[Dovecot] Authentication by certificates (a bug or my misconfiguration)
Today I've been trying to get dovecot (1.0 rc2) to use certificates for client side authentication. If my memory serves right, beta8 had no problems with it (although it was some time ago and on a different machine).
Similar setup works perfectly well for postfix (for authentication that is, on the same machine). Originally I thought I overdid some certificate settings (keyUsage, nsCertType, etc.), so for the sake of testing I've simplified the setup to bare minimum - 1 simple selfsigned root certificate, another 1 for dovecot, and the last one for the user. Unfortunately, the results were the same.
Configuration:
OpenBSD 3.9 (stable branch), i386, no nfs or afs (only local ffs)
standard OpenSSL 0.9.7g (+ patches)
dovecot 1.0 rc2, compiled from sources, with sysconfdir set to /etc and with disabled pam
Tested with the most recent opera and mozilla thunderbird, using pop3s. (note: both clients work with postfix, authenticating only by certificates). They do send requested certificates.
Important dovecot configuration:
ssl_cert_file = /etc/ssl/ca_ppgk/certs/pop3_crt.pem (common name - pop3.ppgk.com.pl, valid dns name)
ssl_key_file = /etc/ssl/ca_ppgk/private/pop3_key.pem
ssl_ca_file = /etc/ssl/ca_ppgk/ca_crt.pem
ssl_verify_client_cert = yes
verbose_ssl = yes
auth_verbose = yes
ssl_require_client_cert = yes
ssl_username_from_cert = (tested both with yes and no, with common name of user certificate set both as username@domain or as bare username)
The rest is just pretty standard, using passwd for both user auth and userdb, with plain and login mechanisms allowed.
I tested "few" sets of certificates (for ca, server and user) with configurations ranging from quite specific ones (with basicConstraints, nsCertType, keyUsage, extendedKeyUsage fields set) to very simple ones (basicConstraints + typical stuff like subjectKeyIdentifier). All of them gave the same results with dovecot (postfix didn't complain with any of them either).
This is what I get in logs, when trying to pull mail using opera or mozilla:
Jul 7 14:33:47 ppgk-wa dovecot: Dovecot v1.0.rc2 starting up
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms@ppgk.com.pl/emailAddress=adminms@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin@ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms@ppgk.com.pl/emailAddress=adminms@ppgk.com.pl
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 1 reason=Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 2 LOGIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): LOGIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 2 reason=Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 3 PLAIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 3 reason=Client didn't present valid SSL certificate
Jul 7 14:34:07 ppgk-wa dovecot: pop3-login: Disconnected: method=PLAIN, rip=192.168.100.75, lip=192.168.100.77, TLS
Those two "Invalid certificate" lines, followed immediately by two "Valid certificate" lines seem suspicious.
Is there some configuration detail I might have missed or messed, or is it (probably) a bug?
Hello Michal,
Today I've been trying to get dovecot (1.0 rc2) to use certificates for client side authentication. If my memory serves right, beta8 had no problems with it (although it was some time ago and on different
I'm not using .rc2 yet, I'm using dovecot-20060612 with clientcerts / crls,
I'm not sure, but maybe this is the problem: After beta8 CRLchecking was added, ssl_ca_file should be a file with the ca_cert followed by a crl. (certificate revocation list)
If this is the problem, you can:
- generate a crl, add the crl to ca_cert.pem (crl in PEM format) or
- comment out the crlchecking code in ssl_proxy_openssl.c, it's in the ssl-proxy_init() function, between #if OPENSSL_VERSION_NUMBER>= 0x00907000L and the matching #endif, and recompile
One other thing to notice: ssl_proxy_get_peer_name now returns the CommonName from the client certificate, and not the whole DN!
Those two "Invalid certificate" lines, followed immediately by two "Valid certificate" lines seem suspicious.
I think that's because ssl-verify_client_cert() returns 1. I've seen the same behaviour here. Change it to preverify_ok, then it should log verification error messages (and drop the connection in case of an invalid client certificate)
success!
--
regards,
HenkJan Wolthuis
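As an added example, not code from this thread or from Dovecot, this builds the ssl_ca_file layout HenkJan describes (CA certificate followed by a PEM CRL) with the openssl command line tool and checks a client certificate against it with CRL checking, which is the check that fails when the CRL is missing; every certificate, name and path here is constructed for the demonstration.

```shell
# Added example, not from the thread or from Dovecot: build ssl_ca_file as
# "CA certificate followed by a PEM CRL" and check a client certificate
# against it with CRL checking. Assumes the openssl CLI; every certificate,
# subject name and path below is constructed for the demonstration.
# rebuild_bundle: run inside the CA directory; issue the CRL from the CA
# database and append it to the CA certificate (the file Dovecot loads)
rebuild_bundle() {
  openssl ca -config ca.cnf -gencrl -keyfile ca_key.pem -cert ca_crt.pem \
    -out ca_crl.pem 2>/dev/null
  cat ca_crt.pem ca_crl.pem > ssl_ca_file.pem
}
# make_ca_bundle DIR: constructed root CA, one client certificate signed
# by it, an empty CRL, and DIR/ssl_ca_file.pem holding cert + CRL
make_ca_bundle() (
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=RootCA" \
    -keyout ca_key.pem -out ca_crt.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=adminms@ppgk.com.pl" \
    -keyout user_key.pem -out user_csr.pem 2>/dev/null
  openssl x509 -req -in user_csr.pem -CA ca_crt.pem -CAkey ca_key.pem \
    -CAcreateserial -days 365 -out user_crt.pem 2>/dev/null
  # Minimal "openssl ca" setup: only what -gencrl and -revoke need
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = crl_only
[ crl_only ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
  : > index.txt
  echo 01 > crlnumber
  rebuild_bundle
)
# verify_client DIR CERT: succeeds only if CERT chains to the CA in the
# bundle and a CRL from that CA is present and does not list it
verify_client() {
  openssl verify -crl_check -CAfile "$1/ssl_ca_file.pem" "$2" >/dev/null 2>&1
}
# revoke_client DIR CERT: mark CERT revoked, then reissue CRL and bundle
revoke_client() (
  cd "$1"
  openssl ca -config ca.cnf -keyfile ca_key.pem -cert ca_crt.pem \
    -revoke "$2" 2>/dev/null
  rebuild_bundle
)
```

Pointing ssl_ca_file at the resulting ssl_ca_file.pem gives Dovecot both the CA certificate and the CRL it looks for; rerun rebuild_bundle whenever a certificate is revoked.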
HenkJan Wolthuis wrote:
I'm not using .rc2 yet, i'm using dovecot-20060612 with clientcerts / crls,
I'm not sure, but maybe this is the problem: After beta8 CRLchecking was added, ssl_ca_file should be a file with the ca_cert followed by a crl. (certificate revocation list)
If this is the problem, you can:
- generate a crl, add the crl to ca_cert.pem (crl in PEM format) or
That was it. Everything works beautifully now, thanks.
Michal Soltys wrote:
HenkJan Wolthuis wrote:
I'm not using .rc2 yet, i'm using dovecot-20060612 with clientcerts / crls,
I'm not sure, but maybe this is the problem: After beta8 CRLchecking was added, ssl_ca_file should be a file with the ca_cert followed by a crl. (certificate revocation list)
If this is the problem, you can:
- generate a crl, add the crl to ca_cert.pem (crl in PEM format) or
That was it. Everything works beautifully now, thanks.
I'm trying to get my setup to use certificates for identifying users and also making sure that everyone can run TLS. I have a CA that I have created an intermediate root from that in turn creates the client certificates and something is not working correct on rc2.
My settings are these:
ssl_cert_file = /etc/ssl/postfix/server.boxed.no.pem
ssl_key_file = /etc/ssl/postfix/server.boxed.no.pem
ssl_ca_file = /etc/ssl/postfix/xxx.boxed.no.crt
ssl_verify_client_cert = yes
and under the auth section:
ssl_require_client_cert = yes
ssl_username_from_cert = yes
When running with "verbose_ssl = no" I get this in my logs when a client tries to connect:
Jul 11 06:41:17 server dovecot: Dovecot v1.0.rc2 starting up
Jul 11 06:41:23 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx@boxed.no
Jul 11 06:41:23 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx@boxed.no
Jul 11 06:41:24 server dovecot: imap-login: Aborted login: rip=4.3.2.1, lip=1.2.3.4, TLS
But when I turn on verbose_ssl I get this:
Jul 11 06:41:45 server dovecot: Dovecot v1.0.rc2 starting up
Jul 11 06:42:03 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Oslo/O=Client/OU=Internal/CN=client.boxed.no/emailAddress=test@boxed.no
Jul 11 06:42:04 server dovecot: imap-login: Aborted login: rip=4.3.2.1, lip=1.2.3.4, TLS
I've gone over and made sure that the CA cert is the most recent and that it includes a PEM formatted CRL at the bottom. The CA cert used is composed in the order:
- Root CA
- Intermediate CA
- CRL
Any takes as to what is not playing here?
-A
Alexander Hoogerhuis wrote:
I've gone over and made sure that the CA cert is the most recent and that it includes a PEM formatted CRL at the bottom. The CA cert used is composed in the order:
- Root CA
- Intermediate CA
- CRL
Any takes as to what is not playing here?
-A
Also, as a slight followup to myself and one more question: is it possible to make dovecot use only the certificate as authentication and have no more need for passwords? I've tried to tweak it to happen, but can't seem to make it work either.
-A