Friday, April 16, 2010

Getting GNOME Evolution to offer a client certificate for IMAP SSL/TLS

GNOME Evolution isn't noted for its client certificate support. Entries in the bug tracker about it have rotted for years, and it has absolutely no acknowledged support whatsoever. Most other mail clients have had client cert support for years if not decades.

Unfortunately, Evolution is quite attractive in other ways - calendar integration, LDAP address books, etc. Unlike Thunderbird (especially when large images are involved) it also has acceptable performance over remote X11 connections.

So - I'd rather like to be able to use Evolution, but it's client support ... isn't.

It turns out, though, that Evolution uses the Network Security Services library from Netscape/Mozilla . It's used, among other things, for IMAP SSL/TLS support. This library does support client certificates; after all, Thunderbird and Firefox support client certificates and they do their crypto through NSS.

Is it not then possible to introduce a client certificate at the libnss level, so Evolution doesn't even know it's doing client certificate negotiation during its hand-off to NSS for SSL/TLS setup?

Why, yes, it is, and it takes one line of code in camel-tcp-stream-ssl.c to do it.

camel-tcp-stream-ssl.c:
- /*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/
+ SSL_GetClientAuthDataHook (ssl_fd, (SSLGetClientAuthData)&NSS_GetClientAuthData, NULL );

Because Evolution its self still has no idea about client certificates, if the server demands one and you don't have one installed you'll still get a useless error message instead of an appropraite prompt to install a client certificate. Just like Thunderbird and most other client-cert supporting apps. However, if you install a client cert by importing it into the Certificates section of the preferences, evolution (or more accurately libnss) will present it and use it when the server asks for it.


Update late 2009: 

Committed in stable (gnome 2.28.1+) http://git.gnome.org/cgit/evolution-data-server/commit/?h=gnome-2-28&id=87238717ceb0a158a00c76fc07c6e27c769c2cf0
Committed in master (gnome 2.29.1+) http://git.gnome.org/cgit/evolution-data-server/commit/?id=429a106d101bf205ba0c8ee8f94a818327c2d736

Update mid 2010:

This code has now hit shipping Evolution versions in up-to-date distros like Ubuntu 10.04 and Fedora 13. I've tested it in Ubuntu 10.04 and verified that client cert support works now. Hooray!

8 comments:

  1. Hi Craig,

    I'm getting desperate here...
    Somehow I still cannot get this to work, although it works fine in Thunderbird. It looks like Evolution is not offering my client certificate to the server to authenticate.
    I have both tried Evolution 2.28.3 (Lucid Lynx) & 2.30.1 (Fedora 13).
    Are you sure this should work in Evolution ?

    Cheers,

    Eric
    eric.donkersloot@gmail.com

    ReplyDelete
  2. Is your cert installed in the NSS that evo is using? Evolution has its own private NSS store, and doesn't use the NSS store used by Thunderbird.

    It seems to keep it in .evolution/{cert8.db,key4.db} on my Ubuntu 10.04 machine. I haven't verified that evo is actually working with client certs lately as I got thoroughly sick of waiting for it and Thunderbird 3 fixed most of the issues I had with tbird, but I'll give it another go in a while and verify.

    ReplyDelete
  3. Works for me with Evolution 2.28.3 on Ubuntu 10.04 . I just imported my client certificate into Evolution's certificate store (in Preferences, the same one you use to import certificates for S/MIME) and, since my trivial patch is included in Evo 2.28.3, it worked.

    Do you have your certs in Evo's cert store? If they're correctly installed the cert and key will be in .evolution/cert8.db and .evolution/key4.db respectively, and they'll be visible in the Certificates panel of the preferences.

    You can also use certutil to check. eg:

    $ certutil -K -d .evolution/
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    Enter Password or Pin for "NSS Certificate DB":
    < 0> rsa e47bffc2XXXXXXXXXXXXXXXXXXX87b24d7c0cd6f4 Imported Certificate

    see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

    ReplyDelete
  4. Looks good to me, maybe the problem lies elsewhere:

    ericd@edge64:~$ certutil -K -d .evolution/
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    Enter Password or Pin for "NSS Certificate DB":
    < 0> rsa 0d8de13be97c6bd813f07983557c0b40d47c6f70 Imported Certificate

    ReplyDelete
  5. The imap server listens to port 993

    The following settings do not work:

    Server: my.company.xx
    Username: myname

    Use Secure Connection: SSL Encryption
    Authentication Type: tried them all

    Error I get: 'input/output error'

    ReplyDelete
  6. Interesting. You're sure it's the right client cert and is accepted by the server?

    Both Evo and Thunderbird use Mozilla NSS, so they're using the same underlying crypto library and it's unlikely to be some weird incompatibility or quirk.

    I wonder if for some reason evolution-data-server is using a different nss store on your machine? What EXACT Evolution version and distro are you testing with?

    If you're still trying, one thing to attempt is to fire up wireshark and get a packet trace of the client/server SSL negotiation. This will help you identify what phase SSL negotiation is failing at.

    ReplyDelete
  7. And tbird is definitely set up for SSL, not IMAP+TLS on port 143?

    Some servers will support client certs for SSL but not TLS or vice versa.

    Knowing what the server is might help, though truly the best thing to do is just fire up wireshark.

    ReplyDelete
  8. Oh, see also: https://bugzilla.gnome.org/show_bug.cgi?id=585301

    ReplyDelete