Today I've been trying to get dovecot (1.0 rc2) to use certificates for client side authentication. If my memory serves right, beta8 had no problems with it (although it was some time ago and on different machine).
Similar setup works perfectly well for postfix (for authentication that is, on the same machine). Originally I thought I overdid some certificate settings (keyUsage, nsCertType, etc.), so for the sake of testing I've simplified the setup to bare minimum - 1 simple selfsigned root certificate, another 1 for dovecot, and the last one for the user. Unfortunately, the results were the same.
Configuration:
OpenBSD 3.9 (stable branch), i386, no nfs or afs (only local ffs)
standard OpenSSL 0.9.7g (+ patches)
dovecot 1.0 rc2, compiled from sources, with sysconfdir set to /etc and with disabled pam
Tested with the most recent opera and mozilla thunderbird, using pop3s. (note: both clients work with postfix, authenticating only by certificates). They do send requested certificates.
Important dovecot configuration:
ssl_cert_file = /etc/ssl/ca_ppgk/certs/pop3_crt.pem (common name - pop3.ppgk.com.pl, valid dns name)
ssl_key_file = /etc/ssl/ca_ppgk/private/pop3_key.pem
ssl_ca_file = /etc/ssl/ca_ppgk/ca_crt.pem
ssl_verify_client_cert = yes
verbose_ssl = yes
auth_verbose = yes
ssl_require_client_cert = yes
ssl_username_from_cert = (tested both with yes and no, with common name of user certificate set both as username@domain or as bare username)
The rest is just pretty standard, using passwd for both user auth and userdb, with plain and login mechanisms allowed.
I tested "few" sets of certificates (for ca, server and user) with configurations ranging from quite specific ones (with basicConstraints, nsCertType, keyUsage, extendedKeyUsage fields set) to very simple ones (basicConstraints + typical stuff like subjectKeyIdentifier). All of them gave the same results with dovecot (postfix didn't complain with any of them either).
This is what I get in logs, when trying to pull mail using opera or mozilla:
Jul 7 14:33:47 ppgk-wa dovecot: Dovecot v1.0.rc2 starting up
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms@ppgk.com.pl/emailAddress=adminms@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms@ppgk.com.pl/emailAddress=adminms@ppgk.com.pl
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 1 reason=Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 2 LOGIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): LOGIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 2 reason=Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 3 PLAIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 3 reason=Client didn't present valid SSL certificate
Jul 7 14:34:07 ppgk-wa dovecot: pop3-login: Disconnected: method=PLAIN, rip=192.168.100.75, lip=192.168.100.77, TLS
Those two "Invalid certificate" lines, followed immediately by two "Valid certificate" lines seem suspicious.
Is there some configuration detail I might have missed or messed up, or is it (probably) a bug?
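An added example, not part of the original post, that triages exactly the pattern described above from Dovecot's verbose_ssl/auth_verbose output: for each certificate subject it records every verdict the verify callback logged, in order, and then flags a session where every subject ended on "Valid certificate" yet the auth process still rejected the client with "Client didn't present valid SSL certificate". The sample lines are copied from the post; the function names and regular expressions are this example's own.

```python
import re
from collections import Counter

# Sample syslog lines taken from the post above (Dovecot 1.0 rc2, pop3s).
SAMPLE_LOG = """\
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms@ppgk.com.pl/emailAddress=adminms@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms@ppgk.com.pl/emailAddress=adminms@ppgk.com.pl
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): LOGIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:07 ppgk-wa dovecot: pop3-login: Disconnected: method=PLAIN, rip=192.168.100.75, lip=192.168.100.77, TLS
"""

# One line per verify-callback invocation: "Valid"/"Invalid" plus the subject DN.
CERT_RE = re.compile(r"pop3-login: (Valid|Invalid) certificate: (/\S+)")
# Auth rejection naming the mechanism and the remote IP.
AUTH_FAIL_RE = re.compile(
    r"auth\(default\): (\w+)\([^,]*,([\d.]+)\): Client didn't present valid SSL certificate")
CN_RE = re.compile(r"/CN=([^/]+)")

def analyse(log_text):
    """Summarise certificate verdicts (keyed by CN) and auth failures in a log excerpt."""
    verdicts = {}          # CN -> verdicts in the order the callback logged them
    failures = Counter()   # (mechanism, remote IP) -> number of rejections
    for line in log_text.splitlines():
        m = CERT_RE.search(line)
        if m:
            cn = CN_RE.search(m.group(2)).group(1)
            verdicts.setdefault(cn, []).append(m.group(1))
            continue
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
    # The callback may run more than once per certificate; the last verdict is the one that counts.
    final = {cn: v[-1] for cn, v in verdicts.items()}
    flip_flops = sorted(cn for cn, v in verdicts.items() if "Invalid" in v and v[-1] == "Valid")
    # Suspicious state: every certificate ended up Valid, but auth still refused the client.
    inconsistent = bool(final) and bool(failures) and all(v == "Valid" for v in final.values())
    return {"final": final, "flip_flops": flip_flops,
            "auth_failures": failures, "inconsistent": inconsistent}
```

Run it over a larger log to see whether the Invalid-then-Valid sequence is tied to particular subjects, which separates a certificate or CA-file problem from a login process that remembers only the first verdict.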