GNOME Bugzilla – Bug 273869
Connector doesn't work with certificate-based-only access to OWA
Last modified: 2013-07-23 14:29:58 UTC
I'd like to be able to connect to Exchange https using certificate. Our admins recently disabled a possibility to connect without one and I'm therefore unable to use Evolution anymore. Right now I can see that Evolution/Connector tries to fetch mails, but isn't allowed access. I'm able to connect to OWA with Mozilla when I have a proper certificate installed.
Too late for 2.6
Most of the work for this should probably be done in libsoup, and then connector can just provide the UI and call the right libsoup methods.
*** Bug 431376 has been marked as a duplicate of this bug. ***
*** Bug 431379 has been marked as a duplicate of this bug. ***
Created attachment 86640: e-d-s cert auth
Created attachment 86641: connector cert auth
copying comments from other bugs here (i thought this bug existed, but searching for it didn't find it):
> we've added support to soup to authenticate using ssl certs in bug 334021.
>
> these patches attempt to add this to evolution-data-server and the connector. they use an additional bonobody interface and objects supplied by a small library i made called gnome-certauth:
>
> http://off.net/~jacob/gnome-certauth-0.1.tar.gz
>
> these patches are a little tricky because we are doing the cert stuff via nss. nss doesn't currently support concurrent access via multiple applications, and it also may need to prompt the user for a pin, or to accept a certificate. for these reasons, i have punted the nss bits to the client side and marshal them over either bonobo or the mail stub interface.
>
> it seems to work ok, but i am up for some discussion if maybe this isn't the best approach.
>
> I know these patches have some rough edges; they don't use HAVE_GNOME_CERTAUTH everywhere, they don't check in configure for the new soup, and they have some leftover printfs and such, but I was interested in getting some early feedback on the implementation.
E-D-S patch seems to be from a downstream code (OpenSuSE 10.2). Please attach patches against SVN Head. Also, disable the f_printf / g_warning and other console messages.
Created attachment 89124: new patch against trunk
Created attachment 89125: update to trunk and fix a deadlock
the refresh_folder() bit is now run in its own thread to free up the main thread for processing replies to the certificate request; please take a look at this and see if it's ok.
Created attachment 89126: forgot to include two new files
There is one other thing this patch does not do: it should probably ask the user which cert to use, possibly only in the cases where it has more or fewer than one cert signed by an acceptable CA, or if the auth failed the first time. i'm sure evo has a cert picker widget somewhere; can someone give me a nudge in the right direction? Thanks.
(In reply to comment #12)
> There is one other thing this patch does not do: it should probably ask the user which cert to use, possibly only in the cases where it has more or fewer than one cert signed by an acceptable CA, or if the auth failed the first time.
>
> i'm sure evo has a cert picker widget somewhere; can someone give me a nudge in the right direction?
>
> Thanks.
>
Edit->Preferences-><Account-to-edit>->Edit->Security Tab
no, more like a dialog that pops up asking the user to pick a cert. and i'm more interested on where in the code it lives than how to reach it in the UI. Thanks!
Jacob: I am marking the two patches as reviewed and IMHO, the patches have to wait till a non-smartcard system with these patches work seamlessly as before.
Created attachment 93867: new e-d-s patch for 1.11.x
this includes a few fixes, for using passwords and other things that have come up lately.
Created attachment 93868: new evo-exchange patch for 2.11.6.1
password, other fixes
Created attachment 93869: patch for evo 2.11.6.1
this fixes an infinite recursion, which is obvious when reading the code. i haven't noticed anything bad specifically from this patch, but i don't know why this code was here in the first place either
The patches are obsolete. OpenSUSE rpms have a better fix. But few more pending work to be done. May be next release.
*** Bug 338461 has been marked as a duplicate of this bug. ***
The problem is you cannot ADD an account
(In reply to comment #13)
> (In reply to comment #12)
> > There is one other thing this patch does not do: it should probably ask the user which cert to use, possibly only in the cases where it has more or fewer than one cert signed by an acceptable CA, or if the auth failed the first time.
> >
> > i'm sure evo has a cert picker widget somewhere; can someone give me a nudge in the right direction?
> >
> > Thanks.
> >
> Edit->Preferences-><Account-to-edit>->Edit->Security Tab
>
The whole problem is you cannot ADD such an account because the wizard requires you to click "Authenticate," which of course won't work because you have to specify the certs you want to use for authentication.
Any activity on this? I'm investigating client cert support right now, and would like to know if there's any faintly usable starting point.
I am wondering if fedora 11's "openchange" is another way to achieve this.
Note that the package "evolution-exchange" is deprecated nowadays. Similar functionality is now provided by "evolution-mapi" and "evolution-ews" packages. This bug was reported against a version that is now not supported anymore. Could you please check if the problem that you reported here still happens with a recent version of Evolution (like 3.2 or 3.0) by reporting back? Thanks in advance!
The feature still does not exist (at the libsoup level) in 3.2 (which is bug 334021 which this depends on).
Ah. Thanks!
evolution-exchange only supports the older Microsoft Exchange server versions 2000 and 2003. The last stable release of evolution-exchange was 3.4.4 which took place a year ago. evolution-exchange is now deprecated and not under active development anymore. It is unlikely that there will be any further active development. Closing this report as WONTFIX as part of Bugzilla Housekeeping. Please feel free to reopen this bug report in the future if anyone takes the responsibility for active development again. Also feel free to reopen this ticket and change the "Product" field accordingly if the reported issue still happens with a recent version (newer than version 3.6) of one of those Exchange backends that are still supported. Please see https://help.gnome.org/users/evolution/3.8/exchange-connectors-overview.html for more information on available backends.