Hi,

I've attached a new version of my patch against ssl_proxy-openssl.c which:
- disconnects when no client certificate is presented
- checks the client certificate against the CRL for our root cert (so you can't use a revoked client cert)
- returns the CommonName from the client cert in ssl_proxy_get_peer_name (this way it's easier to use Dovecot as an IMAP proxy with a passwd-like userdb + ssl_require_client_cert + ssl_username_from_cert; it "binds" the email user to the client certificate, so a user / client cert can access only the account from the userdb)

In order to use it, the CAfile must be a file which contains the CA certificate (PEM format) followed by the CRL (also in PEM format). (The server cert and the client certs are signed with a self-signed root cert.)

Changes in this version:
- found the proper way to extract the CommonName from a certificate!
- code cleanup

There are some issues with the patch:
- it needs OpenSSL > 0.9.7. The way I do CRL loading/checking is new in 0.9.7. There are some examples on the openssl-devel list, but not much documentation.
- ssl_verify_client_cert now returns 0 in case of an invalid cert. Was there a reason why it always returned 1?
- ssl_proxy_get_peer_name is changed; code depending on this function returning "X509_NAME_oneline" can break (at the moment it is only used for the ssl_username_from_cert config option, I think).

I'd like comments / ideas etc.
-- 

Regards,

HenkJan Wolthuis