~soywod/pimalaya#198: neverest: tls client cert support?

interesting project! i wonder if you have plans to implement TLS/x509 client certs support for neverest?

Status: REPORTED
Submitter: ~anarcat
Assigned to: No-one
Submitted: 3 months ago
Updated: 3 months ago
Labels: No labels applied.

~soywod 3 months ago

> I wonder if you have plans to implement TLS/x509 client certs support for neverest?

To be honest I do not know enough about certs to answer your question. All I know is that Neverest uses rustls, which seems to already use x509 according to this search:

https://github.com/search?q=repo%3Arustls%2Frustls%20x509&type=code

Which email clients did/do you use with x509 support?

~anarcat 3 months ago

it's pretty common. offlineimap, mbsync, thunderbird, and k9 mail support TLS client certificates, i believe.

re rustls, i believe you're right and it does support client certs. that search, however, just finds generic x509 routines which could as well be for client side authentication of servers, which is not exactly the same thing (kind of the opposite, really).

but a quick look at the docs seems to confirm my suspicion that it should be fine, e.g.

https://github.com/rustls/rustls/blob/f57d4b79549ac97a77b52d7dd5189477c72eb20f/examples/src/bin/tlsclient-mio.rs#L6

~soywod 3 months ago

> but a quick look at the docs seems to confirm my suspicion that it should be fine, e.g.

Could you try to connect to your server? And then run neverest doctor to check that all is fine?

Antoine Beaupré 3 months ago

On 2024-04-19 20:15:00, ~soywod wrote:

>> but a quick look at the docs seems to confirm my suspicion that it should be fine, e.g.

> Could you try to connect to your server? And then run neverest doctor to check that all is fine?

Oh well, that certainly won't work: I would need some client-side configuration to tell neverest where to find my client certificate!

-- Thoughtcrime does not entail death: thoughtcrime IS death. - Winston Smith, 1984

~soywod 3 months ago

>> Could you try to connect to your server? And then run neverest doctor to check that all is fine?

> Oh well, that certainly won't work: I would need some client-side configuration to tell neverest where to find my client certificate!

If I am not mistaken, we also use rustls-native-certs:

$ cargo tree -p imap
imap v3.0.0-alpha.13
└── rustls-connector v0.19.2
    ├── rustls v0.22.3
    │   ├── …
    ├── rustls-native-certs v0.7.0
    │   ├── …
    ├── …
    └── …

And from their doc:

> rustls-native-certs allows rustls to use the platform's native certificate store when operating as a TLS client.

> On all platforms, the SSL_CERT_FILE environment variable is checked first.

https://github.com/rustls/rustls-native-certs

Could you try Neverest or Himalaya with SSL_CERT_FILE? If it works then we should definitely put this in the FAQs.

-- Regards Clément DOUIN https://soywod.me

Antoine Beaupré 3 months ago

On 2024-04-20 06:21:35, ~soywod wrote:

>> rustls-native-certs allows rustls to use the platform's native certificate store when operating as a TLS client.

>> On all platforms, the SSL_CERT_FILE environment variable is checked first.

> https://github.com/rustls/rustls-native-certs

> Could you try Neverest or Himalaya with SSL_CERT_FILE? If it works then we should definitely put this in the FAQs.

Oh neat!

Er. Well I guess this is the part where I must shamefully admit I haven't actually used neverest at all, just lurking around and curious. :)

But that certainly removes a blocker for me, hopefully!

#a.

Either God would like to eliminate evil, but he cannot. Or God could eliminate evil, but he does not want to. - Sébastien Faure

~soywod 3 months ago

> I guess this is the part where I must shamefully admit I haven't actually used neverest at all, just lurking around and curious.

I may ask for a little favour then: whenever you have time, could you please try to install Himalaya, set up an IMAP account and just check if you can list your envelopes using the SSL_CERT_FILE environment variable?

https://pimalaya.org/himalaya/cli/latest/

I guess you are not the first (nor the last) to use a custom cert, and I would love to see if the above solution works, in order to add it to the FAQ section.

-- Regards Clément DOUIN https://soywod.me
