[9fans] now the real reason ... tls mail - Plan9


  1. [9fans] now the real reason ... tls mail

    I'm following the instructions (I think) so that macos can read mail
    over imap4d over tls.

    I have used the openssl command to create cert.pem and imap.pem.

    I have copied key.pem over and done the factotum dance:

    I get something like this (not all of it)
    key proto=sshrsa size=1024 ek=10001 n=etc.

    Should that really be sshrsa?

    error is this:
    roo May 28 18:48:29 76.103.89.146!62583 tls reports recv ClientHello
    version: 0301
    random: 0000000000000000000000000000000084e03cff91e9bedc11 b09821c53f7526
    sid: []
    ciphers: [2f 5 4 35 a ff83 9 ff82 3 8 6 ff80 32 33 34 38 39 3a 16 15
    14 13 12 11 18 1b 1a 17 19 1 ]
    compressors: [00 ]

    roo May 28 18:48:29 76.103.89.146!62583 tls reports ClientHello version 301

    roo May 28 18:48:29 76.103.89.146!62583 tls reports cipher 5,
    compressor 0, csidlen 0

    roo May 28 18:48:29 76.103.89.146!62583 tls reports tlsError:
    factotum_rsa_open: no key matches proto=rsa service=tls role=client

    roo May 28 18:48:29 76.103.89.146!62583 tls reports failed: no key
    matches proto=rsa service=tls role=client

    the proto in factotum is sshrsa, is there any way that can match rsa?

    Even if I change that, the error changes not. Even if I add
    service=tls role=client, the error changes not.

    So, I am working with multiple levels of my own lack of understanding.
    Any clues here?

    I'm even more confused since I can't figure out how macos mail is
    going to deal with this, I never having seen any step where I give it
    a key or certificate or some such. But, then, I have a way of screwing
    this stuff up.

    thanks

    ron

  2. Re: [9fans] now the real reason ... tls mail

    > I have used the openssl command to create cert.pem and imap.pem.

    I think you're making things difficult for yourself by not doing
    everything under Plan 9. I just tried following the hints
    in tlssrv(8), pop3(8) and rsa(8) -- here's the transcript:

    On the server (vt310):

    term% auth/rsagen -t 'service=tls' >key
    term% auth/rsa2x509 'C=UK CN=*.hamnavoe.com' key | auth/pemencode CERTIFICATE >cert
    term% cat key >/mnt/factotum/ctl
    term% cp cert /sys/lib/tls/imap.pem
    term% cat >/bin/service.auth/tcp993 <<'EOF'
    #!/bin/rc
    exec tlssrv -c/sys/lib/tls/imap.pem -limap4d -r`{cat $3/remote} \
    /bin/ip/imap4d -p -dhamnavoe.com -r`{cat $3/remote} \
    >[2]/sys/log/imap4d

    EOF
    term% chmod +x /bin/service.auth/tcp993
    term% passwd
    Plan 9 Password: ********
    change Plan 9 Password? (y/n) n
    change Inferno/POP password? (y/n) y
    make it the same as your plan 9 password? (y/n) y
    term%

    Note that if vt310 was not already running as an auth server, I would
    also have had to start auth/keyfs and 'aux/listen -t /bin/service.auth tcp'
    (before changing my POP password).

    On the client:

    term% upas/fs -f/imaps/vt310/miller
    upas/fs: server certificate 2DE3574F53CB87FFDBF1068CFA27B8D48586B37B not recognized
    term% cat <<EOF >>/sys/lib/tls/mail
    x509 sha1=2DE3574F53CB87FFDBF1068CFA27B8D48586B37B vt310
    EOF
    term% upas/fs -f/imaps/vt310/miller
    !Adding key: proto=pass server=vt310 service=imap user=miller
    password: ********
    !
    term% mail
    10 messages
    : term%

    So it seems to have found the mailbox. Then I tried setting up
    an IMAP account on my iMac mail.app to fetch from vt310, ticking
    the 'Use SSL' box in the Accounts>Advanced dialogue. That works too,
    except for giving a warning message "... The root certificate for
    this server could not be verified ... Would you like to continue
    anyway?" I don't know if there's a way to silence this message
    other than getting your certificate signed by a reputable CA.

    -- Richard
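
The thumbprint step in the client transcript above, as an added example (not part of the original post): it computes a certificate's thumbprint from the PEM file itself and checks it against entries in the `x509 sha1=... name` format shown for /sys/lib/tls/mail, so the value can be compared with what upas/fs reports before it is pinned. It assumes the thumbprint is the SHA-1 of the DER-encoded certificate; the function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_thumbprint(pem_text):
    """SHA-1 (assumed thumbprint) over the DER bytes of the first certificate."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()

def parse_thumbprints(text):
    """Map thumbprint -> label from 'x509 sha1=HEX label' lines."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "x509":
            continue  # blank lines, comments, anything that is not an entry
        attrs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        label = " ".join(f for f in fields[1:] if "=" not in f)
        if "sha1" in attrs:
            pins[attrs["sha1"].upper()] = label
    return pins

def is_pinned(pem_text, thumbprint_text):
    """True only if this exact certificate has an entry in the file text."""
    return cert_thumbprint(pem_text) in parse_thumbprints(thumbprint_text)

# Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(bytes(range(64))).decode()
              + "-----END CERTIFICATE-----\n")

# The entry quoted in the thread; it belongs to a different certificate.
THREAD_ENTRY = "x509 sha1=2DE3574F53CB87FFDBF1068CFA27B8D48586B37B vt310\n"

if __name__ == "__main__":
    print(cert_thumbprint(SAMPLE_PEM))
    print(is_pinned(SAMPLE_PEM, THREAD_ENTRY))
    own = "x509 sha1=%s sample\n" % cert_thumbprint(SAMPLE_PEM)
    print(is_pinned(SAMPLE_PEM, THREAD_ENTRY + own))
```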


  3. Re: [9fans] now the real reason ... tls mail

    * Richard Miller <9fans@hamnavoe.com> [070529 11:20]:
    > So it seems to have found the mailbox. Then I tried setting up
    > an IMAP account on my iMac mail.app to fetch from vt310, ticking
    > the 'Use SSL' box in the Accounts>Advanced dialogue. That works too,
    > except for giving a warning message "... The root certificate for
    > this server could not be verified ... Would you like to continue
    > anyway?" I don't know if there's a way to silence this message
    > other than getting your certificate signed by a reputable CA.


    Apple's mail has a way to import certificates as trusted. The help
    system will tell you what to do.

    Cheers,

    Christian

    --
    You may use my gpg key for replies:
    pub 1024D/47F79788 2005/02/02 Christian Kellermann (C-Keen)



  4. Re: [9fans] now the real reason ... tls mail

    > Apple's mail has a way to import certificates as trusted. The help
    > system will tell you what to do.


    You're right, thanks -- try keyword "certificate" in mail.app help.
    The only tricky part (for me) is to make sure the incoming server
    name in Mail>Account matches the CN= pattern you used to generate
    the certificate.
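
The name check described in the last reply, as an added example (not part of the original thread): it pulls the CN out of the subject string passed to auth/rsa2x509 and tests candidate incoming-server names against it. The matching rule used here (a `*` stands for exactly one left-most label, comparison is case-insensitive) is the common convention and an assumption about what the mail client does; the function names are hypothetical.

```python
def subject_cn(subject):
    """Pull CN out of a subject string such as 'C=UK CN=*.hamnavoe.com'.

    Assumes space-separated attr=value pairs with no spaces inside values.
    """
    for field in subject.split():
        key, sep, value = field.partition("=")
        if sep and key.upper() == "CN":
            return value
    return None

def cn_matches(pattern, server_name):
    """True if server_name is covered by the CN pattern."""
    if not pattern:
        return False
    pat = pattern.lower().rstrip(".").split(".")
    name = server_name.lower().rstrip(".").split(".")
    if "" in name or len(pat) != len(name):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        if len(pat) < 2:
            return False  # a bare '*' is not accepted
        pat, name = pat[1:], name[1:]
    # Any remaining '*' (not the whole left-most label) is rejected.
    return "*" not in "".join(pat) and pat == name

def check_names(subject, names):
    """Report which account server names the certificate subject covers."""
    cn = subject_cn(subject)
    return {n: cn_matches(cn, n) for n in names}

if __name__ == "__main__":
    # Subject string from the thread; the candidate names are constructed.
    result = check_names("C=UK CN=*.hamnavoe.com",
                         ["vt310.hamnavoe.com", "vt310", "hamnavoe.com",
                          "mail.vt310.hamnavoe.com"])
    for name, ok in result.items():
        print("%-28s %s" % (name, "matches" if ok else "does not match"))
```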

