Bug 131083

Summary: Add client certificate authentication to KMail
Product: [Applications] kmail2
Reporter: pc451
Component: crypto
Assignee: kdepim bugs <kdepim-bugs>
Status: CONFIRMED ---
Severity: wishlist
CC: annma, bernd.paysan, dan, Denny.Seniazi, feth, linus, luigi.toscano, martin+kde, maxi, montel, olekgutjwr, regi.hops, writeonce
Priority: NOR
Version: 4.9.0
Target Milestone: ---
Platform: OpenSUSE
OS: Linux
Latest Commit:
Version Fixed In:

Description pc451 2006-07-19 20:33:22 UTC
Version:            (using KDE KDE 3.5.3)
Installed from:    Ubuntu Packages
OS:                Linux

Some mail servers require client certificate authentication before allowing a user to send or receive email. KMail currently has no support for this. Ideal behavior: see Thunderbird for ease of use: the user needs to only import a certificate, and Thunderbird handles the rest.
Comment 1 Bernd Paysan 2009-02-08 23:14:31 UTC
KDE 3.5's Kmail supports this. All you need to do is set Konqueror's authentication settings to ask when a client certificate is requested, then Kmail will ask this question too, and remember.

Unfortunately, this feature is still lacking from KDE4, so this is my feature wishlist: Add this to KDE4.2
Comment 2 Laurent Montel 2011-09-15 10:44:45 UTC
Still valid?
Comment 3 Bernd Paysan 2011-09-15 11:18:00 UTC
Of course this is still valid, the SSL client certificate support for KDE 4 is still completely non-existent.
Comment 4 Laurent Montel 2011-09-15 12:23:14 UTC
What do you want? Which type of widget etc.?
How to test it ?
Comment 5 Bernd Paysan 2011-09-15 13:28:21 UTC
Ok, the "type of widget" is fairly easy: The SSL certificate management in KDE 4 now has only one tab, for CAs (certificate authorities). It needs another tab for the user's client certificates (e.g. title "your certificates"). The other functionality, viewing, activating/deactivating, deleting, importing is the same as for CAs. A user may have several different client certificates (e.g. one signed by his company for SSL access to the company intranet, and another one from CACert for accessing www.cacert.org).

Client certificates differ from CA certificates significantly, as they contain a private key and are protected by a passphrase.

There probably needs to be a third tab, which contains the list of client certificates remembered for each server, to manage that.

The next thing to do is to add client certificates in the KDE SSL layer - the server will send a client request, and the SSL layer should present the user the list of active client certificates to select one - with a "remember for this server" option, and an input field for the certificate's pass phrase (store that in kwallet when the user wants to).

How to test? For kmail, set up a dovecot IMAP server, and set

ssl_ca_file = /etc/dovecot/<your-ca>.pem
ssl_verify_client_cert = yes

in dovecot.conf. <your-ca> in this case can be a self-signed certificate, which you also use to generate your client certificate.

For konqueror, enable client certificate validation in a test web server. For lighty, use

ssl.verifyclient.activate = "enable"

in the SSL configuration setup, for Apache

SSLVerifyClient require
SSLVerifyDepth  2

There are a number of client certificate SSL howtos on the net, just google for them, and try those things with Firefox, Chrome, and Konqueror.
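The test setup described in this comment, as an added example that is not part of the bug report or of any KDE code: a POSIX shell script that uses openssl to build a self-signed CA, a client certificate signed by it and marked with the clientAuth extended key usage, and a passphrase-protected PKCS#12 bundle of the kind a mail client imports, then checks that the chain verifies and the bundle opens. Subject names, the output directory and the passphrase are constructed placeholders. The resulting ca.pem is what the server-side settings above point at; on Dovecot 2.x the option is spelled `ssl_ca = </etc/dovecot/ca.pem` and `auth_ssl_require_client_cert = yes` is what enforces the certificate at login.

```shell
#!/bin/sh
# Constructed test PKI for exercising client-certificate authentication
# against a mail or web server. All names, paths and the passphrase are
# placeholders; keep the resulting files out of any production trust store.
set -eu

PKI_DIR="${1:-${TMPDIR:-/tmp}/clientcert-testpki}"
P12_PASS="changeit"   # placeholder passphrase protecting the private key

make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Self-signed CA: the <your-ca>.pem the server is told to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test Mail CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Client private key plus certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice@example.test" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. Extensions: usable only for TLS client auth, never as a CA.
    printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' \
        > "$dir/client.ext"
    # 4. Issue the client certificate from the test CA.
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.pem" 2>/dev/null
    # 5. Bundle key + cert + CA into the PKCS#12 file a client imports.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -passout "pass:$P12_PASS" \
        -out "$dir/client.p12"
}

# Returns 0 only if the client cert chains to the CA, carries the
# clientAuth EKU, and the PKCS#12 bundle opens with the passphrase.
check_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null || return 1
    openssl x509 -in "$dir/client.pem" -noout -text \
        | grep -q "TLS Web Client Authentication" || return 1
    openssl pkcs12 -in "$dir/client.p12" -passin "pass:$P12_PASS" -noout \
        2>/dev/null || return 1
    return 0
}

make_test_pki "$PKI_DIR"
if check_client_cert "$PKI_DIR"; then
    echo "client certificate chain OK: $PKI_DIR/client.p12"
fi
```

Point the server at ca.pem (Dovecot, lighttpd or Apache as listed above), import client.p12 into the client under test, and a login attempt without the bundle should be refused while one with it succeeds; that pair of outcomes is the actual test of client-side support.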
Comment 6 Olek Gut 2011-11-23 05:39:12 UTC
[solved]
Comment 7 Anne-Marie Mahfouf 2011-11-23 08:21:47 UTC
Not sure if this is solved. Bernd can you try kmail2 and report back please? If the wish is still valid, the product needs to be changed to kmail2.
Comment 8 Bernd Paysan 2011-11-23 14:35:48 UTC
Doesn't work at all. Dawit Alemayehu <adawit kde org> wrote:

"The reason why this does not work is because the code that sets the personal
certificates is disabled in the lower levels of KIO. See
https://bugs.kde.org/show_bug.cgi?id=167668."

This is a bit of a chicken-and-egg problem here: Nobody uses client authentication, because no server provides it, you need a certificate, nobody knows how to do that securely (including the CAs ;-), *and* the client software doesn't support it either.

Dan Bernstein is right: Security should not be a choice for the user.  It should be always on, no opt-out possible.  But this here is SSL, not CurveCP ;-).
Comment 9 regi.hops 2011-11-25 22:12:20 UTC
Yes - please
I also really would like to have the possibility to use client certificates for authentication.

I'm just setting up dovecot/postfix with certs and own CA, so if I can assist with client-certificates, test-accounts for my server - let me know.

Cheers
Regi
Comment 10 regi.hops 2012-03-24 10:11:52 UTC
*** This bug has been confirmed by popular vote. ***
Comment 11 Myriam Schweingruber 2012-08-18 08:05:02 UTC
Thank you for your feature request. Kmail1 is currently unmaintained so we are closing all wishes. Please feel free to reopen a feature request for Kmail2 if it has not already been implemented.
Thank you for your understanding.
Comment 12 regi.hops 2012-08-18 17:32:07 UTC
Cloned to #305396
I hope this one will not last six years ;-)
Please put your votes on the new one - Thanks
Comment 13 Luigi Toscano 2012-08-18 22:36:38 UTC
(In reply to comment #12)
> Cloned to #305396
> I hope this one will not last six years ;-)
> Please put your votes on the new one - Thanks

No need to clone: reassigning this one to kmail2, closing the new one.
Comment 14 Luigi Toscano 2012-08-18 22:37:25 UTC
*** Bug 305396 has been marked as a duplicate of this bug. ***
Comment 15 Bernd Paysan 2012-08-18 22:43:54 UTC
In general, KDE 4.x has no proper client certificate handling. KDE 3 had, and the issue is a general kio issue - you may need client certificate handling in a number of SSL-based communications, *and* to sign/encrypt S/MIME mails.  The latter works through Kleopatra, the former doesn't.

There are some other bug reports concerning this issue, would be nice if someone takes the time to implement it.
Comment 16 Linus Lotz 2012-08-19 08:14:45 UTC
*** This bug has been confirmed by popular vote. ***
Comment 17 regi.hops 2013-04-27 17:10:07 UTC
Any news/plans on that issue?
Would be cool if it gets some attention.
Comment 18 Dan O. 2016-07-27 16:57:24 UTC
So still nothing on this? I'd love to use KMail but security is important to me and client certificates are how I've set my business infrastructure up. I can't disable them just for the email server, it doesn't make sense.
Comment 19 writeonce 2020-08-31 00:39:32 UTC
I've got both postfix (submission port) and dovecot (imap) configured such that the client must *always* present a valid certificate. This is tested and works very well against both Thunderbird and FairEmail.

If you're interested in implementing client certificate authentication in Kmail and need a certificate (along with an imap & smtp account) for testing please let me know.