<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
<font color="#000000">I've attached a new version of my patch against
ssl_proxy-openssl.c which:<br>
- disconnects when no clientcertificate<span id="mail-highlight-id"
style="background-color: yellow;"></span> is presented
<br>
- checks the clientcertificate against the crl for our root cert. (so
you can't use a revoked client cert.)
<br>
- returns the CommonName from the client cert. in
ssl_proxy_get_peer_name (this way it's easier to use dovecot as
imap-proxy with a passwd-like userdb + ssl_require_client_cert +
ssl_username_from_cert, it "binds" the emailuser to the
clientcertificate<span id="mail-highlight-id"
style="background-color: yellow;"></span>, so a user / clientcert. can
access only the account from the userdb)
<br>
<br>
</font><font color="#000000">In order to use it, the CAfile must be a
file which contains the CAcertificate (pem format) followed by the CRL
(also in pem format). (servercert and the clientcerts are signed with a
self-signed rootcert)
<br>
</font>
<font color="#000000"><br>
changes in this version:<br>
- found the proper way to extract the CommonName from a certificate!<br>
- code cleanup<br>
<br>
</font>there are some issues with the patch:
<br>
- it needs openssl > 0.9.7. the way I do CRL loading/checking is new
in 0.9.7. There are some examples on the openssl-devel list, but not
much documentation. <br>
- ssl_verify_client_cert now returns 0 in case of an invalid cert. was
there a reason why it always returned 1?<br>
- ssl_proxy_get_peer_name is changed, code depending on this function
returning "X509_NAME_oneline" can break.. (at the moment it is only
used for the ssl_username_from_cert config option, i think)<br>
<br>
I'd like comments / ideas etc. <br>
<pre class="moz-signature" cols="72">
--
groeten,
HenkJan Wolthuis
</pre>
</body>
</html>