[Dovecot] ssl-proxy: client certificates and crl check
Timo Sirainen
tss at iki.fi
Mon Jun 12 13:34:37 EEST 2006
On Mon, 2006-06-12 at 12:30 +0200, HenkJan Wolthuis wrote:
> >> - ssl_verify_client_cert now returns 0 in case of an invalid cert. was
> >> there a reason why it always returned 1?
>
> > Yes. ssl_verify_client_cert=yes doesn't require the certificate to be
> > valid. Only ssl_require_valid_client_cert=yes in auth settings does
> > that. This allows for some people to authenticate with certificates and
> > others to authenticate the usual way. So I dropped this part of your
> > patch.
>
> OK, you also changed SSL_VERIFY_FAIL_IF_NO_PEER_CERT back to
> SSL_VERIFY_CLIENT_ONCE, same reason?
Yes. Or if it's FAIL_IF_NO_PEER_CERT and the cert is invalid, what
happens? Does it disconnect immediately? I haven't tried.
> Maybe the valid-client-cert-feature
> can have a conf.file switch, or a #define in the sourcecode, what's your
> opinion?
Well, at least I want to avoid adding more options to config file.. Why
do you think it's so much better to disconnect immediately? Do clients
then give good error messages if that happens?
One possibility would be to send also the ssl_require_valid_client_cert
setting to the login process, and disconnect immediately if that's yes.
One problem with that is however that it's possible to have multiple
auth blocks with different ssl_require_valid_client_cert values, so the
code would have to check that all of them have it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20060612/548f8d73/attachment.pgp
More information about the dovecot
mailing list