From what I have understood, you are able in the configuration to reject transactions with those that don't present a valid certificate.
Ergo, they can connect, but they can't do anything.
-----Original message-----
From: dovecot-bounces@dovecot.org On behalf of Hristo Venev
Sent: 27 March 2021 00:16
To: dovecot@dovecot.org
Subject: ssl_verify_client_cert=yes does not require a client certificate [invalid signature!]
Hello,
I am trying to set up LMTP over TLS. I have set ssl_verify_client_cert:
protocol lmtp {
ssl_ca = ctx->client_ctx)
verify_flags = SSL_VERIFY_NONE;
else
- verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_set_verify(ssl_io->ssl, verify_flags,
openssl_iostream_verify_client_cert);
}
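Review bot: adding SSL_VERIFY_FAIL_IF_NO_PEER_CERT unconditionally on the `else` branch turns every ssl_verify_client_cert=yes listener into one that aborts the TLS handshake when no certificate is offered, whereas the existing code accepted the connection and left the decision to later checks (the reply above describes exactly that optional-certificate behaviour as intended). Gate the new flag on a separate "require" setting rather than folding it into the verify case, so deployments that rely on optional client certificates keep working. Also, the continuation line `+SSL_VERIFY_FAIL_IF_NO_PEER_CERT;` has no leading indentation, unlike the surrounding `SSL_set_verify(...)` continuation, so the patch should be reindented to match the file's style.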