Hello Michal,
> Today I've been trying to get dovecot (1.0 rc2) to use certificates for client side authentication. If my memory serves right, beta8 had no problems with it (although it was some time ago and on different
I'm not using rc2 yet; I'm using dovecot-20060612 with client certs / CRLs.
I'm not sure, but maybe this is the problem: after beta8, CRL checking was added, and ssl_ca_file should be a file with the ca_cert followed by a CRL (certificate revocation list).
If this is the problem, you can:
- generate a CRL and add it to ca_cert.pem (CRL in PEM format), or
- comment out the CRL-checking code in ssl-proxy-openssl.c (it's in the ssl_proxy_init() function, between #if OPENSSL_VERSION_NUMBER >= 0x00907000L and the matching #endif) and recompile
One other thing to notice: ssl_proxy_get_peer_name now returns the CommonName from the client certificate, and not the whole DN!
> Those two "Invalid certificate" lines, followed immediately by two "Valid certificate" lines seem suspicious.
I think that's because ssl_verify_client_cert() returns 1. I've seen the same behaviour here. Change it to return preverify_ok; then it should log verification error messages (and drop the connection in case of an invalid client certificate).
success!
--
groeten,
HenkJan Wolthuis
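As an added check (my own example, not code from this thread or from Dovecot), the following script verifies that an ssl_ca_file bundle has the layout the reply describes: CA certificate(s) followed by a PEM CRL, and nothing else. The sample bundle is constructed with placeholder bodies.

```python
# Sanity-check the layout of the file pointed to by ssl_ca_file: the reply
# above says it must hold the CA certificate followed by a PEM-format CRL.
import re

# Constructed sample bundle; the base64 bodies are placeholders, not real data.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIJAPLACEHOLDERCA
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBTjCBuAIBATANBgkqPLACEHOLDERCRL
-----END X509 CRL-----
"""

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_labels(text):
    """Return the PEM block labels in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_ca_bundle(text):
    """Return (ok, problems) for a bundle intended for ssl_ca_file."""
    labels = pem_labels(text)
    problems = []
    cert_idx = [i for i, lab in enumerate(labels) if lab == "CERTIFICATE"]
    crl_idx = [i for i, lab in enumerate(labels) if lab == "X509 CRL"]
    if not cert_idx:
        problems.append("no CA certificate block")
    if not crl_idx:
        problems.append("no CRL block")
    # The reply describes the order as CA cert first, then the CRL.
    if cert_idx and crl_idx and crl_idx[0] < cert_idx[-1]:
        problems.append("CRL precedes a CA certificate; expected cert(s) then CRL")
    for lab in labels:
        if "PRIVATE KEY" in lab:
            # A trust-anchor bundle should never carry a private key.
            problems.append("private key found in CA bundle")
        elif lab not in ("CERTIFICATE", "X509 CRL"):
            problems.append("unexpected block type: " + lab)
    return (not problems, problems)


if __name__ == "__main__":
    print(check_ca_bundle(SAMPLE_BUNDLE))
```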