all debs there to apt's pin list. Remember to remove them from /etc/apt/preferences when the time comes to upgrade, though.

    for f in *.deb; do
        # extract the control file of each package into ./DEBIAN/
        dpkg-deb -e "$f"
        # emit a pin stanza: Package, Pin (exact version), Pin-Priority
        sed -e '/^Package: / p' \
            -e '/^Version: / s/Version: \(.*\)$/Pin: version \1 origin=""/ p' \
            -e '/^Pin: / aPin-Priority: 1001' \
            -e 'D' \
            DEBIAN/control
        echo
    done | sudo tee -a /etc/apt/preferences
Matt, Milan, is anyone up for review? tia :-)
I cannot test the patch fully, but I believe Craig that it works. It works fine for my SSL IMAP accounts, thus there is no bad impact on the actual behaviour. It's good for master and gnome-2-28, from my point of view. Let Matt have the last word.
Created attachment 141322 [details] [review] Updated patch against 2.27.90
Attached: utterly trivially updated patch against 2.27.90. No functional lines of code changed. Re-tested successfully against 2.27.90 (as expected given lack of changes in this area). No need to believe me re it working though - the attached libpcap packet trace shows successful negotiation occurring.
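Both the tcpdump attached with the first patch and the libpcap trace attached with the updated one are offered as proof that the client certificate was actually negotiated. The script below is an added example, not part of this bug, of e-d-s or of any attachment; it shows what a reviewer would look for in such a trace: on the server-to-client side a TLS CertificateRequest handshake message (type 13) listing the CA names the server accepts, and on the client-to-server side a Certificate message (type 11) whose certificate list is not empty. It parses TLS 1.0 to 1.2 handshake records from raw bytes and handles the TLS 1.2 signature-algorithms field that TLS 1.0/1.1 requests lack. The two flights, the CA name and the certificate bodies are constructed placeholders (a real capture carries DER-encoded names and certificates), and it assumes the two directions have already been separated, e.g. by filtering on address when extracting the TCP payload.

```python
import struct

HANDSHAKE_RECORD = 0x16          # TLS record content type "handshake"
HS_CERTIFICATE = 11              # handshake message types (RFC 5246)
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14
TLS10, TLS12 = 0x0301, 0x0303


def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        off += 5 + length


def iter_handshakes(payload):
    """Yield (handshake_type, body) for each handshake message in a record payload."""
    off = 0
    while off + 4 <= len(payload):
        htype = payload[off]
        hlen = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + hlen]
        if len(body) < hlen:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + hlen


def parse_certificate(body):
    """Certificate message: 3-byte list length, then 3-byte-prefixed DER certs."""
    end = 3 + int.from_bytes(body[:3], "big")
    certs, off = [], 3
    while off + 3 <= end:
        clen = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def parse_certificate_request(body, version):
    """CertificateRequest: cert types, (TLS 1.2 only) signature algorithms, CA names."""
    ntypes = body[0]
    cert_types = list(body[1:1 + ntypes])
    off = 1 + ntypes
    if version >= TLS12:                      # skip supported_signature_algorithms
        off += 2 + int.from_bytes(body[off:off + 2], "big")
    end = off + 2 + int.from_bytes(body[off:off + 2], "big")
    off += 2
    ca_names = []
    while off + 2 <= end:                     # each name is a 2-byte-prefixed DER DN
        dnlen = int.from_bytes(body[off:off + 2], "big")
        ca_names.append(body[off + 2:off + 2 + dnlen])
        off += 2 + dnlen
    return cert_types, ca_names


def inspect_handshake(server_to_client, client_to_server):
    """Summarise client-certificate negotiation from the two directions of a capture."""
    result = {"server_requested_cert": False, "ca_names": [], "client_cert_count": 0}
    for ctype, version, payload in iter_records(server_to_client):
        if ctype != HANDSHAKE_RECORD:
            continue
        for htype, body in iter_handshakes(payload):
            if htype == HS_CERTIFICATE_REQUEST:
                result["server_requested_cert"] = True
                result["ca_names"].extend(parse_certificate_request(body, version)[1])
    for ctype, version, payload in iter_records(client_to_server):
        if ctype != HANDSHAKE_RECORD:
            continue
        for htype, body in iter_handshakes(payload):
            if htype == HS_CERTIFICATE:       # server's own cert is in the other direction
                result["client_cert_count"] += len(parse_certificate(body))
    return result


def diagnose(result):
    """One-line verdict in the terms the bug report uses."""
    if not result["server_requested_cert"]:
        return "server did not ask for a client certificate"
    if result["client_cert_count"] == 0:
        return "server requires a client certificate but the client sent an empty Certificate message"
    return "client certificate negotiated (%d certificate(s) sent)" % result["client_cert_count"]


# --- constructed sample flights (placeholder bytes, not real DER) ----------------
def build_record(version, handshakes):
    payload = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in handshakes)
    return struct.pack("!BHH", HANDSHAKE_RECORD, version, len(payload)) + payload


def build_certificate_request(version, cert_types, ca_names):
    body = bytes([len(cert_types)]) + bytes(cert_types)
    if version >= TLS12:
        sig_algs = bytes([0x04, 0x01, 0x05, 0x01])   # rsa_pkcs1 with sha256 / sha384
        body += len(sig_algs).to_bytes(2, "big") + sig_algs
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    return body + len(cas).to_bytes(2, "big") + cas


def build_certificate(certs):
    lst = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(lst).to_bytes(3, "big") + lst


CA_NAME = b"CN=Example Work CA"   # placeholder for the DER-encoded issuer name
SERVER_FLIGHT = build_record(TLS12, [
    (HS_CERTIFICATE_REQUEST, build_certificate_request(TLS12, [1], [CA_NAME])),
    (HS_SERVER_HELLO_DONE, b"")])
CLIENT_NO_CERT = build_record(TLS12, [(HS_CERTIFICATE, build_certificate([]))])
CLIENT_WITH_CERT = build_record(TLS12, [
    (HS_CERTIFICATE, build_certificate([b"<client-cert-der>", b"<ca-cert-der>"]))])

if __name__ == "__main__":
    for label, flight in (("no cert offered", CLIENT_NO_CERT), ("cert offered", CLIENT_WITH_CERT)):
        print(label + ":", diagnose(inspect_handshake(SERVER_FLIGHT, flight)))
```

The first constructed flight pair is the situation the original report describes (the server demands a certificate signed by the work CA and the client has none to offer); the second is what the attached traces are meant to show. Only the unencrypted handshake messages are inspected, which is all a capture of a completed TLS 1.0 to 1.2 negotiation exposes anyway.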
Any chance of seeing this applied?
Ouch, the code is under freeze now; the nearest possible release is 2.28.1.
Craig, could you please commit the patch now in stable as well as in master, tia.
Akhil: I don't have any sort of commit rights to evo, so I don't have that option.
Committed in stable (gnome 2.28.1+):
http://git.gnome.org/cgit/evolution-data-server/commit/?h=gnome-2-28&id=87238717ceb0a158a00c76fc07c6e27c769c2cf0
Committed in master (gnome 2.29.1+):
http://git.gnome.org/cgit/evolution-data-server/commit/?id=429a106d101bf205ba0c8ee8f94a818327c2d736