O
ozzi4648
Guest
Evertime one of our users connects to port 2086 for webmail our servers asks them to supply a personal certificate. This is not correct! Here is the email i got back from Darren
Hello,
I checked with Nick, the head cpanel developer about this as I've seen a couple other tickets in the system about the same thing. The cause of the empty box is the intermeddiate certificate, currently it's a bug in the way stunnel handles certificate authority chains and the only thing you can do is finalise the cert or click &ok& and move on.
Thanks,
Darren
This is not correct! and does not seem to be a stunnel problem at all.
The only reason that box comes up is because Apache is looking for client certs (Apache is asking the client to supply a personal security certificate from their own machine).
And obviously there is no reason for Apache to be asking for this from me or my users, because we never supply a cert to it, we simply click okay with no cert selected, and still we get through to the webmail.
This means that Apache isn't asking for personal certs for any particular reason and this shouldn't be enabled.
And the main problem I'm having as it says in the title of this ticket, &Macs can't get to SSL webmail&, is that when Macs are asked to supply a personal certificate, IE just fails.
My contention is that there is a way to turn off the client cert authorization.
Because it shouldn't be there anyway!
So you need to find out what is placing
SSLVerifyClient
as an authorization directive on this particular folder and get rid of it.
It could be in a .htaccess, a .sslaccess, the httpd.conf directory declaration for that folder, or whatever handles that port number 2096, if I would have to guess.
Hello,
I checked with Nick, the head cpanel developer about this as I've seen a couple other tickets in the system about the same thing. The cause of the empty box is the intermeddiate certificate, currently it's a bug in the way stunnel handles certificate authority chains and the only thing you can do is finalise the cert or click &ok& and move on.
Thanks,
Darren
This is not correct! and does not seem to be a stunnel problem at all.
The only reason that box comes up is because Apache is looking for client certs (Apache is asking the client to supply a personal security certificate from their own machine).
And obviously there is no reason for Apache to be asking for this from me or my users, because we never supply a cert to it, we simply click okay with no cert selected, and still we get through to the webmail.
This means that Apache isn't asking for personal certs for any particular reason and this shouldn't be enabled.
And the main problem I'm having as it says in the title of this ticket, &Macs can't get to SSL webmail&, is that when Macs are asked to supply a personal certificate, IE just fails.
My contention is that there is a way to turn off the client cert authorization.
Because it shouldn't be there anyway!
So you need to find out what is placing
SSLVerifyClient
as an authorization directive on this particular folder and get rid of it.
It could be in a .htaccess, a .sslaccess, the httpd.conf directory declaration for that folder, or whatever handles that port number 2096, if I would have to guess.
