Hello,
Does Evolution 3.36.3 support self-signed client certificate
authentication to an IMAP server? The IMAP server I'm connecting to
requires the client to send a certificate and for some reason Evolution
does not appear to send it.
This is Evolution 3.36.3 on Fedora 32. Steps I tried in Preferences:
1) Certificates -> Your Certificates -> import p12 with self-signed CA
and client cert
2) Certificates -> Authorities -> enable all trust options for the
self-signed CA
3) exit evolution and start it again
3) setup imap account with TLS on port 993
4) try to connect
Result: “Peer sent fatal TLS alert: Certificate is required”.
How do I make Evolution send a client cert to the IMAP server?
Thank you!
Best,
Patrick
_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list
|
|
On Fri, 2020-06-12 at 16:21 +0200, [hidden email]
wrote:
> 3) exit evolution and start it again
Is this a complete exit? It may not be enough to simply quit Evolution.
Do 'pkill evolution' from the command line.
poc
|
|
Hi Patrick,
Thank you for your reply. Comments inline.
>> 3) exit evolution and start it again
>
> Is this a complete exit? It may not be enough to simply quit Evolution.
> Do 'pkill evolution' from the command line.
I did a pkill evolution and tried to pkill the other evolution-* apps
but they autorestarted.
The pkill did not make a difference. I then looked at what Wireshark
found. It seems (to my untrained eyes) that Evolution sends a
certificate with zero length. Screenshot attached.
Any other ideas?
Best,
Patrick
|
|
On Fri, 2020-06-12 at 18:58 +0200, [hidden email]
wrote:
> Hi Patrick,
>
> Thank you for your reply. Comments inline.
>
> > > 3) exit evolution and start it again
> >
> > Is this a complete exit? It may not be enough to simply quit Evolution.
> > Do 'pkill evolution' from the command line.
>
> I did a pkill evolution and tried to pkill the other evolution-* apps
> but they autorestarted.
Weird. That has never failed for me but maybe something in your DE is
restarting them (I use KDE). Try 'pkill -9 ...' or log out and in
again.
> The pkill did not make a difference. I then looked at what Wireshark
> found. It seems (to my untrained eyes) that Evolution sends a
> certificate with zero length. Screenshot attached.
>
> Any other ideas?
I have no experience with certificates in Evo, so no.
poc
|
|
On Fri, 2020-06-12 at 17:06 +0100, Patrick O'Callaghan wrote:
> On Fri, 2020-06-12 at 16:21 +0200,
> [hidden email]
> wrote:
> > 3) exit evolution and start it again
>
> Is this a complete exit? It may not be enough to simply quit
> Evolution.
> Do 'pkill evolution' from the command line.
Hi,
just a note: it's not needed for the mail part, it runs within the
'evolution' process, in contrast to other parts (Contacts, Calendars,
Tasks, Memos), which talk to evolution-data-server (background D-Bus)
processes.
Bye,
Milan
|
|
On Fri, 2020-06-12 at 18:08 +0100, Patrick O'Callaghan wrote:
> > I did a pkill evolution and tried to pkill the other evolution-*
> > apps but they autorestarted.
>
> Weird. That has never failed for me but maybe something in your DE is
> restarting them (I use KDE). Try 'pkill -9 ...' or log out and in
> again.
Hi,
I'd say if they auto-restarted (their process ID changed), then the
pkill command worked. As was said, it depends on the desktop
environment. For example, GNOME's gnome-shell-calendar-server keeps
(re-)starting evolution-calendar-factory whenever it has vanished. This
process requires evolution-source-registry, thus it runs it too. And if
the Birthdays & Anniversaries calendar is used by any client connecting
to the calendar factory, the evolution-addressbook-factory process
is started as well.
You can use `evolution --force-shutdown`, which kills the processes in
the correct order.
Bye,
Milan
|
|
On Mon, 2020-06-15 at 10:28 +0200, Milan Crha via evolution-list wrote:
> On Fri, 2020-06-12 at 17:06 +0100, Patrick O'Callaghan wrote:
> > On Fri, 2020-06-12 at 16:21 +0200,
> > [hidden email]
> > wrote:
> > > 3) exit evolution and start it again
> >
> > Is this a complete exit? It may not be enough to simply quit
> > Evolution.
> > Do 'pkill evolution' from the command line.
>
> Hi,
> just a note: it's not needed for the mail part, it runs within the
> 'evolution' process, in contrast to other parts (Contacts, Calendars,
> Tasks, Memos), which talk to evolution-data-server (background D-Bus)
> processes.
Although this may not be relevant to the OP's question, it is sometimes
necessary to restart e-d-s because of authentication issues. I
occasionally have to do this under KDE because (I presume) of a race
condition on logging in, when Evo is autostarted. It only happens
rarely now but at one time it was very irritating.
poc
|
|
On Mon, 2020-06-15 at 09:58 +0100, Patrick O'Callaghan wrote:
> Although this may not be relevant to the OP's question, it is
> sometimes necessary to restart e-d-s because of authentication
> issues. I occasionally have to do this under KDE because (I presume)
> of a race condition on logging in, when Evo is autostarted. It only
> happens rarely now but at one time it was very irritating.
Hi,
ah, I see, I recall some problem with evolution-source-registry losing
connection to libsecret (gnome-keyring-daemon) after login, I think it
was due to the gnome-keyring-daemon being restarted or something, which
libsecret doesn't like. Possibly related to:
https://gitlab.gnome.org/GNOME/libsecret/-/issues/39
Bye,
Milan
|
|
On Fri, 2020-06-12 at 16:21 +0200, [hidden email]
wrote:
> Result: “Peer sent fatal TLS alert: Certificate is required”.
>
> How do I make Evolution send a client cert to the IMAP server?
Hi,
unfortunately, Evolution (or libcamel) doesn't support login with
client side certificate. [1]
Maybe it could be worked around with some connection tunnel, but I do
not have any experience with it, thus I cannot help to set up or use it.
I'm sorry.
Bye,
Milan
[1] https://bugzilla.gnome.org/show_bug.cgi?id=711602
|
|
On 15-06-2020 11:22, Milan Crha via evolution-list wrote:
> On Fri, 2020-06-12 at 16:21 +0200, [hidden email]
> wrote:
>> Result: “Peer sent fatal TLS alert: Certificate is required”.
>>
>> How do I make Evolution send a client cert to the IMAP server?
>
> Hi,
> unfortunately, Evolution (or libcamel) doesn't support login with
> client side certificate. [1]
Thanks Milan.
Best,
Patrick
|
|
On 2020-06-15 at 11:22 +0200, Milan Crha via evolution-list wrote:
>
> Maybe it could be worked around with some connection tunnel, but I do
> not have any experience with it, thus I cannot help to setup or use
> it.
> I'm sorry.
> Bye,
> Milan
You should be able to do that with a command like:
socat -v STDIO OPENSSL:<yourserver>:<port>,capath=/etc/ssl/certs,cert=<clientcertificate.pem>,key=<clientcertificate.key>
The key= parameter is optional if the key is already in the cert file.
As the CA is self-signed, you probably should use cafile=<cafile>
instead of capath=. That is especially good if your socat version
is below 1.7.3.0, as it didn't verify that the certificate corresponded
to the name before that.
Once you get the right socat command to connect to your server, it is
possible to configure evolution¹ to use a shell command instead of a
normal socket connection, thus solving the problem.
¹ I'm not able to find _how_ to configure it, though. It is possible
that it has no UI, requiring you to edit the files directly. But the
code is there. Hopefully someone will complete this by providing those
instructions.
Best regards
|
|
On Sun, 2020-06-21 at 00:15 +0200, Ángel wrote:
> It is possible that it has no UI, requiring you to edit the files
> directly. But the code is there. Hopefully someone will complete this
> by providing those instructions.
Hi,
that's correct, the options were removed from the UI years ago. Search
for the corresponding .source file in ~/.config/evolution/sources and,
in the [Imapx Backend] section, change UseShellCommand=false to
UseShellCommand=true and add the special command into the ShellCommand
key. It defaults to this:
ShellCommand=ssh -C -l %u %h exec /usr/sbin/imapd
Such a change requires a re-run of Evolution.
Bye,
Milan
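
The last two replies combined, as an added example that is not part of the original thread and is not Evolution's own code: a script that builds the socat command with cafile=, cert= and key=, then sets UseShellCommand and ShellCommand only inside the [Imapx Backend] section of one account's .source file. The function names build_socat_cmd and set_shell_command are hypothetical, and paths are assumed to contain no whitespace or commas.

```shell
#!/bin/sh
# Added example: route one Evolution IMAPx account through a socat TLS tunnel
# that presents a client certificate. Function names are hypothetical.

# Build the socat command from the thread. cafile= pins the self-signed CA.
# Assumption: arguments contain no whitespace or commas (commas separate
# socat address options). -v is left out so no traffic dump reaches stderr.
build_socat_cmd() {  # HOST PORT CAFILE CERT KEY
    printf 'socat STDIO OPENSSL:%s:%s,cafile=%s,cert=%s,key=%s' \
        "$1" "$2" "$3" "$4" "$5"
}

# Set UseShellCommand/ShellCommand inside [Imapx Backend] only, leaving every
# other section untouched. Keeps a copy of the original as FILE.bak.
set_shell_command() {  # SOURCE_FILE COMMAND
    grep -q '^\[Imapx Backend\]' "$1" || {
        echo "no [Imapx Backend] section in $1" >&2
        return 1
    }
    cp -p "$1" "$1.bak" || return 1
    # The command travels via ENVIRON so awk does not interpret backslashes.
    CMD=$2 awk '
        function flush() {   # add keys the section did not already contain
            if (!insec) return
            if (!seen_use) print "UseShellCommand=true"
            if (!seen_cmd) print "ShellCommand=" ENVIRON["CMD"]
        }
        /^\[/ { flush(); insec = ($0 == "[Imapx Backend]"); seen_use = seen_cmd = 0 }
        insec && /^UseShellCommand=/ { print "UseShellCommand=true"; seen_use = 1; next }
        insec && /^ShellCommand=/ { print "ShellCommand=" ENVIRON["CMD"]; seen_cmd = 1; next }
        { print }
        END { flush() }
    ' "$1.bak" > "$1"
}

# Usage: script ACCOUNT.source HOST PORT CAFILE CERT KEY  (run with Evolution closed)
if [ $# -eq 6 ]; then
    set_shell_command "$1" "$(build_socat_cmd "$2" "$3" "$4" "$5" "$6")"
fi
```

Check the socat command by hand against the server first, as the reply above suggests, and restart Evolution after the edit.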