Hello,
we're running RC2 and seeing a problem with the way SSL certs are handled by Dovecot.
We've set ssl_verify_client_cert=yes and ssl_require_valid_client_cert=no.
Using this setup we get (rather interesting) log entries like these:
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Login: user=...
When setting ssl_require_valid_client_cert=yes, logins always fail with:
Jul 31 11:57:54 dev dovecot: auth(default): PLAIN(?,...): Client didn't present valid SSL certificate
Are we doing something wrong, or is Dovecot mixing up something while checking the certificates?
Note that the certificates are all valid and have not expired. The <user cert> is signed by the <CA cert> and we set ssl_ca_file to the CA certificate PEM file.
Ideally, we'd like to only accept login requests from users who have a valid certificate signed by our CA. Even better would be an approach such as the one taken by Postfix, where you have to provide a list of valid MD5 hash sums for the users you'd like to accept.
Thanks,
Marc-Andre Lemburg eGenix.com
Professional Python Services directly from the Source (#1, Jul 31 2006)
Python/Zope Consulting and Support ... http://www.egenix.com/
mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::
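An added example, not part of the post above and not Dovecot code: a small stdlib-only Python parser that reads imap-login / auth log lines in the format quoted in the post, tracks the per-subject "Invalid"/"Valid certificate" verdicts so the Invalid-then-Valid flip-flop is visible, and counts logins and "Client didn't present valid SSL certificate" rejections. The sample lines are constructed from the post; the user name <alice> is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Login: user=<alice>
Jul 31 11:57:54 dev dovecot: auth(default): PLAIN(?,...): Client didn't present valid SSL certificate
"""

# syslog-style prefix: timestamp, host, "dovecot:", process name, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)
CERT_RE = re.compile(r"^(?P<verdict>Valid|Invalid) certificate: (?P<subject>.+)$")
NO_CERT = "Client didn't present valid SSL certificate"


def summarize(log_text):
    """Return (verdict history per certificate subject, login count,
    count of rejections for a missing or invalid client certificate)."""
    history = defaultdict(list)
    logins = 0
    rejected = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dovecot line in the expected format
        msg = m.group("msg")
        c = CERT_RE.match(msg)
        if c:
            history[c.group("subject")].append(c.group("verdict"))
        elif msg.startswith("Login:"):
            logins += 1
        elif msg.endswith(NO_CERT):
            rejected += 1
    return dict(history), logins, rejected


def flip_flopped(history):
    """Subjects whose verdict changed within the log, i.e. the
    Invalid-then-Valid pattern described in the post."""
    return sorted(s for s, v in history.items() if len(set(v)) > 1)
```

Running `summarize(SAMPLE_LOG)` on the constructed lines shows both the user and the CA certificate logged as Invalid and then Valid, one successful login, and one rejection.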