dovecot-2.1: login proxy: Added ssl_client_cert/key settings.
dovecot at dovecot.org
dovecot at dovecot.org
Fri Nov 18 21:31:37 EET 2011
details: http://hg.dovecot.org/dovecot-2.1/rev/700e92b43c74
changeset: 13725:700e92b43c74
user: Timo Sirainen <tss at iki.fi>
date: Fri Nov 18 21:31:15 2011 +0200
description:
login proxy: Added ssl_client_cert/key settings.
The client cert is sent to the proxy destination server when SSL is used.
diffstat:
src/login-common/login-settings.c | 4 +++
src/login-common/login-settings.h | 2 +
src/login-common/ssl-proxy-openssl.c | 38 +++++++++++++++++++++++++++++------
3 files changed, 37 insertions(+), 7 deletions(-)
diffs (111 lines):
diff -r dafa6dc27398 -r 700e92b43c74 src/login-common/login-settings.c
--- a/src/login-common/login-settings.c Fri Nov 18 16:22:44 2011 +0200
+++ b/src/login-common/login-settings.c Fri Nov 18 21:31:15 2011 +0200
@@ -33,6 +33,8 @@
DEF(SET_STR, ssl_cipher_list),
DEF(SET_STR, ssl_protocols),
DEF(SET_STR, ssl_cert_username_field),
+ DEF(SET_STR, ssl_client_cert),
+ DEF(SET_STR, ssl_client_key),
DEF(SET_BOOL, ssl_verify_client_cert),
DEF(SET_BOOL, auth_ssl_require_client_cert),
DEF(SET_BOOL, auth_ssl_username_from_cert),
@@ -63,6 +65,8 @@
.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
.ssl_protocols = "!SSLv2",
.ssl_cert_username_field = "commonName",
+ .ssl_client_cert = "",
+ .ssl_client_key = "",
.ssl_verify_client_cert = FALSE,
.auth_ssl_require_client_cert = FALSE,
.auth_ssl_username_from_cert = FALSE,
diff -r dafa6dc27398 -r 700e92b43c74 src/login-common/login-settings.h
--- a/src/login-common/login-settings.h Fri Nov 18 16:22:44 2011 +0200
+++ b/src/login-common/login-settings.h Fri Nov 18 21:31:15 2011 +0200
@@ -15,6 +15,8 @@
const char *ssl_cipher_list;
const char *ssl_protocols;
const char *ssl_cert_username_field;
+ const char *ssl_client_cert;
+ const char *ssl_client_key;
bool ssl_verify_client_cert;
bool auth_ssl_require_client_cert;
bool auth_ssl_username_from_cert;
diff -r dafa6dc27398 -r 700e92b43c74 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Fri Nov 18 16:22:44 2011 +0200
+++ b/src/login-common/ssl-proxy-openssl.c Fri Nov 18 21:31:15 2011 +0200
@@ -993,20 +993,17 @@
}
}
-static EVP_PKEY *ssl_proxy_load_key(const struct login_settings *set)
+static EVP_PKEY *
+ssl_proxy_load_key(const char *key, const char *password)
{
EVP_PKEY *pkey;
BIO *bio;
- const char *password;
char *dup_password;
- bio = BIO_new_mem_buf(t_strdup_noconst(set->ssl_key),
- strlen(set->ssl_key));
+ bio = BIO_new_mem_buf(t_strdup_noconst(key), strlen(key));
if (bio == NULL)
i_fatal("BIO_new_mem_buf() failed");
- password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
- getenv(MASTER_SSL_KEY_PASSWORD_ENV);
dup_password = t_strdup_noconst(password);
pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback,
dup_password);
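Review bot: The new `password` parameter of ssl_proxy_load_key may now be NULL (the client-cert path added later in this commit passes NULL), but nothing at the function head says so, and the value goes straight through `t_strdup_noconst(password)` into `pem_password_callback` as its userdata. A short contract comment above the signature would make that explicit, e.g. `/* key: PEM private key text; password: passphrase for an encrypted key, or NULL when none is configured (an encrypted key then fails in pem_password_callback). */`. Whether t_strdup_noconst() and pem_password_callback actually tolerate a NULL argument is not visible in this hunk and should be confirmed against their definitions. The function body continues past the end of the hunk.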
@@ -1030,8 +1027,11 @@
static void ssl_proxy_ctx_use_key(SSL_CTX *ctx, const struct login_settings *set)
{
EVP_PKEY *pkey;
+ const char *password;
- pkey = ssl_proxy_load_key(set);
+ password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+ getenv(MASTER_SSL_KEY_PASSWORD_ENV);
+ pkey = ssl_proxy_load_key(set->ssl_key, password);
if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1)
i_fatal("Can't load private ssl_key: %s", ssl_key_load_error());
EVP_PKEY_free(pkey);
@@ -1227,6 +1227,28 @@
pool_unref(&ctx->pool);
}
+static void
+ssl_proxy_client_ctx_set_client_cert(SSL_CTX *ctx,
+ const struct login_settings *set)
+{
+ EVP_PKEY *pkey;
+
+ if (*set->ssl_client_cert == '\0')
+ return;
+
+ if (ssl_proxy_ctx_use_certificate_chain(ctx, set->ssl_client_cert) != 1) {
+ i_fatal("Can't load ssl_client_cert: %s",
+ ssl_proxy_get_use_certificate_error(set->ssl_client_cert));
+ }
+
+ pkey = ssl_proxy_load_key(set->ssl_client_key, NULL);
+ if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
+ i_fatal("Can't load private ssl_client_key: %s",
+ ssl_key_load_error());
+ }
+ EVP_PKEY_free(pkey);
+}
+
static void ssl_proxy_init_client(const struct login_settings *set)
{
STACK_OF(X509_NAME) *xnames;
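Review bot: ssl_proxy_client_ctx_set_client_cert only checks `ssl_client_cert` for emptiness; when an admin sets the cert but leaves `ssl_client_key` at its default `""`, the call `ssl_proxy_load_key(set->ssl_client_key, NULL)` hands a zero-length buffer to BIO_new_mem_buf() and the misconfiguration surfaces as a generic "Can't load private ssl_client_key" failure. A direct check before the load gives a precise error: `if (*set->ssl_client_key == '\0') i_fatal("ssl_client_cert is set, but ssl_client_key is empty");`. The key is loaded with a NULL password, so an encrypted client key cannot work here; a one-line comment above that call, `/* no passphrase is configurable for the client key; it must be unencrypted */`, would save the next reader from wondering. Also worth noting in a comment on the function that, unlike the server-side ssl_key, the client key is not split out by the same ssl_proxy_ctx_use_key helper because the password source differs.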
@@ -1235,6 +1257,8 @@
i_fatal("SSL_CTX_new() failed");
xnames = ssl_proxy_ctx_init(ssl_client_ctx, set);
ssl_proxy_ctx_verify_client(ssl_client_ctx, xnames);
+
+ ssl_proxy_client_ctx_set_client_cert(ssl_client_ctx, set);
}
void ssl_proxy_init(void)