9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] now the real reason ... tls mail
From: ron minnich @ 2007-05-29  6:10 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I'm following the instructions (I think) so that macos can read mail
over imap4d over tls.

I have used the openssl command to create cert.pem and imap.pem.

I have copied key.pem over and done the factotum dance:

I get something like this (not all of it)
key proto=sshrsa size=1024 ek=10001 n=etc.

Should that really be sshrsa?

error is this:
roo May 28 18:48:29 76.103.89.146!62583 tls reports recv ClientHello
	version: 0301
	random: 0000000000000000000000000000000084e03cff91e9bedc11b09821c53f7526
	sid: []
	ciphers: [2f 5 4 35 a ff83 9 ff82 3 8 6 ff80 32 33 34 38 39 3a 16 15
14 13 12 11 18 1b 1a 17 19 1 ]
	compressors: [00 ]

roo May 28 18:48:29 76.103.89.146!62583 tls reports ClientHello version 301

roo May 28 18:48:29 76.103.89.146!62583 tls reports   cipher 5,
compressor 0, csidlen 0

roo May 28 18:48:29 76.103.89.146!62583 tls reports tlsError:
factotum_rsa_open: no key matches proto=rsa service=tls role=client

roo May 28 18:48:29 76.103.89.146!62583 tls reports failed: no key
matches proto=rsa service=tls role=client

the proto in factotum is sshrsa, is there any way that can match rsa?

Even if I change that, the error changes not. Even if I add
service=tls role=client, the error changes not.

So, I am working with multiple levels of my own lack of understanding.
Any clues here?

I'm even more confused since I can't figure out how macos mail is
going to deal with this, I never having seen any step where I give it
a key or certificate or some such. But, then, I have a way of screwing
this stuff up.

thanks

ron



* Re: [9fans] now the real reason ... tls mail
From: Richard Miller @ 2007-05-29  9:18 UTC (permalink / raw)
  To: 9fans

> I have used the openssl command to create cert.pem and imap.pem.

I think you're making things difficult for yourself by not doing
everything under Plan 9.  I just tried following the hints
in tlssrv(8), pop3(8) and rsa(8) -- here's the transcript:

On the server (vt310):

term% auth/rsagen -t 'service=tls' >key
term% auth/rsa2x509 'C=UK CN=*.hamnavoe.com' key | auth/pemencode CERTIFICATE >cert
term% cat key >/mnt/factotum/ctl
term% cp cert /sys/lib/tls/imap.pem
term% cat >/bin/service.auth/tcp993 <<EOF
#!/bin/rc
exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
  /bin/ip/imap4d -p -dhamnavoe.com -r`{cat $3/remote} \
  >[2]/sys/log/imap4d
EOF
term% chmod +x /bin/service.auth/tcp993
term% passwd
Plan 9 Password: ********
change Plan 9 Password? (y/n) n
change Inferno/POP password? (y/n) y
make it the same as your plan 9 password? (y/n) y
term% 

Note that if vt310 was not already running as an auth server, I would
also have had to start auth/keyfs and 'aux/listen -t /bin/service.auth tcp'
(before changing my POP password).

On the client:

term% upas/fs -f/imaps/vt310/miller
upas/fs: server certificate 2DE3574F53CB87FFDBF1068CFA27B8D48586B37B not recognized
term% cat <<EOF >>/sys/lib/tls/mail
x509 sha1=2DE3574F53CB87FFDBF1068CFA27B8D48586B37B vt310
EOF
term% upas/fs -f/imaps/vt310/miller
!Adding key: proto=pass server=vt310 service=imap user=miller
password: ********
!
term% mail 
10 messages
: term% 

So it seems to have found the mailbox.  Then I tried setting up
an IMAP account on my iMac mail.app to fetch from vt310, ticking
the 'Use SSL' box in the Accounts>Advanced dialogue.  That works too,
except for giving a warning message "... The root certificate for
this server could not be verified ... Would you like to continue
anyway?"  I don't know if there's a way to silence this message
other than getting your certificate signed by a reputable CA.

-- Richard
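
Added example, not part of the original thread or of Plan 9's own code: a sketch of the check behind the "server certificate ... not recognized" message in the transcript above, matching a certificate against 'x509 sha1=...' lines like the one appended to /sys/lib/tls/mail. It assumes the thumbprint is the SHA-1 of the DER-encoded certificate; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Return the decoded bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def thumbprint(der: bytes) -> str:
    """Upper-case hex SHA-1 of the certificate bytes (assumed thumbprint form)."""
    return hashlib.sha1(der).hexdigest().upper()

def parse_thumbprints(text: str) -> set[str]:
    """Collect sha1= values from 'x509 sha1=HEX comment' lines; skip the rest."""
    trusted = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "x509":
            continue  # blank lines, comments, unknown entry types
        for f in fields[1:]:
            # Only accept a well-formed 40-hex-digit value.
            if f.startswith("sha1=") and re.fullmatch(r"[0-9A-Fa-f]{40}", f[5:]):
                trusted.add(f[5:].upper())
    return trusted

def is_recognized(pem: str, thumb_text: str) -> bool:
    """True only if the certificate's thumbprint is listed in the file text."""
    return thumbprint(pem_to_der(pem)) in parse_thumbprints(thumb_text)

# Constructed stand-in: arbitrary bytes in place of a real DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
# Entry copied from the thread; the constructed sample does not hash to it.
THREAD_FILE = "x509 sha1=2DE3574F53CB87FFDBF1068CFA27B8D48586B37B vt310\n"
# Same file after pinning the sample, as the client transcript does for vt310.
PINNED_FILE = THREAD_FILE + f"x509 sha1={thumbprint(SAMPLE_DER)} sample\n"

if __name__ == "__main__":
    print(is_recognized(SAMPLE_PEM, THREAD_FILE))  # before pinning
    print(is_recognized(SAMPLE_PEM, PINNED_FILE))  # after pinning
```

Because the pin covers the whole certificate, regenerating the key or certificate on the server changes the thumbprint and the client entry has to be replaced.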




* Re: [9fans] now the real reason ... tls mail
From: Christian Kellermann @ 2007-05-29  9:26 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


* Richard Miller <9fans@hamnavoe.com> [070529 11:20]:
> So it seems to have found the mailbox.  Then I tried setting up
> an IMAP account on my iMac mail.app to fetch from vt310, ticking
> the 'Use SSL' box in the Accounts>Advanced dialogue.  That works too,
> except for giving a warning message "... The root certificate for
> this server could not be verified ... Would you like to continue
> anyway?"  I don't know if there's a way to silence this message
> other than getting your certificate signed by a reputable CA.

Apple's mail has a way to import certificates as trusted. The help
system will tell you what to do.

Cheers,

Christian

-- 
You may use my gpg key for replies:
pub  1024D/47F79788 2005/02/02 Christian Kellermann (C-Keen)


* Re: [9fans] now the real reason ... tls mail
From: Richard Miller @ 2007-05-29 10:25 UTC (permalink / raw)
  To: 9fans

> Apple's mail has a way to import certificates as trusted. The help
> system will tell you what to do.

You're right, thanks -- try keyword "certificate" in mail.app help.
The only tricky part (for me) is to make sure the incoming server
name in Mail>Account matches the CN= pattern you used to generate
the certificate.


