Hello again. On 02.12.2013 18:19, Timo Sirainen wrote:
> What OpenSSL version are you using?
> This looks like the same issue:
> http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest
> where the fix is in:
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9c...
> Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.
I used OpenSSL version 1.0.1c when I wrote the first message. Following your advice, I tried to apply the patch from the fix above to openssl-1.0.1e. Now there are no hangs, but Dovecot treats any user certificate as invalid. And very interesting: first Dovecot reports that the certificate is invalid, and immediately thereafter reports that the same certificate is valid. And finally it reports "client sent an invalid cert". I have my own test CA based on EJBCA. The server certificate and all the client certificates I tried to test were issued by this CA. The freshest CRL is embedded into the ca.pem file, which is used as the CA certificate in dovecot.conf. Here is the log:
Dec 3 00:10:25 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Valid certificate: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Valid certificate: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 3 00:10:25 mail dovecot: imap-login: Disconnected (client sent an invalid cert): user=<>, method=PLAIN, rip=192.168.200.55, lip=192.168.200.1, TLS, session=<K6FgcpTsAgDAqMg3>
Now I'm quite confused: Apache works with these certificates as expected, accepting valid ones and refusing revoked ones. But Dovecot, which yesterday accepted at least one certificate (one I had revoked for testing), today rejects all the others from the same CA.
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
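The setup discussed in this message (a CA certificate with the current CRL appended to the same ca.pem, then CRL-checked client certificate verification) can be reproduced outside Dovecot with the openssl command line. The script below is an added example, not code from the thread, from Dovecot or from OpenSSL: it builds a throwaway CA, issues two client certificates, revokes one, emits a CRL, concatenates CA certificate and CRL into ca.pem, and classifies what `openssl verify -crl_check` says about each certificate, including the "unable to get certificate CRL" case seen in the log when the bundle carries no CRL. The CA name, user names and temp directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Dovecot or OpenSSL): reproduce CRL-checked
# client certificate verification against a ca.pem that holds the CA certificate
# followed by its CRL. Names ("Test CA", alice, bob) and paths are illustrative.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl ca(1) configuration: enough to sign, revoke and emit a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = test_ca

[ test_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = cacert.pem
private_key      = cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = client_ext

[ cn_only ]
commonName       = supplied

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Self-signed root; keyUsage includes cRLSign so the CRL it issues verifies.
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
  -keyout cakey.pem -out cacert.pem -days 365 -subj "/CN=Test CA" 2>/dev/null

# Two client certificates signed by that CA (hypothetical users alice and bob).
for u in alice bob; do
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout "$u.key" -out "$u.csr" -subj "/CN=$u" 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$u.csr" -out "$u.pem" 2>/dev/null
done

# Revoke bob, publish a CRL, and build the bundle: CA certificate first, CRL after.
# -CAfile loads both certificates and CRLs from one PEM file, which is why a
# CRL appended to the CA file is picked up at all.
openssl ca -config ca.cnf -revoke bob.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
cat cacert.pem crl.pem > ca.pem

# verify_cert BUNDLE CERT: classify a CRL-checked verification of CERT.
# Prints one of: valid | revoked | no-crl | error:<openssl message>.
# Always exits 0 so it can be called under set -e; the printed word is the result.
verify_cert() {
  out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*)                          echo valid ;;
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *)                                 echo "error: $out" ;;
  esac
}

verify_cert ca.pem alice.pem      # valid
verify_cert ca.pem bob.pem        # revoked
verify_cert cacert.pem alice.pem  # no-crl: CA certificate without its CRL
```

Running this against a bundle built from a real CA and its freshest CRL is a quick way to separate a bad bundle (wrong order, stale or missing CRL, CRL signed by a different key) from server-side behaviour: if `openssl verify -crl_check` already reports "unable to get certificate CRL" or "certificate revoked" for a certificate the server should accept, the problem is in the bundle or the CA, not in the mail server.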