[Dovecot] ssl-proxy: client certificates and crl check
HenkJan Wolthuis
hj.wolthuis at kaw.nl
Tue Jun 13 17:50:52 EEST 2006
Hi Timo,
> Well, at least I want to avoid adding more options to config file.. Why
> do you think it's so much better to disconnect immediately? Do clients
> then give good error messages if that happens?
Tested with Thunderbird 1.0.2 and a revoked user certificate; on connect
I got the following results:
cvs-nightly-20060613 asks for a password, returns "login to server
localhost failed" and asks for the password again.
modified cvs-nightly-20060613 (ssl_verify_client_cert() returning
'preverify_ok' instead of '1') returns "could not establish an encrypted
connection with localhost because your certificate has been revoked",
then disconnects. The error messages on the client side are more useful
in this case (IMHO).
> One possibility would be to send also the ssl_require_valid_client_cert
> setting to the login process, and disconnect immediately if that's yes.
OK.
> One problem with that is however that it's possible to have multiple
> auth blocks with different ssl_require_valid_client_cert values, so the
> code would have to check that all of them have it.
I'm afraid I don't understand... In the config file there's only "auth default {}".
The wiki page MultipleAuth doesn't seem related to this. Can you explain?
PS:
I also modified the i_info call in ssl_verify_client_cert() to:
    i_info("Invalid certificate: %s %s",
           X509_verify_cert_error_string(ctx->error), buf);
This way the verification error is also logged.
--
groeten,
HenkJan Wolthuis
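The CRL check discussed in this thread, reproduced with the OpenSSL command-line tools as an added example (this is not Dovecot code and did not come from the thread). It builds a throwaway CA and a client certificate in a temporary directory, verifies the client certificate against an empty CRL, revokes it, reissues the CRL and verifies again. The second run prints the same "certificate revoked" text that X509_verify_cert_error_string() returns for ctx->error, i.e. what the modified i_info() call above would log. It assumes an `openssl` binary (1.1.1 or newer) on PATH; the CA name, the CN "hj" and all file names are made up for the example.

```shell
#!/bin/sh
# Added example, not Dovecot code: reproduce the CRL check with the OpenSSL CLI.
# Assumes an `openssl` binary (1.1.1 or newer) on PATH; everything else is
# created in a throwaway directory. "Test CA" and the CN "hj" are made up.
set -e
umask 077
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# One config for both `openssl req` and `openssl ca`, with absolute paths so it
# does not depend on the system openssl.cnf. The CA cert gets the
# basicConstraints/keyUsage extensions a verifier needs to accept it as issuer
# and CRL signer. The [dn] section is required by `openssl req` but -subj overrides it.
cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"

make_ca() {
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a client (user) certificate signed by the CA; $1 is the user's CN.
issue_client_cert() {
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
}

# Mark the current client certificate as revoked in the CA database.
revoke_client_cert() {
    openssl ca -config "$CNF" -cert "$WORK/ca.pem" -keyfile "$WORK/ca.key" \
        -revoke "$WORK/client.pem" 2>/dev/null
}

# (Re)issue the CRL from the CA database. A CRL-checking server needs a
# current CRL on hand, otherwise verification fails for every client.
make_crl() {
    openssl ca -config "$CNF" -cert "$WORK/ca.pem" -keyfile "$WORK/ca.key" \
        -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Verify the client cert against CA + CRL the way a CRL-checking server does.
# Prints "OK", or the same text X509_verify_cert_error_string() returns for
# the verify context's error (e.g. "certificate revoked").
verify_client_cert() {
    if out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" \
             -CRLfile "$WORK/crl.pem" "$WORK/client.pem" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

make_ca
issue_client_cert hj
make_crl
echo "before revocation: $(verify_client_cert)"
revoke_client_cert
make_crl
echo "after revocation:  $(verify_client_cert)"
```

The verify step checks only the leaf (-crl_check, not -crl_check_all), which is what a per-client certificate check needs; the revoked serial stays on the CRL, so a certificate issued afterwards with a fresh serial verifies as OK against the same CRL.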