iPad Mail client - IMAP with X.509 client certificates?
Short version: Does anyone know if X.509 client certificates are supposed to work on the iPad for IMAP mail? Am I wasting my time trying to get a feature that doesn't work to work? If the built-in mail app doesn't support IMAP with X.509 client certs (ie: they only work with Microsoft Exchange ActiveSync accounts), are there any 3rd party apps that do?
Only iOS 5.1 or newer is of interest; 5.1 is the version I've been testing with.
I'm the admin of a network that's required by policy to use X.509 client certificates to protect all external communication, including our IMAP mail server (Cyrus IMAPd) and SMTP server (postfix). Neither will accept a connection without the client presenting a valid X.509 client certificate. Disabling the client certificate requirement is not an option for me, and we aren't permitted to tunnel traffic in via VPN for similar reasons.
We now have iPad users who want to connect to our network, and are finding the iPad to be a bit of a problem.
For users on desktop machines we usually install Thunderbird, as it has rock solid IMAP with excellent client certificate support; it "just works" and is the same to support on every platform. This isn't an option for iPad.
Unfortunately the iPad's built-in Mail app doesn't seem to cope with client certificates for IMAP. I can install our org's root cert and the user's client cert using the iPhone Configuration Utility. Both are shown as "verified" in Settings->General->Profiles. The iPad then accepts our server as trusted and omits any warnings about the server's identity not being verified.
Mail still fails to send a client certificate when one is demanded so the server terminates the handshake. It doesn't prompt the user to select one, nor does it automatically send the client certificate it has installed for the user that matches the CA certificate presented by the server.
Examination of the traffic flow between client and server shows that the TLS negotiation fails when the iPad responds with an empty set of client certificates when client certificates are demanded by the server. See below.
When connected to the internal network over encrypted WiFi, where no client cert is required to get mail, the device connects and downloads mail just fine. External access (public WiFi or over 3G) fails, whether I use the IMAPs port 993 with "Use SSL" checked or the IMAP+TLS port 143 with or without "Use SSL" checked. Other than the apparent lack of client certificate negotiation support for IMAP, it's perfect.
References to client certificate support in the documentation for Apple's "Enterprise support" only appear where Microsoft Exchange ActiveSync is discussed, and where Cisco VPN support is discussed.
There are a few questions on Apple's discussion forums, but no recent ones and no useful answers. I'd link to them, but Apple's forums are "down for maintenance" at the moment.
As a workaround I can probably set up a locked down VPN using the iPad's automatic VPN connection support to talk to a client-cert authed IPSec VPN that can only talk to the IMAP and SMTP servers on the appropriate ports plus DNS, nothing else. It'd be a pretty gruesome hack to have to perpetrate though.
BTW, the client<->server conversation is:
- C -> S TLSv1 Client Hello
- S -> C TLSv1 Server Hello
- S -> C TLSv1 Certificate, Certificate Request, Server Hello Done (Sends server cert, signing root cert, DN of accepted client cert signer which happens to be the same as the root that signed the server cert)
- C -> S TLSv1 Certificate (empty set of certificates, zero certs included)
- S -> C TLSv1 Handshake failure
In other words, the server says "this is me, I expect you to provide a certificate signed by authority to prove who you are" and the client replies with "Um, my papers are in this empty envelope here. Look, a cassowary!"
The client has the root cert installed, and has a client cert installed that has the signer DN demanded by the server.
The question appears to be specific to using X.509 for authentication to an IMAP service, which isn't supported by iOS. S/MIME email encryption and signatures can be performed on iOS, but the authentication to mail services will still use username/password over SSL or TLS.
See the comments above where the asker reports that they never got this to work.
So on iOS 5.1, X.509 certificates will not easily be of use to secure email on iOS without some engineering effort and perhaps not at all.