Score:0

manual certificate authentication for IMAPS


I'm running an IMAPS service and users are authenticated with an X.509 certificate. It works fine using Thunderbird. But how can I connect to the IMAPS service manually using openssl? I use the same certificate with openssl s_client as in Thunderbird, but I'm not authenticated.

$ openssl s_client -connect $myimapsserver:993 -key my.key -cert my.crt -quiet 
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = $myimapsserver
verify return:1
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION AUTH=EXTERNAL ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2019 Double Precision, Inc.  See COPYING for distribution information.
dave_thompson_085
Does your cert need any intermediate cert(s), commonly called 'chain' cert(s), to be validated? If it's from a public CA like Digicert it always does; if it's from a smaller-scope CA like your corporation's headquarters or a city government, it usually does but maybe not.
in flag
I don't need any intermediate cert and the X.509 is validated, but my courier-imap does not authenticate me if I try to use openssl, while the user is authenticated using Thunderbird with the same cert. I guess I have to send a command or set an openssl s_client option to authenticate with the X.509 against the imapd.
Score:0

Authentication is possible with the following IMAP command:

1 AUTHENTICATE EXTERNAL bWljaGE=

And then the IMAP server responded with:

1 OK LOGIN Ok.

The parameter is the base64-encoded username, which also has to be in the client X.509 certificate that is used.

in flag
It was found via https://bugzilla.mozilla.org/show_bug.cgi?id=286581
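
The exchange from the answer above as a script, added here as an example and not part of the original answer. The function names, the host `imap.example.org` and the file names are assumptions; the `=` form for an empty user name comes from RFC 4959, not from the page.

```shell
#!/bin/sh
# Added example: send AUTHENTICATE EXTERNAL over a client-certificate TLS session.

# Print "<tag> AUTHENTICATE EXTERNAL <base64(user)>".
# An empty user is sent as "=", the RFC 4959 encoding of a zero-length
# initial response; whether Courier accepts that is not stated on the page.
imap_external_cmd() {
    if [ -z "$2" ]; then
        b64='='
    else
        b64=$(printf '%s' "$2" | base64 | tr -d '\n')
    fi
    printf '%s AUTHENTICATE EXTERNAL %s\n' "$1" "$b64"
}

# Read a session transcript on stdin; succeed only if the tagged reply is OK.
imap_tag_ok() {
    tr -d '\r' | grep -q "^$1 OK"
}

# Arguments: host key cert user. Authenticates, then logs out so the
# server closes the connection and s_client exits.
# -quiet keeps s_client from interpreting input lines as its own commands;
# -crlf sends the CRLF line endings IMAP expects.
imap_external_login() {
    { imap_external_cmd 1 "$4"; printf '2 LOGOUT\n'; } |
        openssl s_client -connect "$1:993" -key "$2" -cert "$3" -quiet -crlf 2>/dev/null
}

# Usage (placeholders): sh imap-external.sh imap.example.org my.key my.crt micha
if [ "$#" -eq 4 ]; then
    # Print the subject for a manual check that the user name is in the certificate.
    openssl x509 -in "$3" -noout -subject
    out=$(imap_external_login "$@")
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | imap_tag_ok 1; then
        echo "authenticated"
    else
        echo "not authenticated"
    fi
fi
```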