[Dovecot] Authentication by certificates (a bug or my misconfiguration)
HenkJan Wolthuis
hj.wolthuis at kaw.nl
Sat Jul 8 14:16:25 EEST 2006
Hello Michal,
> Today I've been trying to get dovecot (1.0 rc2) to use certificates
> for client side authentication. If my memory serves right, beta8
> had no problems with it (although it was some time ago and on different
I'm not using rc2 yet; I'm using dovecot-20060612 with client certs / CRLs.
I'm not sure, but maybe this is the problem:
After beta8, CRL checking was added; ssl_ca_file should be a file with the
CA cert followed by a CRL (certificate revocation list).
If this is the problem, you can:
1) generate a CRL and add it to ca_cert.pem (CRL in PEM format)
or
2) comment out the CRL checking code in ssl_proxy_openssl.c; it's in the
ssl-proxy_init() function, between #if OPENSSL_VERSION_NUMBER >=
0x00907000L and the matching #endif, and recompile.
One other thing to notice: ssl_proxy_get_peer_name now returns the
CommonName from the client certificate, and not the whole DN!
> Those two "Invalid certificate" lines, followed immediately by two
> "Valid certificate" lines seem suspicious.
>
I think that's because ssl-verify_client_cert() returns 1. I've seen the
same behaviour here. Change it to preverify_ok; then it should log
verification error messages (and drop the connection in case of an
invalid client certificate).
Success!
--
regards,
HenkJan Wolthuis
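The procedure in option 1 above (generate a CRL, append it in PEM form to the CA certificate, point ssl_ca_file at the result), as an added example that is not part of the original post and not Dovecot's own code. It assumes only that the openssl command-line tool is installed; the CA name Demo-CA, the client name alice, and the file names ca.cnf and ssl_ca_file.pem are made up for the demo. It goes one step beyond the post by also revoking the client certificate and showing, with openssl verify -crl_check, that the combined file then rejects it. OpenSSL's PEM file lookup (the one behind SSL_CTX_load_verify_locations, which is how a CA file like ssl_ca_file is loaded) reads both certificates and CRLs from a single file, which is why concatenating them works.

```shell
#!/bin/sh
# Added example, not Dovecot code: build a throwaway CA, issue one client
# certificate, generate a CRL, and assemble ssl_ca_file the way the post
# describes (CA certificate followed by the CRL, both PEM). Then check with
# 'openssl verify -crl_check' that the combined file rejects a revoked
# client cert. All names (Demo-CA, alice, ca.cnf, ssl_ca_file.pem) are
# made up for the demo.
set -e

# Minimal config serving both 'openssl req' and 'openssl ca'. $dir is
# expanded by openssl, not by the shell (quoted heredoc).
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca_cert.pem
private_key      = $dir/ca_key.pem
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# ssl_ca_file = CA cert followed by the current CRL; rerun after every
# revocation, otherwise Dovecot keeps trusting the revoked certificate.
assemble_ssl_ca_file() {
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    cat ca_cert.pem crl.pem > ssl_ca_file.pem
}

# Create the CA and a client cert for "alice" in directory $1 (runs in a
# subshell so the caller's cwd is untouched), then write $1/ssl_ca_file.pem.
build_ssl_ca_file() (
    set -e
    mkdir -p "$1/newcerts"
    cd "$1"
    write_ca_config
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
        -subj /CN=Demo-CA -keyout ca_key.pem -out ca_cert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config ca.cnf \
        -subj /CN=alice -keyout client_key.pem -out client.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf \
        -in client.csr -out client_cert.pem 2>/dev/null
    assemble_ssl_ca_file
)

# Revoke alice's certificate and regenerate $1/ssl_ca_file.pem.
revoke_client() (
    set -e
    cd "$1"
    openssl ca -config ca.cnf -revoke client_cert.pem 2>/dev/null
    assemble_ssl_ca_file
)

# Exit 0 if $1/client_cert.pem verifies against $1/ssl_ca_file.pem with CRL
# checking enabled (certs and CRL read from the one PEM file), else non-zero.
client_cert_ok() {
    openssl verify -crl_check -CAfile "$1/ssl_ca_file.pem" \
        "$1/client_cert.pem" >/dev/null 2>&1
}

# Number of "-----BEGIN $2-----" blocks in file $1 (CERTIFICATE, "X509 CRL").
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Usage: sh crl-demo.sh /tmp/dovecot-crl-demo
if [ -n "${1:-}" ]; then
    build_ssl_ca_file "$1"
    client_cert_ok "$1" && echo "before revocation: client cert accepted"
    revoke_client "$1"
    client_cert_ok "$1" || echo "after revocation: client cert rejected"
fi
```

The resulting ssl_ca_file.pem contains exactly one CERTIFICATE block and one X509 CRL block, which is the layout the post says the CRL-checking build of Dovecot expects. Note that a CRL has a nextUpdate date (default_crl_days here), so the file has to be regenerated before it expires or verification fails for every client, not only the revoked ones.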