[Dovecot] 1.0rc26: ssl_verify_client=yes ?
Leroy van Logchem
leroy.vanlogchem at wldelft.nl
Thu Mar 8 14:51:32 EET 2007
Q1)
I can't get ssl_verify_client_cert=yes working.
The ssl key and cert are signed using our CA.
Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior:
Stop the SSL (the client doesn't have a cert installed)
Current behavior:
Mail clients accept SSL and login succeeds
(both Evolution and Thunderbird).
My bad? Please advise.
Q2)
The next step: if Dovecot blocks the client because
of ssl_verify_client_cert, how do I create certs for OE,
Evolution and Thunderbird?
Thanks,
Leroy
Server type: Linux Red Hat ES 4.4 (32bit)
# ./dovecot -n
# /drbd/imap/dovecot-1.0.rc26/etc/dovecot.conf
log_path: /drbd/imap/dovecot-1.0.rc26/var/dovecot.log
protocols: imaps
listen: a.b.c.39:143
ssl_listen: a.b.c.39:993
ssl_ca_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/cacert_with_crl.pem
ssl_cert_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-signedcertificate.pem
ssl_key_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-privatekey.pem
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /drbd/imap/dovecot-1.0.rc26/var/run/dovecot/login
login_executable: /drbd/imap/dovecot-1.0.rc26/libexec/dovecot/imap-login
verbose_proctitle: yes
mail_extra_groups: mail
mail_location: mbox:~/:INBOX=/var/mail/%u
mmap_disable: yes
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle
auth default:
  mechanisms: plain login digest-md5 cram-md5
  verbose: yes
  passdb:
    driver: passwd-file
    args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  passdb:
    driver: pam
  userdb:
    driver: passwd-file
    args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  userdb:
    driver: passwd
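The following is an added configuration example, not part of the original post, showing the difference between the setting used above and the one that actually refuses clients without a certificate. In Dovecot 1.0, ssl_verify_client_cert=yes only makes the server request a client certificate in the TLS handshake and reject an invalid one; a client that presents no certificate at all is still allowed through to authentication, which is the behaviour reported in Q1. The 1.0 example config documents the companion setting ssl_require_client_cert, which lives in the auth section. Paths are taken from the posted dovecot -n output; everything else (the CRL lifetime remark, the placement of the remaining auth settings) is an assumption about this deployment.

```conf
# Dovecot 1.0 dovecot.conf fragment (added example, not the poster's file).

protocols = imaps
ssl_listen = a.b.c.39:993

# CA that signed the server cert and, for client-cert checking, the CA that
# client certificates must chain to.  A CRL may be appended to this file; an
# appended CRL is only useful while its nextUpdate lies in the future, so it
# has to be regenerated before it expires (assumption: CRL checking is on).
ssl_ca_file   = /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/cacert_with_crl.pem
ssl_cert_file = /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-signedcertificate.pem
ssl_key_file  = /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-privatekey.pem

# Weak on its own: asks the client for a certificate and verifies one if it
# is sent, but a client that sends none still reaches the login prompt.
ssl_verify_client_cert = yes
verbose_ssl = yes

auth default {
  mechanisms = plain login digest-md5 cram-md5

  # Corrected: refuse authentication unless the client presented a
  # certificate that ssl_verify_client_cert validated.  Without this line
  # Evolution/Thunderbird without any client cert log in as observed above.
  ssl_require_client_cert = yes

  passdb passwd-file {
    args = /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  }
  passdb pam {
  }
  userdb passwd-file {
    args = /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  }
  userdb passwd {
  }
}
```

After restarting Dovecot, a quick check is `openssl s_client -connect a.b.c.39:993` with no -cert/-key: with ssl_require_client_cert=yes the session should no longer reach the "* OK" IMAP greeting, while the same command with a CA-signed client certificate should.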
Details (LONG) follow:
# cat cacert_with_crl.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBFzCBgTANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRy
YXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQsw
CQYDVQQGEwJOTBcNMDcwMzA4MTIyODE5WhcNMDcwNDA3MTIyODE5WjANBgkqhkiG
9w0BAQQFAAOBgQBnXWqvR9oS674EyNHYoOmv0KeFcVqLOUpR7bVGbMYvCsMc56yy
E473NULD0EL0BZFMgGdN05e53KLnOoLiuvFuhCAxZW7o7f72lJC+wegFwROp7OOc
aKJ5lumaZ86Xb0uM8N/yJ/5xxCubrt1TYGQYPTjoQo4rJccpFy8aeqNDrA==
-----END X509 CRL-----
# cat imaps-signedcertificate.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# cat imaps-privatekey.pem
-----BEGIN RSA PRIVATE KEY-----
<better not include this :)>
-----END RSA PRIVATE KEY-----
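For Q2, the following is an added example (not from the original post or the Dovecot project) of issuing a TLS client certificate from a private CA with OpenSSL and packaging it as a PKCS#12 file, which is the format Thunderbird, Evolution and Outlook Express all import. The client certificate must be signed by a CA present in Dovecot's ssl_ca_file, so in real use the CA key and cert would be the ones that signed imaps-signedcertificate.pem; here a throwaway CA is generated under a temporary directory so the script runs offline. All file names, subjects and the export password are hypothetical.

```shell
#!/bin/sh
# Added example: issue a client certificate for a mail user and bundle it as
# PKCS#12.  Assumes an OpenSSL command-line binary; the CA created by make_ca
# is a stand-in for the site CA that signed the Dovecot server certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA so the example is self-contained (hypothetical subject names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Mail CA/CN=Example Mail CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue a client certificate for one mailbox user and export it as .p12.
# $1 = username (used as CN), $2 = export password for the .p12 file
make_client_cert() {
  user="$1"; pass="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Mail CA/CN=$user" \
    -keyout "$WORK/$user-key.pem" -out "$WORK/$user.csr" 2>/dev/null
  # extendedKeyUsage=clientAuth marks this as a TLS client certificate;
  # CA:FALSE prevents the user from minting further certificates with it.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
  openssl x509 -req -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/client.ext" \
    -in "$WORK/$user.csr" -out "$WORK/$user-cert.pem" 2>/dev/null
  # PKCS#12 bundle (key + cert + CA) for import via Thunderbird/Evolution's
  # certificate manager or the Windows certificate store for Outlook Express.
  openssl pkcs12 -export -passout "pass:$pass" \
    -inkey "$WORK/$user-key.pem" -in "$WORK/$user-cert.pem" \
    -certfile "$WORK/cacert.pem" -name "$user IMAP client certificate" \
    -out "$WORK/$user.p12"
}

# Same check Dovecot performs against ssl_ca_file: does the client
# certificate chain to the CA?  Prints "ok" or "fail", returns 0 or 1.
verify_client_cert() {
  user="$1"
  if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$user-cert.pem" >/dev/null 2>&1; then
    echo ok; return 0
  fi
  echo fail; return 1
}

# Client-side probe against a live server (not run here; host is a
# placeholder).  With the server requiring client certs, running this again
# without -cert/-key should end the handshake before the IMAP greeting.
probe_server() {
  user="$1"; host="$2"
  openssl s_client -connect "$host:993" \
    -cert "$WORK/$user-cert.pem" -key "$WORK/$user-key.pem" \
    -CAfile "$WORK/cacert.pem" </dev/null
}
```

Distribute only the .p12 file to the user (the -key.pem stays on the issuing host or is deleted), and keep the CA private key off the mail server itself; the server only needs the CA certificate in ssl_ca_file to verify what the client presents.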