TLS communication director -> backend with X.509 cert checks?

Timo Sirainen tss at iki.fi
Tue Oct 13 19:02:59 UTC 2015


On 13 Oct 2015, at 21:44, Heiko Schlittermann <hs at schlittermann.de> wrote:
> 
> Hello,
> 
> using Dovecot 2.2.9 and a setup with directors and backends.
> The communication between directors and backends needs to be TLS
> secured.
> 
> The director config contains a list of hostnames for the backends.
> (implicit list because of multiple A/AAAA records for a single hostname
> or explicit list of several host names)
> 
> On connection setup from a client the director connects to the
> selected backend. But it seems (not checked in the source yet),
> that for SSL certificate verification the director doesn't know the
> original host name anymore. The certificate's CN gets compared to
> the IP address the director connects to.

Right. The hostnames are lost immediately at director startup. I've never really thought about needing this functionality for director, since they're usually in the same trusted network with backends.

> Should I create certificates with IP address in SAN? (Any hint about the
> correct syntax for the openssl.conf is welcome). Or is there any chance
> that this is fixed already or will be fixed in the near future or even
> better, that it's my fault?

I guess that could work for now. No idea about how to do such certificates.
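An added example, not from the thread, of the openssl.cnf SAN syntax asked about above: it issues a self-signed backend certificate with the backend's IP address in the SAN and then verifies it by address, the way a peer that has lost the hostname would. The hostname backend1.example.test and the address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed backend certificate whose
# SAN carries the backend IP as well as its hostname, so a peer that only
# knows the IP address (like the director here) can still verify it.
# backend1.example.test and 192.0.2.10 are placeholder values.
set -e

# Write a minimal openssl.cnf and issue the certificate with it.
make_backend_cert() {
    dir=$1 host=$2 ip=$3
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_backend

[ dn ]
CN = $host

[ v3_backend ]
# The IP: entry is what makes verification by address succeed; a CN alone
# is never matched against an IP address.
subjectAltName   = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/backend.key" -out "$dir/backend.pem" \
        -config "$dir/openssl.cnf" 2>/dev/null
}

# Verify the certificate the way an address-based client does: the chain
# must validate and the SAN must contain the expected IP. Returns 0 on match.
check_ip_san() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_backend_cert "$workdir" backend1.example.test 192.0.2.10
openssl x509 -in "$workdir/backend.pem" -noout -text | grep -A1 'Subject Alternative Name'
check_ip_san "$workdir/backend.pem" 192.0.2.10 && echo "192.0.2.10: verified"
check_ip_san "$workdir/backend.pem" 192.0.2.11 || echo "192.0.2.11: rejected"
```

With several A/AAAA records per backend name, list every address as its own `IP:` entry in the same subjectAltName line.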
