Bug#800827: cyrus-admin: cyradm SASL EXTERNAL (TLS client certificate) authentication broken

Daniel Gnoutcheff daniel at gnoutcheff.name
Sun Oct 4 02:46:33 UTC 2015


Package: cyrus-admin
Version: 2.4.17+caldav~beta10-18
Severity: normal

I attempted to set up a cyrus imap server that exclusively uses TLS
client certificate authentication (i.e. with sasl_mech_list: EXTERNAL,
tls_require_cert: true, etc.).  With imtest, this works fine.  However,
when I try to use cyradm, I get:

> gnoutchd at rei:~$ cyradm --tlskey cyrus.pem --server rei.local -u cyrus --auth external
> verify error:num=19:self signed certificate in certificate chain
> cyradm: cannot authenticate to server with external as cyrus
> gnoutchd at rei:~$ 

('cyrus' is declared in imapd.conf as the sole admin user.  cyrus.pem
contains a PEM certificate followed by the corresponding private key.
The certificate has commonName set to 'cyrus'.  It's signed by my
experimental private CA, and imapd is configured to trust said CA.  The
server's certificate is also signed by this private CA, which probably
explains the 'verify error'.  Said error does not appear fatal, as
imtest prints it as well.)

Corresponding logs:

> Oct 03 21:42:14 rei cyrus/imap[6904]: accepted connection
> Oct 03 21:42:14 rei cyrus/imap[6904]: SSL_accept() incomplete -> wait
> Oct 03 21:42:14 rei cyrus/imap[6904]: Doing a peer verify
> Oct 03 21:42:14 rei cyrus/imap[6904]: Doing a peer verify
> Oct 03 21:42:14 rei cyrus/imap[6904]: SSL_accept() succeeded -> done
> Oct 03 21:42:14 rei cyrus/imap[6904]: received client certificate
> Oct 03 21:42:14 rei cyrus/imap[6904]: subject=/CN=cyrus
> Oct 03 21:42:14 rei cyrus/imap[6904]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) authenticated as cyrus


For comparison, here's imtest:

> gnoutchd at rei:~$ imtest -t cyrus.pem -a cyrus -u cyrus rei.local -m external
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] rei Cyrus IMAP v2.4.17-caldav-beta10-Debian-2.4.17+caldav~beta10-18 server ready
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=EXTERNAL SASL-IR COMPRESS=DEFLATE IDLE
> S: C01 OK Completed
> C: A01 AUTHENTICATE EXTERNAL Y3lydXM=
> S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST X-REPLICATION URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (tls protection) SESSIONID=<cyrus-6945-1443925428-1>
> Authenticated.
> Security strength factor: 256
> ^CC: Q01 LOGOUT
> Connection closed.
> gnoutchd at rei:~$


And corresponding logs:

> Oct 03 22:23:48 rei cyrus/imap[6945]: accepted connection
> Oct 03 22:23:48 rei cyrus/imap[6945]: SSL_accept() incomplete -> wait
> Oct 03 22:23:48 rei cyrus/imap[6945]: Doing a peer verify
> Oct 03 22:23:48 rei cyrus/imap[6945]: Doing a peer verify
> Oct 03 22:23:48 rei cyrus/imap[6945]: SSL_accept() succeeded -> done
> Oct 03 22:23:48 rei cyrus/imap[6945]: received client certificate
> Oct 03 22:23:48 rei cyrus/imap[6945]: subject=/CN=cyrus
> Oct 03 22:23:48 rei cyrus/imap[6945]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) authenticated as cy
> Oct 03 22:23:48 rei cyrus/imap[6945]: login: rei.local [10.179.201.75] cyrus EXTERNAL+TLS User logged in SESSIONID=<cyrus-6945-
> Oct 03 22:23:50 rei cyrus/imap[6945]: USAGE cyrus user: 0.156000 sys: 0.004000
> Oct 03 22:23:50 rei cyrus/imap[6945]: Connection reset by peer, closing connection




I've done some digging with gdb, and I suspect that this is what's happening:

- cyradm perl code calls imclient_starttls()

- After successful TLS negotiation (notwithstanding the unfamiliar
  private CA on the server certificate), imclient_starttls() does
    sasl_setprop(imclient->saslconn,
                 SASL_AUTH_EXTERNAL,
                 auth_id);
  with auth_id hardcoded to an empty string.  (Nearby comments suggest
  this code's unfinished.)

- sasl_setprop notices that the given string is empty and sets
  imclient->saslconn->external.auth_id to NULL instead.

- some time later, cyradm perl code calls imclient_authenticate()

- imclient_authenticate() eventually calls external_client_mech_new() to
  try EXTERNAL auth.

- external_client_mech_new() notices that external.auth_id is NULL and
  bails with SASL_NOMECH

- Since my server will only accept EXTERNAL auth, imclient_starttls()
  is forced to bail as well.


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cyrus-admin depends on:
ii  dpkg                1.17.25
ii  libcyrus-imap-perl  2.4.17+caldav~beta10-18
ii  perl                5.20.2-3+deb8u1

cyrus-admin recommends no packages.

Versions of packages cyrus-admin suggests:
pn  sasl2-bin  <none>

-- no debconf information
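To make the wire-level difference concrete, here is an added example (not code from cyradm, imtest or the Cyrus sources) that does by hand what the imtest transcript above shows: STARTTLS with a client certificate, check that the server advertises AUTH=EXTERNAL, and hand the authorization identity to the EXTERNAL mechanism. It assumes the host name rei.local and the file cyrus.pem from the report, plus a hypothetical ca.pem holding the private CA; the function names are the example's own. Loading the private CA is what makes the "verify error:num=19" go away properly, instead of being printed and ignored the way imtest and cyradm do above.

```python
"""STARTTLS + AUTHENTICATE EXTERNAL against a Cyrus IMAP server.

Added example, not from cyradm, imtest or Cyrus.  Host and cyrus.pem come
from the bug report; ca.pem and all helper names are assumptions.
"""
import base64
import imaplib
import ssl
import sys

# Shortened copy of the untagged CAPABILITY line from the imtest transcript.
SAMPLE_CAPABILITY = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte "
                     "QUOTA NAMESPACE UIDPLUS AUTH=EXTERNAL SASL-IR "
                     "COMPRESS=DEFLATE IDLE")


def external_initial_response(authzid: str) -> str:
    """Encode the EXTERNAL initial response as sent with SASL-IR (RFC 4959).

    EXTERNAL's only client message is the authorization identity.  A
    genuinely empty identity is sent as a lone "=" so the server can tell
    "empty" from "not sent"; anything else is base64 of its UTF-8 bytes.
    """
    if authzid == "":
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def sasl_ir_command(tag: str, authzid: str) -> str:
    """Build the single-line command imtest sends (the A01 line above)."""
    return f"{tag} AUTHENTICATE EXTERNAL {external_initial_response(authzid)}"


def advertised_mechs(capability_line: str) -> set:
    """Return the SASL mechanism names from a CAPABILITY response."""
    return {tok[len("AUTH="):] for tok in capability_line.split()
            if tok.startswith("AUTH=")}


def make_client_context(cert_and_key_pem: str, ca_pem: str) -> ssl.SSLContext:
    """TLS context that presents a client cert and trusts a private CA.

    Server verification and hostname checking stay on.  Trusting the CA is
    the correct fix for 'self signed certificate in certificate chain';
    disabling verification would let anyone who can intercept port 143
    impersonate the server and collect the cyrus admin session.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem)
    ctx.load_cert_chain(cert_and_key_pem)  # PEM cert followed by its key
    return ctx


def login_external(host: str, ctx: ssl.SSLContext, authzid: str) -> imaplib.IMAP4:
    """Connect, STARTTLS with the client cert, then AUTHENTICATE EXTERNAL.

    imaplib does not use SASL-IR: it sends AUTHENTICATE EXTERNAL, waits for
    the server's '+' continuation, then sends whatever the callback returns.
    Returning b"" from the callback reproduces the cyradm symptom in spirit:
    the server is given no identity to authorize as.
    """
    conn = imaplib.IMAP4(host, 143)
    conn.starttls(ctx)  # imaplib re-reads CAPABILITY after the handshake
    if "EXTERNAL" not in advertised_mechs(" ".join(conn.capabilities)):
        conn.logout()
        raise RuntimeError("server does not offer AUTH=EXTERNAL after STARTTLS")
    conn.authenticate("EXTERNAL", lambda challenge: authzid.encode("utf-8"))
    return conn


if __name__ == "__main__":
    # Usage: python3 this.py rei.local cyrus.pem ca.pem cyrus
    host, cert, ca, who = sys.argv[1:5]
    imap = login_external(host, make_client_context(cert, ca), who)
    print(imap.list())
    imap.logout()
```

The pure helpers are what the bug turns on: cyradm ends up with a NULL external auth_id and never gets as far as producing the `Y3lydXM=` that imtest sends, whereas `external_initial_response("")` shows what an intentionally empty identity would look like on the wire.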


