Cyrus IMAPd always asks for a client certificate. This can be unnerving for users who run Thunderbird as their mail client and have a user certificate installed, because they are asked every time whether they want to send it. (There is no way to tell Thunderbird not to send a client certificate; you can only select which one.)
There is currently no way to disable this behavior in Cyrus IMAP without manually changing the code and compiling it. This is only for the adventurous among us.
But it is also only for the brave and those with too much time on their hands: having your own locally compiled installation forces you to keep track of any bug fixes or security updates that might appear in the future yourself.
To use this, download TLS Interposer, compile it (`make`), and place the following lines somewhere where they affect the start of the Cyrus master process (`cyrmaster`). I like putting it in

```
export LD_PRELOAD=/usr/local/lib/libtlsinterposer.so
export TLS_INTERPOSER_OPTIONS=-ccert
```
The first line makes sure that in all the Cyrus processes, TLS Interposer will be loaded. The second line tells TLS Interposer to disable client certificate requests.
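To confirm that both settings took effect, the following added example (not part of the original post or of TLS Interposer) checks that the library is mapped into the running `cyrmaster` process and that the server no longer sends a TLS CertificateRequest. The host argument, the default port 993 and the sample handshake lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the LD_PRELOAD / TLS_INTERPOSER_OPTIONS settings.
# Usage (assumed host name): sh check.sh imap.example.org [port]
# Reading /proc/<pid>/maps needs root or the Cyrus user.

# Constructed sample of `openssl s_client -msg` output, for offline testing.
SAMPLE_MSG='>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0059], ServerHello
<<< TLS 1.2, Handshake [length 0004], CertificateRequest'

# Succeeds if the /proc/<pid>/maps text on stdin shows the interposer mapped.
preload_mapped() {
    grep -q '/libtlsinterposer\.so'
}

# Succeeds if the s_client -msg text on stdin contains a CertificateRequest
# handshake message received from the server ("<<<" marks received records).
requests_client_cert() {
    grep -q '^<<<.*CertificateRequest'
}

check_server() {
    host=$1
    port=${2:-993}   # IMAPS; assumption, adjust to your listener
    for pid in $(pgrep -x cyrmaster); do
        if preload_mapped < "/proc/$pid/maps"; then
            echo "pid $pid: libtlsinterposer.so is loaded"
        else
            echo "pid $pid: libtlsinterposer.so is NOT loaded"
        fi
    done
    out=$(openssl s_client -msg -connect "$host:$port" </dev/null 2>&1)
    # Without a ServerHello there was no handshake, so absence of a
    # CertificateRequest would prove nothing.
    if ! printf '%s\n' "$out" | grep -q '^<<<.*ServerHello'; then
        echo "$host:$port: no TLS handshake seen, result inconclusive"
        return 2
    fi
    if printf '%s\n' "$out" | requests_client_cert; then
        echo "$host:$port: server still sends CertificateRequest"
        return 1
    fi
    echo "$host:$port: server no longer requests a client certificate"
}

if [ "$#" -ge 1 ]; then check_server "$@"; fi
```

Restart Cyrus after changing the environment, since `LD_PRELOAD` is only read when a process starts.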
More information on TLS Interposer is available here.