[Dovecot] SSL Client Certificate Support

Timo Sirainen tss at iki.fi
Sun Oct 5 22:01:05 EEST 2003


On Sun, 2003-10-05 at 12:52, Bert Koelewijn wrote:
> Timo Sirainen wrote:
> > I've thought about it before myself a few times. I'm not against such a
> > patch, but I don't think I'll implement it myself anytime soon.
> Is there anything I can do to give this patch a higher priority?

Well..

Personally I'd really like to get the current CVS code fully working as
intended. Then there are some long-standing bugs/features (e.g. recent
counters). Then some NFS safety problems. All those should have been
fixed long ago.

But it's also possible to buy features, support and whatever from
Procontrol. I just don't really like that idea (well, support anyway)
before 1.0 is released. Currently it's 85EUR/h if you really want it
done :)

> > Doing this also worries me a bit. Wasn't the recent security hole in
> > OpenSSL just in the client certificate parsing? SSL cert authentication
> > would have to rely on OpenSSL (or GNUTLS).
> 
> OpenSSL has been audited many times, by many experts. If you trust
> dovecot, I think you can trust OpenSSL too.

Sendmail has also been audited many times by many experts and holes
still keep showing up.

OpenSSL sources aren't nearly as bad as sendmail, but they are pretty
dirty. Auditing dirty code is very time consuming and it's too easy to
overlook problems. I've thought about auditing OpenSSL a few times, but
I always got tired after reading just a few files since they were full
of code that looked suspicious.

Also currently there's only dovecot-auth and master processes in Dovecot
which have to be free of security holes to avoid pre-login security
holes. That's not a lot of code. Using OpenSSL for authentication brings
in tons more code that has to be relied on.



