[horde] Activesync auth problems with GIT since X.509 certificate commit ?

Tomi Orava Tomi.Orava at ncircle.nullnet.fi
Mon Sep 9 18:18:17 UTC 2013


On 09/09/2013 08:56 PM, Michael J Rubinsky wrote:
> Moving back to the list after receiving config.
> 
> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
> 
>> On 09/09/2013 08:00 PM, Michael J Rubinsky wrote:
>>>
>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>
>>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>>
>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'd rather not post my conf.php for public view, so I'll send
>>>>>> to you personally.
>>>>>>
>>>>>>>>
>>>>>>>> Has anyone else seen authentication problems with mobile
>>>>>>>> devices (android & wp8) after the commit:
>>>>>>>>
>>>>>>>> commit fe9ec485c31bef4566f6451c9aafd8c780c41cd9 Author:
>>>>>>>> Michael J Rubinsky <mrubinsk at horde.org> Date:   Sat Aug 31
>>>>>>>> 15:07:17 2013 -0400
>>>>>>>>
>>>>>>>> Fully support X509 certificates for ActiveSync.
>>>>>>>>
>>>>>>>> Allow separate configuration for ActiveSync Authentication
>>>>>>>> methods. Emulates Exchange server's ability to accept
>>>>>>>> either: HTTP Basic only, client certificate only, or to
>>>>>>>> require both HTTP Basic AND client certificates. If
>>>>>>>> configured to require both, horde-wide Auth driver is used
>>>>>>>> to authenticate using the HTTP Basic credentials, and the
>>>>>>>> X509 driver is used to authenticate with the client
>>>>>>>> certificate. Obviously requires webserver config/support
>>>>>>>> for the certificates.
>>>>>>>>
>>>>>>>>
>>>>>>>> The Web interface works just fine with the imap login auth,
>>>>>>>> but it seems that I'm missing something from the
>>>>>>>> configuration as none of the mobile devices are able to
>>>>>>>> login anymore (I'm using private certificate with my own ca
>>>>>>>> certificate).
>>>>>>>>
>>>>>>>> Everything is back to normal if I revert back to the
>>>>>>>> previous commit.
>>>>>>>>
>>>>>>>> Regards, Tomi Orava
>>>>>>>
>>>>>>> So, you are trying to use X509 certificates with your device?
>>>>>>> Can you post your configuration?
>>>>>>
>>>>>> Well, this is just a normal ssl setup, although I'd like to use
>>>>>> also the client certificates if the Samsung Galaxy S3 wouldn't
>>>>>> disable those from the account.
>>>>>>
>>>>>> I did not see any new configuration blocks for the auth setup
>>>>>> or something.
>>>>>>
>>>>>> Regards, Tomi Orava
>>>>>
>>>>>
>>>>> Are you running the most up to date git code?
>>>>
>>>> Yes, just updated before trying again after yesterday:
>>>>
>>>> I'm on commit: 0fa5b22537e55728862b83d1f3d4f70cc0c7731d
>>>
>>> Not sure. There was a problem in
>>> Horde_Core_ActiveSync_Driver::authenticate() for a short time after
>>> the initial commit was made, but that was fixed. Anything in the
>>> logs? This works fine for me here. Just to be clear, we are talking
>>> about normal authentication from the activesync client and the
>>> webserver itself does not require certificates to be authenticated,
>>> right?
>>
>> The only logs are:
>>
>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file (conf.php; app: horde) [pid 18319 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>> 2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from ActiveSync client for user kaisa. [pid 18319 on line 567 of "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage: 22282240 bytes [pid 18319 on line 566 of "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
>> 2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file (conf.php; app: horde) [pid 19382 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>
>>
>> Ok, now that you mention it ...
>> Yes, you can't access my horde installation without
>> username & password (basic authentication), except these files:
>>
>>         <Files rpc.php>
>>             Order Allow,Deny
>>             Allow from all
>>             Satisfy Any
>>         </Files>
>>
>>         <Files fb.php>
>>             Order Allow,Deny
>>             Allow from all
>>             Satisfy Any
>>         </Files>
>>
>> This has never caused any problems in here, though.
> 
> This shouldn't matter, as far as activesync goes. rpc.php is the only page it interfaces with.
> 
> 
>> I'm using the EAS 14.1 and using Nexus 7, Galaxy S3 and Lumia 820
>> all with the latest firmwares.
>>
>> If I take the X509 commit into use, none of those is able to login
>> via activesync, normal web pages work just fine though (as they should).
>>
>> The horde authentication system is using imap server for password checking
>> (cyrus imapd), in case this matters.
> 
> Do you see the authentication attempt in the imap server log?

No, normal https logins work fine, but according to the imap debug log,
none of the activesync connections ever reach the imap login phase at all.

Tomi O.
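
Added example, not part of the original message or of Horde's code: a small Python parser for the Horde log layout quoted above that groups lines by pid and returns the requests that logged an ActiveSync login failure, together with everything else that request logged. The sample lines are the four quoted in the thread; treating the pid as a per-request key is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of the Horde log lines quoted in the message above:
#   <ISO time> <LEVEL>: HORDE [<app>] <message> [pid N on line N of "<file>"]
# The "[<app>]" tag is optional: the last quoted line has none.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>[A-Z]+): HORDE (?:\[(?P<app>[^\]]+)\] )?'
    r'(?P<msg>.*) \[pid (?P<pid>\d+) on line (?P<line>\d+) of "(?P<file>[^"]+)"\]$')
FAIL_RE = re.compile(r'^Login failed from ActiveSync client for user (?P<user>.+)\.$')

# The four log lines quoted in the thread, verbatim.
SAMPLE_LOG = [
    '2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file (conf.php; app: horde) [pid 18319 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]',
    '2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from ActiveSync client for user kaisa. [pid 18319 on line 567 of "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]',
    '2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage: 22282240 bytes [pid 18319 on line 566 of "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]',
    '2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file (conf.php; app: horde) [pid 19382 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]',
]

def parse_line(line):
    """Return one log record as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    rec["pid"], rec["line"] = int(rec["pid"]), int(rec["line"])
    return rec

def failed_requests(lines):
    """Map pid -> {"user", "ts", "trail"} for pids that logged an ActiveSync login failure."""
    by_pid = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_pid[rec["pid"]].append(rec)
    out = {}
    for pid, recs in by_pid.items():
        for rec in recs:
            hit = FAIL_RE.match(rec["msg"])
            if hit:  # keep the whole trail so the steps around the failure are visible
                out[pid] = {"user": hit.group("user"), "ts": rec["ts"],
                            "trail": [(r["level"], r["msg"]) for r in recs]}
                break
    return out

if __name__ == "__main__":
    for pid, req in failed_requests(SAMPLE_LOG).items():
        print(pid, req["user"], req["ts"].isoformat(), req["trail"])
```

Web server worker processes are reused across requests, so on a longer log the trail for a pid should also be bounded by timestamp before it is read as a single request.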
