Hi Timo,
> Well, at least I want to avoid adding more options to config file. Why do you think it's so much better to disconnect immediately? Do clients then give good error messages if that happens?
Tested with Thunderbird 1.0.2 and a revoked user certificate; on connect I got the following results:
cvs-nightly-20060613 asks for a password, returns "login to server localhost failed" and asks for the password again.
modified cvs-nightly-20060613 (ssl_verify_client_cert() returning 'preverify_ok' instead of '1') returns "could not establish an encrypted connection with localhost because your certificate has been revoked", then disconnects. The error messages on the client side are more useful in this case (imho).....
> One possibility would be to send also the ssl_require_valid_client_cert setting to the login process, and disconnect immediately if that's yes.
ok....
> One problem with that is however that it's possible to have multiple auth blocks with different ssl_require_valid_client_cert values, so the code would have to check that all of them have it.
I'm afraid I don't understand... In the config file there's only "auth default {}". The wiki page MultipleAuth doesn't seem related to this. Can you explain?
PS: I also modified the i_info call in ssl_verify_client_cert() to:
i_info("Invalid certificate: %s %s",
       X509_verify_cert_error_string(ctx->error), buf);
This way the verification error is also logged.
--
regards,
HenkJan Wolthuis
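The two behaviours compared in the message above (callback returning preverify_ok, which aborts the handshake so the client sees a TLS alert, versus returning 1, which lets the handshake finish and leaves the rejection to the login code) come down to the return value of the OpenSSL verify callback. The following is an added example, not the patch from this e-mail and not Dovecot's own code: it logs the verification error string the way the PS describes and decides the return value from a strict_client_cert flag standing in for ssl_require_valid_client_cert. The names strict_client_cert, log_line, client_cert_verify_decision and install_client_cert_verify are this example's own; the OpenSSL-facing part uses accessor functions rather than ctx->error because the X509_STORE_CTX struct is opaque in current OpenSSL, and it is only compiled when the OpenSSL headers are available.

```c
/* Added example (not the patch from the e-mail, not Dovecot's code):
 * an OpenSSL client-certificate verify callback that logs the reason a
 * certificate failed verification and either rejects the handshake
 * (strict policy) or lets it complete so the failure surfaces at login. */
#include <stdio.h>
#include <string.h>

/* Policy switch standing in for ssl_require_valid_client_cert = yes/no.
 * (Assumed name for this example.) */
static int strict_client_cert = 1;

/* Last log line, kept so it can be inspected after the callback ran. */
static char log_line[256];

/* Core decision. preverify_ok is what OpenSSL's own chain verification
 * concluded. Returning 0 aborts the handshake (the client receives a TLS
 * alert, e.g. "certificate has been revoked"); returning 1 accepts the
 * handshake and leaves it to the login code to refuse the session. */
int client_cert_verify_decision(int preverify_ok, int strict)
{
    if (preverify_ok)
        return 1;
    return strict ? 0 : 1;
}

/* Format the log line from the pieces the callback extracts from the
 * verification context; kept separate so it is testable without OpenSSL. */
const char *format_verify_error(const char *error_string, int depth,
                                const char *subject)
{
    snprintf(log_line, sizeof(log_line), "Invalid certificate: %s (depth %d) %s",
             error_string, depth, subject);
    return log_line;
}

#if defined(__has_include)
#if __has_include(<openssl/ssl.h>)
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Verify callback installed with SSL_CTX_set_verify(). OpenSSL calls it
 * once per certificate in the chain, with preverify_ok = 0 on failure. */
static int ssl_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
{
    if (!preverify_ok) {
        char subject[128] = "<no subject>";
        X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
        int err = X509_STORE_CTX_get_error(ctx);
        int depth = X509_STORE_CTX_get_error_depth(ctx);

        if (cert != NULL)
            X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
        /* Log the human-readable reason (revoked, expired, unknown CA, ...). */
        fprintf(stderr, "%s\n",
                format_verify_error(X509_verify_cert_error_string(err), depth, subject));
    }
    return client_cert_verify_decision(preverify_ok, strict_client_cert);
}

/* Request a client certificate; in strict mode also refuse clients that
 * present none at all. (Assumed helper name for this example.) */
void install_client_cert_verify(SSL_CTX *ctx)
{
    int mode = SSL_VERIFY_PEER;
    if (strict_client_cert)
        mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    SSL_CTX_set_verify(ctx, mode, ssl_verify_client_cert);
}
#endif
#endif
```

With strict_client_cert set, a revoked certificate never reaches the login code at all, which is the "could not establish an encrypted connection" behaviour seen in the second test; with it cleared, the handshake succeeds and the client only sees the generic login failure.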