Gnus development mailing list
* X.509 IMAP access with ognus 0.07
@ 2002-08-16  9:33 Peter Weiss, Sun Microsystems, Germany
  2002-08-16 11:36 ` Simon Josefsson
  0 siblings, 1 reply; 2+ messages in thread
From: Peter Weiss, Sun Microsystems, Germany @ 2002-08-16  9:33 UTC (permalink / raw)


Hello everyone (especially Simon ;-),

I'm stuck with my imap connection using openssl and X509 certification:

Starting openssl from the shell the IMAP server on the remote works:

:1> openssl s_client -quiet -connect localhost:9993 -ssl3 -cert   /home/pw105345/Mail/Peter_Weiss_usercert.pem -key    /home/pw105345/Mail/Peter_Weiss_userkey.pem -CAfile /home/pw105345/Mail/ROOTCA_DER.crt
Enter PEM pass phrase:
depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
verify error:num=21:unable to verify the first certificate
verify return:1
* PREAUTH Domino IMAP4 Server Release 5.0.10  ready Fri, 16 Aug 2002 11:18:31 +0200


I've managed to make Emacs do the passphrase interaction the following way by
modifying ssl.el a bit:

(defvar ssl-filter-pw "^Enter.*pass.*:"
  "Regexp for filter function to recognize password input requests")

(defun ssl-watch-for-password (proc inpstr)
  "Filter function to do password interaction if requested by started ssl
program."
  (message "FILTER function: input %s" inpstr)
  (cond ((string-match ssl-filter-pw inpstr)
         (message "Password request found")
         (send-string proc (concat (read-passwd inpstr) "\n")))))

(defun open-ssl-stream (name buffer host service)
  "Open a SSL connection for a service to a host.
Returns a subprocess-object to represent the connection.
Input and output work as for subprocesses; `delete-process' closes it.
Args are NAME BUFFER HOST SERVICE.
NAME is name for process.  It is modified if necessary to make it unique.
BUFFER is the buffer (or buffer-name) to associate with the process.
 Process output goes at end of that buffer, unless you specify
 an output stream or filter function to handle the output.
 BUFFER may be also nil, meaning that this process is not associated
 with any buffer
Third arg is name of the host to connect to, or its IP address.
Fourth arg SERVICE is name of the service desired, or an integer
specifying a port number to connect to."
  (if (integerp service) (setq service (int-to-string service)))
  (let* ((process-connection-type nil)
	 (port service)
	 (proc (eval
		(`
		 (start-process name buffer ssl-program-name
				(,@ ssl-program-arguments))))))
    (process-kill-without-query proc)
    (set-process-filter proc (function ssl-watch-for-password))
    proc))


Putting some message statements in the imap code I see in the messages buffer:

imap: Connecting to localhost...
imap: Opening SSL connection with `openssl s_client -quiet -connect %s:%p -ssl3 -cert   /home/pw105345/Mail/Peter_Weiss_usercert.pem -key    /home/pw105345/Mail/Peter_Weiss_userkey.pem -CAfile /home/pw105345/Mail/ROOTCA_DER.crt'...
IMAP: Parsing greeting
FILTER function: input Enter PEM pass phrase:
Password request found
Enter PEM pass phrase:
Enter PEM pass phrase:.
Enter PEM pass phrase:..
Enter PEM pass phrase:.............
FILTER function: input 

IMAP: Parsing greeting
FILTER function: input depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
verify error:num=21:unable to verify the first certificate
verify return:1

FILTER function: input * PREAUTH Domino IMAP4 Server Release 5.0.10  ready Fri, 16 Aug 2002 11:23:59 +0200

IMAP: Parsing greeting [26 times]

=> The authentication seems to be successful, the last message indicates
   that imap-parse-greeting () is called but finds no suitable OK prompt from
   the IMAP server.

   BTW: Setting imap-log reports no interaction in the imap-log buffer, even
   though it is created.

Questions that arise:

o Is Domino IMAP4 not IMAP compatible?
o Are there some simple commands to check the functionality of the
  IMAP-Server to run from an openssl connection established from an
  interactive shell?

Thanks for hints --Peter

-- 
Consultant der CLASS AG   http://www.class.de
Professional Services
mobil +49 (0) 172/837 91 25
mailto:Peter.Weiss@class.de




* Re: X.509 IMAP access with ognus 0.07
  2002-08-16  9:33 X.509 IMAP access with ognus 0.07 Peter Weiss, Sun Microsystems, Germany
@ 2002-08-16 11:36 ` Simon Josefsson
  0 siblings, 0 replies; 2+ messages in thread
From: Simon Josefsson @ 2002-08-16 11:36 UTC (permalink / raw)
  Cc: ding

> depth=0 /C=DE/O=CLASS AG/OU=Projects/CN=ln-com1.class.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1

You might want to set up the OpenSSL CA's so that you verify whom you are
talking to.

>     (set-process-filter proc (function ssl-watch-for-password))

This won't work -- imap.el also has a process filter, and I don't think
you can have more than one process filter?

> => The authentication seems to be successful, the last message indicates
>    that imap-parse-greeting () is called but finds no suitable OK prompt
>    from the IMAP server.
>
>    BTW: Setting imap-log reports no interaction in the imap-log buffer,
> even though it is created.

Right, imap.el won't work without the imap.el process filter.

I think you should be able to copy your code into imap-open-ssl, looking
for the password prompt and acting on it.  Without the process filter.

> o Is Domino IMAP4 not IMAP compatible?

No evidence of that so far.

> o Are there some simple commands to check the functionality of the
>   IMAP-Server to run from an openssl connection established from an
> interactive shell?

Look in RFC 2060. :-)
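
Added example, not part of either message and not code from imap.el or ssl.el: one way to handle the pass phrase prompt by polling the process buffer instead of installing a second process filter, while refusing to continue if openssl prints a "verify error" line like the ones in the transcript above. The my-ssl-* names and the 30-second default are hypothetical, and the sketch assumes the prompt arrives on the process pipe as it does in the log shown in the first message.

```elisp
;; Added example; the my-ssl-* names are hypothetical, not imap.el/ssl.el API.
(defvar my-ssl-prompt-regexp "^Enter.*pass.*:"
  "Regexp matching the pass phrase prompt printed by openssl.")

(defvar my-ssl-verify-error-regexp "^verify error:num=\\([0-9]+\\):\\(.*\\)$"
  "Regexp matching a verification failure line printed by s_client.")

(defun my-ssl-wait-for-greeting (proc &optional timeout)
  "Answer the pass phrase prompt of PROC, then wait for the IMAP greeting.
PROC must have a process buffer and the default filter, so its output
is inserted into that buffer.  Signal an error if openssl reports a
certificate verification failure, if PROC exits, or if no greeting
arrives within TIMEOUT seconds (default 30).
Return the greeting type: \"OK\", \"PREAUTH\" or \"BYE\"."
  (let ((deadline (+ (float-time) (or timeout 30)))
        (answered nil)
        (greeting nil))
    (with-current-buffer (process-buffer proc)
      (while (not greeting)
        (goto-char (point-min))
        (cond
         ;; s_client keeps going after "verify return:1"; stop here instead.
         ((re-search-forward my-ssl-verify-error-regexp nil t)
          (let ((num (match-string 1))
                (reason (match-string 2)))
            (delete-process proc)
            (error "Server certificate not verified (%s: %s)" num reason)))
         ;; Answer the prompt once, straight from the buffer contents.
         ((and (not answered)
               (re-search-forward my-ssl-prompt-regexp nil t))
          (process-send-string
           proc (concat (read-passwd "PEM pass phrase: ") "\n"))
          (setq answered t))
         ;; An IMAP greeting is an untagged OK, PREAUTH or BYE response.
         ((re-search-forward "^\\* \\(OK\\|PREAUTH\\|BYE\\) " nil t)
          (setq greeting (match-string 1)))
         ((not (memq (process-status proc) '(open run)))
          (error "openssl exited before the IMAP greeting"))
         ((> (float-time) deadline)
          (error "Timed out waiting for the IMAP greeting"))
         (t (accept-process-output proc 1))))
      ;; Drop the openssl chatter so only IMAP data is left for the parser.
      (goto-char (point-min))
      (when (re-search-forward "^\\* " nil t)
        (delete-region (point-min) (match-beginning 0))))
    greeting))
```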





