[Dovecot] Dovecot 2.1.4 and client certificates

Бранко Мајић branko at majic.rs
Sat Apr 14 16:30:06 EEST 2012


Version: 2.1.4
OS: Gentoo stable/amd64
OpenSSL version: 1.0.0h

I'm having a slight problem with the client certificates in Dovecot
2.1.4. I've set up the client certificate verification/authentication,
and it seems that Dovecot is choking on the trust chain with CRLs that
I'm providing to it (attached to this mail).

When I enable the client authentication using certificates, and pick
the certificate from my client (I've also tried it with gnutls-cli),
I get the following errors in Dovecot's log:

imap-login: Info: Invalid certificate: Different CRL scope: /CN=Example Root CA/O=Example Inc./C=RS

As per the wiki2 configuration page, I've set up the truststore in the
following order (everything PEM-encoded):

Example Person CA Certificate
Example Person CA CRL
Example Root CA Certificate
Example Root CA CRL

Person CA is the one issuing the end-entity certificates, of course.
I'm also attaching the certificate I've used for testing.

On an additional note, the imap-login process also got stuck writing out
the error message to the log file, refusing to die when receiving
SIGTERM (I had to send SIGKILL).

A similar set-up used to work under Dovecot in Debian Squeeze (version
1.2.15). The same file copied over to Dovecot 2.1.4's configuration
won't work.

I've compiled Dovecot by hand, and I'm not running it in any kind of
chroot (this is a developer set-up so I could add support for
rfc822Name username extraction I mentioned a week or so ago without
messing around as root).

Best regards

-- 
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

Branko Majić
Jabber: branko at majic.rs
Please send attachments to me only in free formats.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trustchain.pem
Type: application/x-x509-ca-cert
Size: 6640 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20120414/f8e43204/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: branko_majic.crt
Type: application/x-x509-ca-cert
Size: 1700 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20120414/f8e43204/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20120414/f8e43204/attachment-0008.bin>
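The "Different CRL scope" text in the log is OpenSSL's own verify error (X509_V_ERR_DIFFERENT_CRL_SCOPE), which Dovecot only relays, so the first thing to check is whether OpenSSL accepts the trust chain file at all, independently of Dovecot. The script below is an added example, not code from the original post or from the Dovecot project: it builds a throwaway two-tier PKI (a made-up "Example Root CA" issuing a made-up "Example Person CA", which issues one client certificate), assembles the truststore in exactly the order the post describes (issuing CA certificate, its CRL, root certificate, root CRL), and runs `openssl verify -crl_check_all` against it. It then shows the two failure modes a practitioner would want to recognise next to the success case: a chain file with the CRLs left out, and a chain file whose issuing-CA CRL revokes the client certificate. It assumes only that the `openssl` command-line tool is on PATH; every name, subject and file path in it is invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): build a throwaway
# two-tier PKI, lay the truststore out as the post describes, and let OpenSSL's
# verifier (the same logic behind Dovecot's ssl_ca checks) judge it with CRLs.
# "Example Root CA", "Example Person CA" and the leaf subject are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl.cnf for a CA kept in directory $1 whose subject CN is $2.
mk_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $1/index.txt
new_certs_dir = $1
serial = $1/serial
crlnumber = $1/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = v3_leaf
[ policy_any ]
commonName = supplied
organizationName = optional
countryName = optional
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
O = Example Inc.
C = RS
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
}

# Classify OpenSSL's chain+CRL verdict for client cert $2 against truststore $1:
# OK, NO_CRL, REVOKED, CRL_SCOPE (the error from the post) or the raw error text.
chain_status() {
    out=$(openssl verify -crl_check_all -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
    case "$out" in
        *"certificate revoked"*)           echo REVOKED ;;
        *"unable to get certificate CRL"*) echo NO_CRL ;;
        *"Different CRL scope"*)           echo CRL_SCOPE ;;
        *)                                 echo "FAIL: $out" ;;
    esac
    return 0
}

build_pki() {
    mk_ca root   "Example Root CA"
    mk_ca person "Example Person CA"
    # Self-signed root, then the issuing ("Person") CA signed by the root.
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -config root/ca.cnf -extensions v3_ca -days 365 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout person.key -out person.csr \
        -config person/ca.cnf >/dev/null 2>&1
    openssl ca -batch -config root/ca.cnf -keyfile root.key -cert root.crt \
        -extensions v3_ca -in person.csr -out person.crt >/dev/null 2>&1
    # End-entity (client) certificate issued by the Person CA (subject made up).
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -config person/ca.cnf -subj "/CN=Example Client/O=Example Inc./C=RS" >/dev/null 2>&1
    openssl ca -batch -config person/ca.cnf -keyfile person.key -cert person.crt \
        -extensions v3_leaf -in leaf.csr -out leaf.crt >/dev/null 2>&1
    # One (still empty) CRL per CA; -crl_check_all needs one for every CA.
    openssl ca -gencrl -config root/ca.cnf -keyfile root.key -cert root.crt -out root.crl >/dev/null 2>&1
    openssl ca -gencrl -config person/ca.cnf -keyfile person.key -cert person.crt -out person.crl >/dev/null 2>&1
}

# Revoke the client certificate and reissue the Person CA's CRL.
revoke_leaf() {
    openssl ca -config person/ca.cnf -keyfile person.key -cert person.crt -revoke leaf.crt >/dev/null 2>&1
    openssl ca -gencrl -config person/ca.cnf -keyfile person.key -cert person.crt -out person-revoked.crl >/dev/null 2>&1
}

build_pki
cat person.crt person.crl root.crt root.crl > trustchain.pem           # the order from the post
cat person.crt root.crt              > certs-only.pem                  # CRLs forgotten
revoke_leaf
cat person.crt person-revoked.crl root.crt root.crl > trustchain-revoked.pem
echo "post's layout, nothing revoked: $(chain_status "$WORK/trustchain.pem" "$WORK/leaf.crt")"
echo "certificates only, no CRLs    : $(chain_status "$WORK/certs-only.pem" "$WORK/leaf.crt")"
echo "post's layout, leaf revoked   : $(chain_status "$WORK/trustchain-revoked.pem" "$WORK/leaf.crt")"
```

The PEM file `openssl verify -CAfile` reads here is the same kind of file Dovecot 2.x takes through `ssl_ca = </path/to/trustchain.pem` with `ssl_verify_client_cert = yes` and `ssl_require_crl = yes` (the default, which is what `-crl_check_all` mirrors). If this check prints OK for your real trust chain and client certificate, the file layout is not the problem and the "Different CRL scope" error has to come from the actual CRLs (for instance an issuing distribution point on the CRL that does not cover the certificate being checked); if it reproduces the error, `openssl crl -in <crl> -noout -text` on each CRL is the next place to look.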

