Hi, I've attached a new version of my patch against ssl_proxy-openssl.c which: - disconnects when no clientcertificate is presented - checks the clientcertificate against the crl for our root cert. (so you can't use a revoked client cert.) - returns the CommonName from the client cert. in ssl_proxy_get_peer_name (this way it's easier to use dovecot as imap-proxy with a passwd-like userdb + ssl_require_client_cert + ssl_username_from_cert, it "binds" the emailuser to the clientcertificate, so a user / clientcert. can access only the account from the userdb) In order to use it, the CAfile must be a file which contains the CAcertificate (pem format) followed by the CRL (also in pem format). (servercert and the clientcerts are signed with a self-signed rootcert) changes in this version: - found the proper way to extract the CommonName from a certificate! - code cleanup there are some issues with the patch: - it needs openssl > 0.9.7. the way I do CRL loading/checking is new in 0.9.7. There are some examples on the openssl-devel list, but not much documentation. - ssl_verify_client_cert now returns 0 in case of an invalid cert. was there a reason why it always returned 1? - ssl_proxy_get_peer_name is changed, code depending on this function returning "X509_NAME_oneline" can break.. (at the moment it is only used for the ssl_username_from_cert config option, i think) I'd like comments / ideas etc. -- groeten, HenkJan Wolthuis --- ssl-proxy-openssl.c.orig 2006-04-04 10:32:58.000000000 +0200 +++ ssl-proxy-openssl.c 2006-06-01 09:24:57.000000000 +0200 @@ -498,7 +498,7 @@ const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy) { X509 *x509; - char buf[1024]; + char buf[256]; const char *name; if (!ssl_proxy_has_valid_client_cert(proxy)) @@ -508,10 +508,16 @@ if (x509 == NULL) return NULL; /* we should have had it.. */ - X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf)); - name = t_strndup(buf, sizeof(buf)); + /* HJHJ */ + /* the X509_N_gtbN can return -1 without 0-terminating buf */ + /* if the call succeeds buf is 0-terminated (openssl 0.9.7e / 0.9.8b src) */ + buf[0] = '\0'; + if( X509_NAME_get_text_by_NID(X509_get_subject_name(x509),NID_commonName,buf,sizeof(buf)) < 0 ) + { buf[0] = '\0'; } + name = t_strndup(buf, sizeof(buf) ); X509_free(x509); - + /* HJHJ */ + return *name == '\0' ? NULL : name; } @@ -582,10 +588,22 @@ proxy = SSL_get_ex_data(ssl, extdata_index); proxy->cert_received = TRUE; + + /* HJHJ */ + char buf[1024]; + X509_NAME_oneline( X509_get_subject_name(ctx->current_cert),buf,sizeof(buf)); + if (!preverify_ok) + { proxy->cert_broken = TRUE; + i_warning("BAD CERT %s: %s",X509_verify_cert_error_string(ctx->error),buf); + } + else + { i_warning("CERT: %s",buf); } /* logging */ - return 1; + return preverify_ok; + /* HJHJ */ + } static int @@ -666,10 +684,20 @@ if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) { SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | - SSL_VERIFY_CLIENT_ONCE, + SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_client_cert); } + /* HJHJ */ +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + X509_STORE *store; + if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL ) + { X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } + else + { i_warning("X509 get cert store failed..."); } +#endif + /* HJHJ */ + /* PRNG initialization might want to use /dev/urandom, make sure it does it before chrooting. We might not have enough entropy at the first try, so this function may fail. It's still been