Greetings.

On 04.12.2013 13:49, Алексей Прокопчук wrote:

I examined in detail dovecot's behavior with 'auth_ssl_require_client_cert=yes'. Dovecot misinterprets the configuration in the case of the parameters: ssl = yes, auth_ssl_require_client_cert = yes

If ssl is not equal to 'required', i.e. SSL is not strictly required, then an unencrypted connection is permissible. The case 'ssl = required' is processed separately when the connection begins. But dovecot answers a client on an unencrypted connection with "Client didn't sent a valid SSL certificate". This is wrong because with an unencrypted connection there can't be any certificates at all.
I use dovecot-2.1.16. In auth-request-handler.c I found:
    if (request->set->ssl_require_client_cert &&
        !request->valid_client_cert) {
        /* we fail without valid certificate */
        auth_request_handler_auth_fail(handler, request,
            "Client didn't present valid SSL certificate");
        return TRUE;
    }

Here it is necessary to check for an encrypted connection, and if the connection is not encrypted, the condition should not be triggered. And as I said above, the case with 'ssl = required' is processed earlier, and in that case we don't get to this place in the code. Finally, I found everything that is needed. I patched auth-request-handler.c and now:
case1: ssl = yes, auth_ssl_require_client_cert = yes
 - If we try to authenticate via pop3 or imap with SSL enabled, a valid certificate is present, and the password is correct, the result is success.
 - If we try to authenticate via pop3 or imap with SSL enabled and no valid certificate is present, the result is an error.
 - If we try to authenticate via pop3 or imap without SSL and the password is correct, the result is success.

case2: ssl = required, auth_ssl_require_client_cert = yes
 - If we try to authenticate via pop3 or imap with SSL enabled, a valid certificate is present, and the password is correct, the result is success.
 - If we try to authenticate via pop3 or imap with SSL enabled and no valid certificate is present, the result is an error.
 - If we try to authenticate via pop3 or imap without SSL, the result is an error (SSL connection required).
Patch for dovecot-2.1.16 is attached to this message.
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
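The decision logic described in the mail, as an added C model for comparison; this is not Dovecot's code and not the attached patch, and the enum, function names and the `encrypted` flag are assumptions standing in for Dovecot's real request fields. It puts the quoted check beside the behaviour the mail describes after the patch and runs the case1/case2 inputs through both.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the settings and per-request state involved. */
enum ssl_setting { SSL_NO, SSL_YES, SSL_REQUIRED };

enum auth_result {
    AUTH_OK,                 /* password accepted */
    AUTH_FAIL_SSL_REQUIRED,  /* ssl = required but connection is plaintext */
    AUTH_FAIL_NO_CERT,       /* "Client didn't present valid SSL certificate" */
    AUTH_FAIL_PASSWORD
};

/* Check as quoted from auth-request-handler.c: it looks only at the
 * certificate flag, so a plaintext connection (which can never carry a
 * client certificate) is rejected with the certificate error. */
enum auth_result auth_check_original(enum ssl_setting ssl, bool require_client_cert,
                                     bool encrypted, bool valid_client_cert,
                                     bool password_ok)
{
    if (ssl == SSL_REQUIRED && !encrypted)
        return AUTH_FAIL_SSL_REQUIRED;      /* rejected earlier, at connect time */
    if (require_client_cert && !valid_client_cert)
        return AUTH_FAIL_NO_CERT;
    return password_ok ? AUTH_OK : AUTH_FAIL_PASSWORD;
}

/* Behaviour the mail describes after patching: the certificate requirement
 * is only evaluated on encrypted connections. */
enum auth_result auth_check_patched(enum ssl_setting ssl, bool require_client_cert,
                                    bool encrypted, bool valid_client_cert,
                                    bool password_ok)
{
    if (ssl == SSL_REQUIRED && !encrypted)
        return AUTH_FAIL_SSL_REQUIRED;
    if (encrypted && require_client_cert && !valid_client_cert)
        return AUTH_FAIL_NO_CERT;
    return password_ok ? AUTH_OK : AUTH_FAIL_PASSWORD;
}

int main(void)
{
    /* case1, plaintext login with correct password: the original check
     * fails with NO_CERT (2), the patched one succeeds (0). */
    printf("case1 plaintext: original=%d patched=%d\n",
           auth_check_original(SSL_YES, true, false, false, true),
           auth_check_patched(SSL_YES, true, false, false, true));
    /* case2, plaintext login: both reject because SSL is required (1). */
    printf("case2 plaintext: original=%d patched=%d\n",
           auth_check_original(SSL_REQUIRED, true, false, false, true),
           auth_check_patched(SSL_REQUIRED, true, false, false, true));
    return 0;
}
```

The model also makes the trade-off in case1 explicit: with ssl = yes the corrected behaviour lets a plaintext login with a correct password succeed without any certificate, so the certificate is mandatory for every login only when ssl = required.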