Howto make Evolution 3.36.3 send a client cert for authentication?

Hello,

Does Evolution 3.36.3 support self-signed client certificate
authentication to an IMAP server? The IMAP server I'm connecting to
requires the client to send a certificate and for some reason Evolution
does not appear to send it.

This is Evolution 3.36.3 on Fedora 32. Steps I tried in Preferences:

1) Certificates -> Your Certificates -> import p12 with self-signed CA
and client cert
2) Certificates -> Authorities -> enable all trust options for the
self-signed CA
3) exit evolution and start it again
3) setup imap account with TLS on port 993
4) try to connect

Result: “Peer sent fatal TLS alert: Certificate is required”.

How do I make Evolution send a client cert to the IMAP server?

Thank you!

Best,
Patrick
_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Fri, 2020-06-12 at 16:21 +0200, [hidden email]
wrote:
> 3) exit evolution and start it again

Is this a complete exit? It may not be enough to simply quit Evolution.
Do 'pkill evolution' from the command line.

poc

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

Hi Patrick,

Thank you for your reply. Comments inline.

>> 3) exit evolution and start it again
>
> Is this a complete exit? It may not be enough to simply quit Evolution.
> Do 'pkill evolution' from the command line.

I did a pkill evolution and tried to pkill the other evolution-* apps
but they autorestarted.

The pkill did not make a difference. I then looked at what Wireshark
found. It seems (to my untrained eyes) that Evolution sends a
certificate with zero length. Screenshot attached.

Any other ideas?

Best,
Patrick

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Fri, 2020-06-12 at 18:58 +0200, [hidden email]
wrote:
Weird. That has never failed for me but maybe something in your DE is
restarting them (I use KDE). Try 'pkill -9 ...' or log out and in
again.

> The pkill did not make a difference. I then looked at what Wireshark
> found. It seems (to my untrained eyes) that Evolution sends a
> certificate with zero length. Screenshot attached.
>
> Any other ideas?

I have no experience with certificates in Evo, so no.

poc

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Fri, 2020-06-12 at 17:06 +0100, Patrick O'Callaghan wrote:
> On Fri, 2020-06-12 at 16:21 +0200,
> [hidden email]
> wrote:
> > 3) exit evolution and start it again
>
> Is this a complete exit? It may not be enough to simply quit
> Evolution.
> Do 'pkill evolution' from the command line.

        Hi,
just a note: it's not needed for the mail part, it runs within the
'evolution' process, in contrast to other parts (Contacts, Calendars,
Tasks, Memos), which talk to evolution-data-server (background D-Bus)
processes.
        Bye,
        Milan

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Fri, 2020-06-12 at 18:08 +0100, Patrick O'Callaghan wrote:
> > I did a pkill evolution and tried to pkill the other evolution-*
> > apps but they autorestarted.
>
> Weird. That has never failed for me but maybe something in your DE is
> restarting them (I use KDE). Try 'pkill -9 ...' or log out and in
> again.

        Hi,
I'd say if they auto-restarted (their process ID changed), then the
pkill command worked. As being said, it depends on the desktop
environment. For example GNOME's gnome-shell-calendar-server keeps
(re-)starting evolution-calendar-factory whenever it's vanished. This
process requires evolution-source-registry, thus it runs it too. And if
the Birthdays & Anniversaries calendar is used by any client connecting
to the calendar factory also the evolution-addressbook-factory process
is started.

You can use `evolution --force-shutdown`, which kills the processes in
the correct order.
        Bye,
        Milan

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Mon, 2020-06-15 at 10:28 +0200, Milan Crha via evolution-list wrote:
Although this may not be relevant to the OP's question, it is sometimes
necessary to restart e-d-s because of authentication issues. I
occasionally have to do this under KDE because (I presume) of a race
condition on logging in, when Evo is autostarted. It only happens
rarely now but at one time it was very irritating.

poc

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Mon, 2020-06-15 at 09:58 +0100, Patrick O'Callaghan wrote:
> Although this may not be relevant to the OP's question, it is
> sometimes necessary to restart e-d-s because of authentication
> issues. I occasionally have to do this under KDE because (I presume)
> of a race condition on logging in, when Evo is autostarted. It only
> happens rarely now but at one time it was very irritating.

        Hi,
ah, I see, I recall some problem with evolution-source-registry losing
connection to libsecret (gnome-keyring-daemon) after login, I think it
was due to the gnome-keyring-daemon being restarted or something, which
libsecret doesn't like. Possibly related to:
https://gitlab.gnome.org/GNOME/libsecret/-/issues/39

        Bye,
        Milan

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Fri, 2020-06-12 at 16:21 +0200, [hidden email]
wrote:
> Result: “Peer sent fatal TLS alert: Certificate is required”.
>
> How do I make Evolution send a client cert to the IMAP server?

        Hi,
unfortunately, Evolution (or libcamel) doesn't support login with
client side certificate. [1]

Maybe it could be worked around with some connection tunnel, but I do
not have any experience with it, thus I cannot help to setup or use it.
I'm sorry.
        Bye,
        Milan

[1] https://bugzilla.gnome.org/show_bug.cgi?id=711602

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On 15-06-2020 11:22, Milan Crha via evolution-list wrote:
> On Fri, 2020-06-12 at 16:21 +0200, [hidden email]
> wrote:
>> Result: “Peer sent fatal TLS alert: Certificate is required”.
>>
>> How do I make Evolution send a client cert to the IMAP server?
>
> Hi,
> unfortunately, Evolution (or libcamel) doesn't support login with
> client side certificate. [1]

Thanks Milan.

Best,
Patrick
_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On 2020-06-15 at 11:22 +0200, Milan Crha via evolution-list wrote:
>
> Maybe it could be worked around with some connection tunnel, but I do
> not have any experience with it, thus I cannot help to setup or use
> it.
> I'm sorry.
>         Bye,
>         Milan


You should be able to do that with a command like:
 socat -v STDIO OPENSSL:<yourserver>:<port>,capath=/etc/ssl/certs,cert=<clientcertificate.pem>,key=<clientcertificate.key>

the key= parameter is optional if already in the cert file

As the CA is self-signed, instead of capath=, you probably should use
cafile=<cafile> instead. Which is specially good if your socat version
is below 1.7.3.0, as it didn't verify that the certificate corresponded
to the name before that.

Once you get the right socat command to connect to your server, it is
possible to configure evolution¹ to use a shell command instead of a
normal socket connection, thus solving the problem.



¹ I'm not able to find _how_ to configure it, though. It is possible
that it has no UI, requiring you to edit the files directly. But the
code is there. Hopefully someone will complete this by providing those
instructions.



Best regards

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

On Sun, 2020-06-21 at 00:15 +0200, Ángel wrote:
> It is possible that it has no UI, requiring you to edit the files
> directly. But the code is there. Hopefully someone will complete this
> by providing those instructions.

        Hi,
that's correct, the options were removed from the UI years ago. Search
for the corresponding .source file in ~/.config/evolution/sources and
change in [Imapx Backend] section the UseShellCommand=false to
UseShellCommand=true and add the special command into the ShellCommand
key. It defaults to this:
ShellCommand=ssh -C -l %u %h exec /usr/sbin/imapd

Such change requires re-run of Evolution.
        Bye,
        Milan

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list