GNOME Bugzilla – Bug 753958
Client certificate not sent
Last modified: 2015-08-26 13:18:07 UTC
I have imported a client certificate into Evolution 3.12.9 from Debian/jessie to connect to an IMAPS server. The remote server is running Dovecot with:

auth_ssl_require_client_cert = yes
ssl_verify_client_cert = yes

Looking at the logs, it appears Evolution did not send the certificate. Using the certificate in openssl s_client does successfully authenticate to the server. The CA certificate has also been imported into the certificate store.

From the Dovecot logs:

Aug 21 23:04:09 thanatopsis dovecot: imap-login: Disconnected (client didn't send a cert): user=<>, method=PLAIN, rip=xxxx1, lip=xxxx2, TLS, session=<iIjLJuAdrQBsJiYv>

Evolution just goes into a loop prompting for the password until the modal window is dismissed. Looking at the wireshark logs, it looks like Evolution sends a certificate packet with a 0-length certificate.

I looked for a setting to force Evolution to send a specific client certificate (there's only one in the NSS store at the moment), or to send a certificate signed by the same CA as the server, but couldn't find one.

Let me know what other data or debug logs I can provide to help track this down.
Ah, that 0-length certificate is from the server -- it's sending an empty list of acceptable CAs. In TLS 1.2, that means the client is allowed to send any certificate (RFC 5246 §7.4.4) -- but Evolution doesn't prompt for one (the connection is using TLS 1.2). Is Evolution still using TLS 1.0 rules?
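Added example, not part of the original bug report or of Evolution's code: a minimal parser for the TLS 1.2 CertificateRequest handshake message (RFC 5246 §7.4.4) that shows what an empty certificate_authorities list looks like on the wire. The two sample messages are constructed, not captured from the reporter's server, and the function name and returned keys are hypothetical.

```python
CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request, RFC 5246 §7.4

def parse_certificate_request(msg: bytes) -> dict:
    """Parse one TLS 1.2 CertificateRequest handshake message (RFC 5246 §7.4.4)."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    cert_types = list(take(take(1)[0]))             # certificate_types<1..2^8-1>
    sig_raw = take(int.from_bytes(take(2), "big"))  # supported_signature_algorithms
    ca_raw = take(int.from_bytes(take(2), "big"))   # certificate_authorities<0..2^16-1>
    if pos != len(body) or len(sig_raw) % 2:
        raise ValueError("malformed CertificateRequest body")

    cas, i = [], 0
    while i < len(ca_raw):                          # each DN is opaque<1..2^16-1>
        n = int.from_bytes(ca_raw[i:i + 2], "big")
        dn = ca_raw[i + 2:i + 2 + n]
        if i + 2 > len(ca_raw) or n == 0 or len(dn) != n:
            raise ValueError("malformed DistinguishedName entry")
        cas.append(dn)
        i += 2 + n
    return {
        "certificate_types": cert_types,
        "signature_algorithms": [tuple(sig_raw[j:j + 2]) for j in range(0, len(sig_raw), 2)],
        "certificate_authorities": cas,
        # Empty list: the server names no CA, so it gives the client no hint for choosing.
        "ca_list_empty": not cas,
    }

# Constructed samples (not captured traffic): types rsa_sign(1), ecdsa_sign(64);
# algorithms sha256/rsa (4,1), sha256/ecdsa (4,3).
EMPTY_CA_REQUEST = bytes.fromhex("0d00000b" "020140" "000404010403" "0000")
# Same request naming one CA; the DN is a placeholder empty DER SEQUENCE (30 00).
ONE_CA_REQUEST = bytes.fromhex("0d00000f" "020140" "000404010403" "0004" "0002" "3000")
```

In a packet capture, the `00 00` at the end of the first sample is the zero-length field that is easy to misread as a zero-length certificate.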
Thanks for the bug report. Evolution(-data-server) doesn't support client certificate authentication currently. I was told an ssh tunnel can be run, to which the IMAP can connect, which makes it the only possible way of connecting using client certificates at the moment.

*** This bug has been marked as a duplicate of bug 711602 ***