[Dovecot] imap-login hangs after receiving revoked SSL certificate

Алексей Прокопчук alexpro at homelan.lg.ua
Tue Dec 3 00:41:26 EET 2013


Hello again.
On 02.12.2013 18:19, Timo Sirainen wrote:
> What OpenSSL version are you using?
>
> This looks like the same issue:
>
> http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest
>
> Where the fix is in:
>
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe
>
> Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.

I used openssl version 1.0.1c when I wrote the first message. Following your
advice, I tried to apply the patch from the fix above to openssl-1.0.1e.
Now there are no hangs, but dovecot treats every user certificate as invalid. And
very interesting: first dovecot reports that the certificate is invalid, and
immediately thereafter reports that the same certificate is valid. And
finally it reports "client sent an invalid cert". I have my own test CA based
on EJBCA. The server and all client certificates which I tried to test were
issued by this CA. The freshest CRL is embedded into the ca.pem file which is used
as the CA certificate in dovecot.conf.
Here is the log:

------------------------------------------------------
Dec  3 00:10:25 mail dovecot: imap-login: Invalid certificate: Different
CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec  3 00:10:25 mail dovecot: imap-login: Invalid certificate: unable to
get certificate CRL: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec  3 00:10:25 mail dovecot: imap-login: Valid certificate: /CN=AP inc.
root certification authority/O=AP inc./C=UA
Dec  3 00:10:25 mail dovecot: imap-login: Valid certificate: /O=AP
inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec  3 00:10:25 mail dovecot: imap-login: Disconnected (client sent an
invalid cert): user=<>, method=PLAIN, rip=192.168.200.55,
lip=192.168.200.1, TLS, session=<K6FgcpTsAgDAqMg3>
------------------------------------------------------

Now I'm quite confused: apache works with these certificates as
expected: it accepts valid ones and refuses revoked ones. But dovecot, which
yesterday accepted at least one certificate (which I revoked for testing),
today rejects all the others from the same CA.

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
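Added example, not code from this thread or from the Dovecot project: it rebuilds the "CRL appended to ca.pem" layout described in the post with a constructed test CA, issues two client certificates and revokes one, so that `openssl verify` shows what that bundle accepts independently of dovecot. The CA name, user names, serials and the minimal `openssl ca` configuration are assumptions made for the example.

```shell
# Added example: build the "CRL appended to ca.pem" layout the post describes
# with a constructed test CA and ask OpenSSL's own verifier about it.
set -eu
WORK=$(mktemp -d)   # scratch directory for keys, certs, CRL and CA database
cd "$WORK"
# Minimal config for 'openssl req' and 'openssl ca' (revocation DB, CRL signing).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt   # empty certificate database for 'openssl ca'
# Constructed test CA standing in for the poster's EJBCA root.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Test CA (constructed)" -keyout ca.key -out ca.pem 2>/dev/null
# issue_client NAME SERIAL: leaf certificate signed by the test CA.
issue_client() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -set_serial "$2" -days 1 -out "$1.pem" 2>/dev/null
}
issue_client alice 1001
issue_client bob 1002
# Revoke bob, publish a CRL and append it to the CA file: the ssl_ca
# layout from the post, with the CRL embedded in ca.pem.
openssl ca -config ca.cnf -revoke bob.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
cat ca.pem crl.pem > ca-with-crl.pem
# verify_client FILE: 0 if OpenSSL accepts the cert against the bundle with
# CRL checking on the whole chain, 1 otherwise; the verdict goes to stdout.
verify_client() {
    out=$(openssl verify -crl_check_all -CAfile ca-with-crl.pem "$1" 2>&1) || true
    printf '%s\n' "$out"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}
```

If a certificate passes here but dovecot still rejects it, the CA bundle and its CRL are not the problem.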
