[Dovecot] 1.0rc26: ssl_verify_client=yes ?
Apostolis Papagiannakis
apap at ccf.auth.gr
Fri Mar 9 11:40:34 EET 2007
>
> Date: Thu, 08 Mar 2007 18:13:48 +0200
> From: Timo Sirainen <tss at iki.fi>
> Subject: Re: [Dovecot] 1.0rc26: ssl_verify_client=yes ?
>
> On Thu, 2007-03-08 at 16:40 +0100, Steffen Kaiser wrote:
>
>>
>> > On Thu, 8 Mar 2007, Timo Sirainen wrote:
>> >
>>
>>>> > >> Q2)
>>>> > >> The next step, if dovecot blocks the client because
>>>> > >> of the verify_client_cert, how to create certs for OE,
>>>> > >> Evolution and Thunderbird?
>>>>
>>> > >
>>> > > I don't think most clients support SSL client certificates at all,
>>> > > although I know some people are using them with some clients.. Maybe
>>> > > someone could add a list of the clients supporting them into wiki.
>>>
>> >
>> > Er, a dummy question, I guess:
>> > Can you use client certs to login into Dovecot?
>> > Aka can use the certs as "passdb"?
>>
>
> Yes. It will still need some passdb, but you could use null password and
> ssl_username_from_cert=yes settings in which case it doesn't matter what
> user/password is used to log in.
>
> But it circumvents Dovecot's login/auth process security model, so I
> don't recommend it that much. Maybe some day I'll make login process
> forward the client cert to dovecot-auth which does the actual
> verification.
>
I have successfully tested ssl_username_from_cert and found no real
problem, apart from the fact that
dovecot "username" takes the value of the certificate "CN" attribute ,
instead of the email attribute (in
my case "Apostolos Papayanakis" instead of apap/ at /ccf.auth.gr).
Everything else works as expected (eg,
further userdb lookups based on certificate CN).
Our University has issued a few thousand certificates with subjects
such as
"/C=GR/O=Aristotle University of Thessaloniki/OU=Network Operations
Center/CN=Apostolos Papayanakis/emailAddress=apap/ at /ccf.auth.gr",
that are used for administrative purposes. We would be very happy to use
them as an alternative
method of IMAP/POP3 authentication. However certificate CNs are not
unique (e.g. "John Smith") and we
would like to avoid constantly patching dovecot to use the email (or
other) attribute from the certificate.
I think replacing
NID_commonName
with
NID_pkcs9_emailAddress ( or NID_subject_key_identifier, or
NID_subject_alt_name)
in login-common/ssl-proxy-openssl.c, line 527 would suffice.
(X509_NAME_get_text_by_NID(X509_get_subject_name(x509), NID_commonName,
buf, sizeof(buf)) < 0).
Maybe I should post a complete patch if Timo is interested.
Apostolis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5876 bytes
Desc: S/MIME Cryptographic Signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20070309/e5867588/attachment.bin
More information about the dovecot
mailing list