Q1) I can't get ssl_verify_client_cert=yes working. The SSL key and cert are signed using our CA. Also, the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior: stop the SSL session (the client doesn't have a cert installed).
Current behavior: mail clients accept SSL and login succeeds (both Evolution and Thunderbird).
My bad? Please advise.
Q2) The next step: if Dovecot blocks the client because of verify_client_cert, how do I create certs for OE, Evolution and Thunderbird?
Thanks, Leroy
Server type: Linux Red Hat ES 4.4 (32bit)
# ./dovecot -n
# /drbd/imap/dovecot-1.0.rc26/etc/dovecot.conf
log_path: /drbd/imap/dovecot-1.0.rc26/var/dovecot.log
protocols: imaps
listen: a.b.c.39:143
ssl_listen: a.b.c.39:993
ssl_ca_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/cacert_with_crl.pem
ssl_cert_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-signedcertificate.pem
ssl_key_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-privatekey.pem
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /drbd/imap/dovecot-1.0.rc26/var/run/dovecot/login
login_executable: /drbd/imap/dovecot-1.0.rc26/libexec/dovecot/imap-login
verbose_proctitle: yes
mail_extra_groups: mail
mail_location: mbox:~/:INBOX=/var/mail/%u
mmap_disable: yes
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle
auth default:
  mechanisms: plain login digest-md5 cram-md5
  verbose: yes
  passdb:
    driver: passwd-file
    args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  passdb:
    driver: pam
  userdb:
    driver: passwd-file
    args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  userdb:
    driver: passwd
Details (LONG) follow:
# cat cacert_with_crl.pem
-----BEGIN CERTIFICATE-----
MIICxzCCAjCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBE
ZWxmdCBIeWRyYXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBI
b2xsYW5kMQswCQYDVQQGEwJOTDAeFw0wNzAzMDgxMjE1MzhaFw0xNzAzMDUxMjE1
MzhaMFIxHDAaBgNVBAoTE1dMIERlbGZ0IEh5ZHJhdWxpY3MxDjAMBgNVBAcTBURl
bGZ0MRUwEwYDVQQIEwxadWlkIEhvbGxhbmQxCzAJBgNVBAYTAk5MMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCp4s55PxpcEgk1KhAJ3DA/DXKHBtUoAE3K273t
1nJzuAujA0mfVtpinDdpreHp53bVGSN5xIDZ+Ljy8wW7lPB5YSwBQFbIoFx/6NkI
QPkYeVZ0NrFC1g2tZRD4ObRkqFuApr60+NokY+e3KuInnCdAf0Itb4VVolMvWccz
vqdJBQIDAQABo4GsMIGpMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFPynIoyRPF2s
UiGO+3RQr2pThXzQMHoGA1UdIwRzMHGAFPynIoyRPF2sUiGO+3RQr2pThXzQoVak
VDBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRyYXVsaWNzMQ4wDAYDVQQHEwVEZWxm
dDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQswCQYDVQQGEwJOTIIBADANBgkqhkiG
9w0BAQQFAAOBgQAtRPC7laBPuOMAein4ZXjxSia6l7XjpAI/A2bXFvbV1ulNzbno
KYbeqfv6zp1SLWrKvwGeu4DrHLe098ATADqLWANqNqfI5t40nND1rsfGmjGTOJ7v
/Q53AaTXEBn2D1ZIqGMUuFOXv0BFi1U2BmPyTt6hlZ1D7wTERxo0UGXFXw==
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBFzCBgTANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRy
YXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQsw
CQYDVQQGEwJOTBcNMDcwMzA4MTIyODE5WhcNMDcwNDA3MTIyODE5WjANBgkqhkiG
9w0BAQQFAAOBgQBnXWqvR9oS674EyNHYoOmv0KeFcVqLOUpR7bVGbMYvCsMc56yy
E473NULD0EL0BZFMgGdN05e53KLnOoLiuvFuhCAxZW7o7f72lJC+wegFwROp7OOc
aKJ5lumaZ86Xb0uM8N/yJ/5xxCubrt1TYGQYPTjoQo4rJccpFy8aeqNDrA==
-----END X509 CRL-----
# cat imaps-signedcertificate.pem
-----BEGIN CERTIFICATE-----
MIICHTCCAYYCAQEwDQYJKoZIhvcNAQEEBQAwUjEcMBoGA1UEChMTV0wgRGVsZnQg
SHlkcmF1bGljczEOMAwGA1UEBxMFRGVsZnQxFTATBgNVBAgTDFp1aWQgSG9sbGFu
ZDELMAkGA1UEBhMCTkwwHhcNMDcwMzA4MTIyMDA2WhcNMDgwMzA3MTIyMDA2WjBc
MQswCQYDVQQGEwJOTDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMRwwGgYDVQQKExNX
TCBEZWxmdCBIeWRyYXVsaWNzMRgwFgYDVQQDEw9pbWFwLndsZGVsZnQubmwwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlEnCZu2o7LGp1x1rwBY2nZJH49L7by
F8GVRpnoi7wnvXV11Iy7JUd0qbyBDWNn6EiBJ2YMemSmceVpXtyxI6wbBqmq0kgn
1VmglFUcYXRx6mkXuMx17OXpqSB9jNU22ldn20h/Xr1yhJ8W/RpohG9u6jebFiF3
qJXdyjXJqPSBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAVwOhL3FICQeMJOSxil2S
K1TiN+6zjrVDq7L7t7myOkWJA6hrZcPWQZfCV5ZoWaG8nREdesKAQBRvkT6uwmcJ
3pYpc/iBTtmwCpEVjfv0Ki9VwXpWuRo0FcQkrc8MVbclwnkGmtPAJAY7Dz7U/uBf
w4N5cj1pfHltVEeD9Jb9tBo=
-----END CERTIFICATE-----
# cat imaps-privatekey.pem
-----BEGIN RSA PRIVATE KEY-----
<better not include this :)>
-----END RSA PRIVATE KEY-----
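Added example, not part of Leroy's post and not Dovecot's own tooling: a self-contained OpenSSL walk-through of the client-certificate side of Q2, using the same "CA certificate followed by its CRL" bundle layout the post uses for ssl_ca_file. It builds a throwaway CA, issues two client certificates, revokes one, regenerates the bundle, and then checks each certificate the way a server with CRL checking would (trusted and not revoked vs. revoked vs. issued by a foreign CA), finishing with a PKCS#12 export that Thunderbird, Evolution and Outlook Express can import. The CA name, the user names alice/bob, the e-mail addresses and the PKCS#12 password are assumptions made up for the demo; it runs in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): throwaway CA,
# client certificates, revocation, CA+CRL bundle and verification with OpenSSL.
# All names, addresses and the PKCS#12 password below are demo assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

write_ca_config() {
  # Minimal config for 'openssl ca'. The index/serial database is what makes
  # revocation by serial number and CRL generation possible later on.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = demo_policy
[ demo_policy ]
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  touch index.txt
  echo 01 > serial
  echo 01 > crlnumber
}

make_ca() {
  write_ca_config
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -subj "/O=Example Org/CN=Example Mail CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
}

issue_client_cert() {  # $1 = short name, $2 = e-mail address placed in the subject
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=$1/emailAddress=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}

revoke_client_cert() {  # $1 = short name; marks the serial 'R' in index.txt
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
}

publish_ca_bundle() {
  # Regenerate the CRL and append it to the CA cert: the ssl_ca_file layout
  # from the post. The CRL carries a nextUpdate, so re-run this before it lapses.
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > ca_with_crl.pem
}

verify_client_cert() {  # $1 = cert file; exit 0 only if chained to the CA and not revoked
  openssl verify -CAfile ca_with_crl.pem -crl_check "$1" >/dev/null 2>&1
}

export_pkcs12() {  # $1 = short name, $2 = password; the .p12 is what the mail clients import
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile ca.crt \
    -name "$1 mail client" -passout "pass:$2" -out "$1.p12"
}

make_ca
issue_client_cert alice alice@example.org
issue_client_cert bob bob@example.org
# A self-signed cert from outside our CA: the kind of cert the server must reject.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=stranger" -keyout stranger.key -out stranger.crt 2>/dev/null

revoke_client_cert bob
publish_ca_bundle
export_pkcs12 alice demo-password

for c in alice.crt bob.crt stranger.crt; do
  if verify_client_cert "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

Two checks worth doing against the real server before handing out certificates: `openssl s_client -connect a.b.c.39:993` prints "Acceptable client certificate CA names" followed by the CA's subject when the server actually sent a CertificateRequest during the handshake, and "No client certificate CA names sent" when it did not; and note that in Dovecot 1.0 `ssl_verify_client_cert = yes` only makes the server request a certificate, while the example config documents `ssl_require_client_cert = yes` inside the `auth` section as the setting that fails the login when no valid one is presented. On OpenSSL 3 the PKCS#12 export defaults to modern PBKDF2/AES encryption; if an old client such as Outlook Express refuses the file, re-export with the `-legacy` option.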