[Dovecot] ssl-proxy: client certificates and crl check

HenkJan Wolthuis hj.wolthuis at kaw.nl
Mon Jun 12 15:42:28 EEST 2006


Hi Timo,

>Yes. Or if it's FAIL_IF_NO_PEER_CERT and the cert is invalid, what
>happens? Does it disconnect immediately? I haven't tried.

if ssl_verify_client_cert() in ssl-proxy-openssl.c returns 0 the
connection is immediately dropped; if it returns 1 the error (no client
cert, cert revoked, CRL expired etc.) is ignored. But I haven't
experimented much with it; in particular, I'm not certain if it
disconnects with SSL_VERIFY_CLIENT_ONCE and no peer certificate. I think
it should, but I haven't tested it... (I'll test it tonight.)

>>Maybe the valid-client-cert feature
>>can have a conf.file switch, or a #define in the source code, what's your
>>opinion?
>
>Well, at least I want to avoid adding more options to the config file..
>Why do you think it's so much better to disconnect immediately? Do
>clients then give good error messages if that happens?

The main reason is that I thought it would be better to drop an unwanted 
connection as soon as possible...

Clients should receive errors like "certificate revoked", but I'll try 
generating some errors and see what really happens...

>One possibility would be to send also the ssl_require_valid_client_cert
>setting to the login process, and disconnect immediately if that's yes.
>One problem with that is however that it's possible to have multiple
>auth blocks with different ssl_require_valid_client_cert values, so the
>code would have to check that all of them have it.

Another option is to leave it the way it is, and place a small comment 
in the source code (or Wiki) which explains the other behaviour. ;-)

-- 

groeten,

HenkJan Wolthuis
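
The certificate states discussed in the mail (valid cert, revoked cert, expired CRL) can be reproduced with the openssl command line alone. The script below is an added example and not code from the mail or from Dovecot's ssl-proxy: it builds a throwaway CA ("Example Test CA"), one client certificate ("example-client") and CRLs in a temporary directory (all constructed here, the names are placeholders) and reports what OpenSSL's verifier says about the client certificate in each state. It assumes only that an openssl binary with the ca, req and verify subcommands is installed.

```shell
#!/bin/sh
# Added example, not Dovecot's ssl-proxy code: walk one client cert through the
# states from the mail (valid, revoked, CRL expired) with the openssl CLI and
# show the verifier's verdict for each. All material is constructed in a temp
# dir: a throwaway CA ("Example Test CA"), a client cert ("example-client"), CRLs.
set -eu

# Minimal config shared by "req -x509" (CA cert) and "ca" (issue/revoke/CRL).
write_config() {   # $1 = work dir
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $1/index.txt
new_certs_dir    = $1
certificate      = $1/ca.pem
private_key      = $1/ca.key
serial           = $1/serial
crlnumber        = $1/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = policy_cn
x509_extensions  = v3_client
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints       = CA:FALSE
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 01 > "$1/crlnumber"
}
# Self-signed CA plus one client cert issued through "openssl ca", so the CA
# database knows the cert and can revoke it later.
make_ca_and_client() {   # $1 = work dir
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/client.key" -out "$1/client.csr" -subj "/CN=example-client" >/dev/null 2>&1
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/client.csr" -out "$1/client.pem" >/dev/null 2>&1
}
issue_crl() {   # $1 = work dir, $2 = CRL validity in seconds
    openssl ca -config "$1/ca.cnf" -gencrl -crlsec "$2" -out "$1/crl.pem" >/dev/null 2>&1
}
revoke_client() {   # $1 = work dir
    openssl ca -config "$1/ca.cnf" -revoke "$1/client.pem" >/dev/null 2>&1
}
# Verify the client cert against the CA (leaf CRL check when $2 names a CRL) and
# reduce the output to one word; the matched strings are OpenSSL's error texts.
verify_client() {   # $1 = work dir, $2 = CRL file, or empty for no CRL check
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$2" "$1/client.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1/ca.pem" "$1/client.pem" 2>&1) || true
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *"CRL has expired"*)     echo crl-expired ;;
        *": OK"*)                echo ok ;;
        *)                       echo "other: $out" ;;
    esac
}
# Verdicts in order: valid cert without CRL check, with a fresh CRL, with an
# expired CRL; revoked cert with a fresh CRL; revoked cert without CRL check.
demo_crl_states() {
    work=$(mktemp -d)
    write_config "$work"
    make_ca_and_client "$work"
    r1=$(verify_client "$work" "")
    issue_crl "$work" 86400
    r2=$(verify_client "$work" "$work/crl.pem")
    issue_crl "$work" 1; sleep 2          # 1-second CRL, stale after the sleep
    r3=$(verify_client "$work" "$work/crl.pem")
    revoke_client "$work"
    issue_crl "$work" 86400
    r4=$(verify_client "$work" "$work/crl.pem")
    r5=$(verify_client "$work" "")        # revocation is invisible without -crl_check
    rm -rf "$work"
    echo "$r1 $r2 $r3 $r4 $r5"
}

demo_crl_states   # prints: ok ok crl-expired revoked ok
```

Each of the failing verdicts ("certificate revoked", "CRL has expired") is a condition that the verifier hands to the verify callback with a preverify result of 0; what then happens to the TLS connection depends on the callback's return value, which is the 0-versus-1 behaviour described in the reply above. The last verdict is the one to keep in mind when configuring a server: with no CRL check enabled, a revoked client certificate still verifies as OK.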
