Hi all,
As I reported earlier (with a typo in the word [BUG]), client certificate validation *does not* work even if you do everything exactly according to all the documentation and attempts at helpful advice.
I have seen this issue with both startssl.com and self-signed certificates, and based on what I've seen from searching the web, this is a problem that has gotten little attention, because most people don't bother but are more than willing to give out useless advice on how to make it work.
Furthermore the issue does NOT occur with the cyrus-imap mail server, so it is definitely a server-side issue.
The actual issue is that the code for calling OpenSSL that constructs the client certificate validation is in fact WRONG.
I don't have a perfect patch as I was mostly interested in getting it working for my needs and didn't bother with constructing the list of CA names to send to the client, preferring to let OpenSSL handle all that sort of thing.
What it comes down to is that the code, which probably worked at one point, was not correctly updated at some point and since then client side certificate validation has been BROKEN.
I have patched against 2.2.9, however I have seen this problem in the versions in both Debian Wheezy and Debian Jessie as well.
As you will see from the patch (which is an attachment, as people tend to complain that patches get mangled when you inline them, and even if I have a good client I've gotten heck because the receiver didn't).
Regards,
Daniel