Version: (using KDE KDE 3.5.3)
Installed from: Ubuntu Packages
Some mail servers require client certificate authentication before allowing a user to send or receive email. KMail currently has no support for this. Ideal behavior: see Thunderbird for ease of use: the user needs to only import a certificate, and Thunderbird handles the rest.
KDE 3.5's Kmail supports this. All you need to do is set Konqueror's authentication settings to ask when a client certificate is requested, then Kmail will ask this question too, and remember.
Unfortunately, this feature is still lacking from KDE4, so this is my feature wishlist: Add this to KDE4.2
Still valid?
Of course this is still valid, the SSL client certificate support for KDE 4 is still completely non-existent.
What do you want? Which type of widget, etc.?
How to test it?
Ok, the "type of widget" is fairly easy: The SSL certificate management in KDE 4 now has only one tab, for CAs (certificate authorities). It needs another tab for the user's client certificates (e.g. title "your certificates"). The other functionality, viewing, activating/deactivating, deleting, importing is the same as for CAs. A user may have several different client certificates (e.g. one signed by his company for SSL access to the company intranet, and another one from CACert for accessing www.cacert.org).
Client certificates differ from CA certificates significantly, as they contain a private key and are protected by a passphrase.
There probably needs to be a third tab, which contains the list of client certificates remembered for each server, to manage that.
The next thing to do is to add client certificate in the KDE SSL layer - the server will send a client request, and the SSL layer should present the user the list of active client certificates to select one - with a "remember for this server" option, and an input field for the certificate's pass phrase (store that in kwallet when the user wants to).
How to test? For kmail, set up a dovecot IMAP server, and set
ssl_ca_file = /etc/dovecot/<your-ca>.pem
ssl_verify_client_cert = yes
in dovecot.conf. <your-ca> in this case can be a self-signed certificate, which you also use to generate your client certificate.
For konqueror, enable client certificate validation in a test web server. For lighty, use
ssl.verifyclient.activate = "enable"
in the SSL configuration setup, for Apache
There are a number of client certificate SSL howtos on the net, just google for them, and try those things with Firefox, Chrome, and Konqueror.
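The test setup described in the comment above (a self-signed CA that also issues the client certificate), as an added example that is not part of the original comment. The file names, subject names and pass phrase are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. File names, subject names and the pass phrase are constructed.

# Build a throwaway CA plus one client certificate signed by it.
make_test_pki() {
    d=$1
    mkdir -p "$d" || return 1
    # Self-signed CA certificate: the file ssl_ca_file points at on the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Client key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    # Client certificate issued by the test CA.
    openssl x509 -req -in "$d/client.csr" -days 30 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/client.pem" 2>/dev/null || return 1
    # Pass-phrase-protected PKCS#12 bundle (key + cert) for import into a client.
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
        -certfile "$d/ca.pem" -passout pass:example-passphrase \
        -out "$d/client.p12" 2>/dev/null || return 1
    # Control case: a self-signed certificate with the same subject but no CA
    # signature, which a verifying server must refuse.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=testuser" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to the CA file $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
```

With `ssl_ca_file` pointing at `ca.pem`, running `openssl s_client -connect <server>:993 -cert client.pem -key client.key` checks the server side independently of any mail client; `client.p12` is the bundle to import into the client under test.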
Not sure if this is solved. Bernd can you try kmail2 and report back please? If the wish is still valid, the product needs to be changed to kmail2.
Doesn't work at all. Dawit Alemayehu <adawit kde org> wrote:
"The reason why this does not work is because the code that sets the personal
certificates is disabled in the lower levels of KIO. See
This is a bit of a chicken-and-egg problem here: Nobody uses client authentication, because no server provides it, you need a certificate, nobody knows how to do that securely (including the CAs ;-), *and* the client software doesn't support it either.
Dan Bernstein is right: Security should not be a choice for the user. It should be always on, no opt-out possible. But this here is SSL, not CurveCP ;-).
Yes - please
I also really would like to have the possibility to use client certificates for authentication.
I'm just setting up dovecot/postfix with certs and own CA, so if I can assist with client-certificates, test-accounts for my server - let me know.
*** This bug has been confirmed by popular vote. ***
Thank you for your feature request. Kmail1 is currently unmaintained so we are closing all wishes. Please feel free to reopen a feature request for Kmail2 if it has not already been implemented.
Thank you for your understanding.
Cloned to #305396
I hope this one will not last six years ;-)
Please put your votes on the new one - Thanks
(In reply to comment #12)
> Cloned to #305396
> I hope this one will not last six years ;-)
> Please put your votes on the new one - Thanks
No need to clone: reassigning this one to kmail2, closing the new one.
*** Bug 305396 has been marked as a duplicate of this bug. ***
In general, KDE 4.x has no proper client certificate handling. KDE 3 had, and the issue is a general kio issue - you may need client certificate handling in a number of SSL-based communications, *and* to sign/encrypt S/MIME mails. The latter works through Kleopatra, the former doesn't.
There are some other bug reports concerning this issue, would be nice if someone takes the time to implement it.
Any news/plans on that issue?
Would be cool if it gets some attention.
So still nothing on this? I'd love to use KMail but security is important to me and client certificates are how I've set my business infrastructure up. I can't disable them just for the email server, it doesn't make sense.
I've got both postfix (submission port) and dovecot (imap) configured such that client must *always* present a valid certificate. This is tested and works very well against both Thunderbird and FairEmail.
If you're interested in implementing client certificate authentication in Kmail and need a certificate (along with an imap & smtp account) for testing please let me know.