[Bug 131083] Add client certificate authentication to KMail

Bernd Paysan bernd.paysan at gmx.de
Thu Sep 15 14:28:22 BST 2011


https://bugs.kde.org/show_bug.cgi?id=131083





--- Comment #5 from Bernd Paysan <bernd paysan gmx de>  2011-09-15 13:28:21 ---
Ok, the "type of widget" is fairly easy: The SSL certificate management in KDE
4 now has only one tab, for CAs (certificate authorities). It needs another tab
for the user's client certificates (e.g. title "your certificates"). The other
functionality, viewing, activating/deactivating, deleting, importing is the
same as for CAs. A user may have several different client certificates (e.g.
one signed by his company for SSL access to the company intranet, and another
one from CACert for accessing www.cacert.org).

Client certificates differ from CA certificates significantly, as they contain
a private key and are protected by a passphrase.

There probably needs to be a third tab, which contains the list of client
certificates remembered for each server, to manage that.

The next thing to do is to add client certificate in the KDE SSL layer - the
server will send a client request, and the SSL layer should present the user
the list of active client certificates to select one - with a "remember for
this server" option, and an input field for the certificate's pass phrase
(store that in kwallet when the user wants to).

How to test? For kmail, set up a dovecot IMAP server, and set

ssl_ca_file = /etc/dovecot/<your-ca>.pem
ssl_verify_client_cert = yes

in dovecot.conf. <your-ca> in this case can be a self-signed certificate, which
you also use to generate your client certificate.

For konqueror, enable client certificate validation in a test web server. For
lighty, use

ssl.verifyclient.activate = "enable"

in the SSL configuration setup, for Apache

SSLVerifyClient require
SSLVerifyDepth  2

There are a number of client certificate SSL howtos on the net, just google for
them, and try those things with Firefox, Chrome, and Konqueror.

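Added example, not part of the original comment or of KDE's code: a shell script that builds the test PKI the comment describes, a self-signed CA that also issues the client certificate, using the openssl command line. File names, subject names and the passphrase are constructed sample values; ca.pem is the file ssl_ca_file would point at, and client.p12 is the passphrase-protected bundle (certificate plus private key) to import on the client side.

```sh
#!/bin/sh
# Constructed test PKI: every name, subject and passphrase is a sample value.

# make_test_pki DIR PASSPHRASE: self-signed CA plus one client certificate.
make_test_pki() {
    dir=$1 pass=$2
    mkdir -p "$dir" || return 1
    # Self-signed CA; the server's CA file setting points at ca.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Client key and signing request, then the certificate issued by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null || return 1
    # Certificate and private key in one passphrase-protected bundle.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -name "testuser" \
        -passout "pass:$pass" -out "$dir/client.p12" || return 1
}

# chains_to_ca CA CERT: chain check applied to a presented client certificate.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_opens P12 PASSPHRASE: succeeds only with the right passphrase.
bundle_opens() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# make_untrusted_cert DIR: a self-signed certificate the test CA never issued,
# used to confirm that the server-side check rejects it.
make_untrusted_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=testuser" \
        -keyout "$1/rogue.key" -out "$1/rogue.pem" 2>/dev/null
}

# Usage: make_test_pki ./testpki 'sample-passphrase'
```

The ca.key and client.key files are written unencrypted for test convenience, so keep the directory private and delete it after testing.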