Open Bug 749230 Opened 12 years ago Updated 2 years ago

TLS Certificate authentication violates IMAP specification (RFC 3501)

Categories

(MailNews Core :: Networking: IMAP, defect)

Product:
MailNews Core
Component:
Networking: IMAP
Type:
defect

Tracking

(Not tracked)

People

(Reporter: gmeyer, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.165 Safari/535.19

Steps to reproduce:

I have a courier IMAP server installed on Ubuntu 11.10 that requires TLS and client certificates for the purpose of authentication and identity.  Courier is configured to accept the EXTERNAL authentication method.

I have a client certificate associated to my mail account in Thunderbird 11.0.1.  I attempted to retrieve messages from my account on startup and subsequently by clicking "Get Mail"


Actual results:

Thunderbird successfully connects over SSL (port 993) and the mutual certificate exchange is successful.  Thunderbird then request the SASL EXTERNAL authentication method by sending the following command (traced with wireshark and SSL decoding using Courier's private key):

1 authenticate EXTERNAL Z20yNTUy

Thunderbird is attempting to pass an initial SALS response (using a BASE64 representation of the account username) with the requested SALS authentication method.  Although this is inline with RFC2222, the IMAP specification (RFC3501) specifically states the authentication command does not support sending an initial response.

-----------------  FROM RFC3501 ---------------

The AUTHENTICATE command does not support the optional "initial response" feature of [SASL].  Section 5.1 of [SASL] specifies how to handle an authentication mechanism which uses an initial response.
------------------------------------------------

Courier IMAP is rejecting the EXTERNAL authentication due to non compliance of syntax with the following response:

1 NO Login failed.


Expected results:

Thunderbird should only be sending the following IMAP command:

1 authenticate EXTERNAL

Thunderbird should then be waiting for a continuation command from the IMAP server, and then either send an empty initial response if the certificate should represent the account identity, or send a BASE64 representation of the username for the account identity.
What is the capabilities string of the IMAP server?
RFC 4959 <http://tools.ietf.org/html/rfc4959> allows for an initial response if SASL-IR is present.
CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=EXTERNAL AUTH=PLAIN ACL ACL2=UNION
Indeed, it looks like we should be checking for SASL-IR first.
Status: UNCONFIRMED → NEW
Component: General → Networking: IMAP
Ever confirmed: true
OS: Mac OS X → All
Product: Thunderbird → MailNews Core
QA Contact: general → networking.imap
Hardware: x86 → All
Version: 11 → Trunk
Just as a point of clarification, is it against common practice to use only the certificate to identify the subject and not provide the username?  I could two potential uses cases and options:

1. The client certificate contains also contains the subject, so the initial challenge could be an empty string (let the server figure out how it to extract the subject from the certificate).

2. The client certificate is only used to authenticate, but the username would be used as the identity (current functionality).

Would it be a reasonable request to allow the account configuration to choose if the certificate should be used as the identity instead of supplying a username?  Stop me if I'm off my rocker.
FWIW, the code is in
http://mxr.mozilla.org/comm-central/source/mailnews/imap/src/nsImapProtocol.cpp#5616

As for adding the capability, that needs the "bitflags" patch in bug 558659.
Same is true for other auth schemes (in the same function)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.