[Dovecot] 1.0rc26: ssl_verify_client=yes ?
Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior: Stop the SSL (the client doesn't have a cert installed)
Current behavior: Mail clients accepts SSL and login succeeds. (both Evolution and Thunderbird).
My bad? Please advise.
Q2) The next step, if dovecot blocks the client because of the verify_client_cert, how to create certs for OE, Evolution and Thunderbird?
Thanks, Leroy
Server type: Linux Red Hat ES 4.4 (32bit)
# ./dovecot -n # /drbd/imap/dovecot-1.0.rc26/etc/dovecot.conf log_path: /drbd/imap/dovecot-1.0.rc26/var/dovecot.log protocols: imaps listen: a.b.c.39:143 ssl_listen: a.b.c.39:993 ssl_ca_file:/drbd/imap/dovecot-1.0.rc26/etc/certs/CA/cacert_with_crl.pem ssl_cert_file:/drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-signedcertificate.pem ssl_key_file:/drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-privatekey.pem ssl_verify_client_cert: yes verbose_ssl: yes login_dir: /drbd/imap/dovecot-1.0.rc26/var/run/dovecot/login login_executable: /drbd/imap/dovecot-1.0.rc26/libexec/dovecot/imap-login verbose_proctitle: yes mail_extra_groups: mail mail_location: mbox:~/:INBOX=/var/mail/%u mmap_disable: yes mbox_write_locks: fcntl dotlock imap_client_workarounds: delay-newmail outlook-idle auth default: mechanisms: plain login digest-md5 cram-md5 verbose: yes passdb: driver: passwd-file args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra passdb: driver: pam userdb: driver: passwd-file args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra userdb: driver: passwd
Details (LONG) follow:
# cat cacert_with_crl.pem -----BEGIN CERTIFICATE----- MIICxzCCAjCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBE ZWxmdCBIeWRyYXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBI b2xsYW5kMQswCQYDVQQGEwJOTDAeFw0wNzAzMDgxMjE1MzhaFw0xNzAzMDUxMjE1 MzhaMFIxHDAaBgNVBAoTE1dMIERlbGZ0IEh5ZHJhdWxpY3MxDjAMBgNVBAcTBURl bGZ0MRUwEwYDVQQIEwxadWlkIEhvbGxhbmQxCzAJBgNVBAYTAk5MMIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQCp4s55PxpcEgk1KhAJ3DA/DXKHBtUoAE3K273t 1nJzuAujA0mfVtpinDdpreHp53bVGSN5xIDZ+Ljy8wW7lPB5YSwBQFbIoFx/6NkI QPkYeVZ0NrFC1g2tZRD4ObRkqFuApr60+NokY+e3KuInnCdAf0Itb4VVolMvWccz vqdJBQIDAQABo4GsMIGpMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFPynIoyRPF2s UiGO+3RQr2pThXzQMHoGA1UdIwRzMHGAFPynIoyRPF2sUiGO+3RQr2pThXzQoVak VDBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRyYXVsaWNzMQ4wDAYDVQQHEwVEZWxm dDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQswCQYDVQQGEwJOTIIBADANBgkqhkiG 9w0BAQQFAAOBgQAtRPC7laBPuOMAein4ZXjxSia6l7XjpAI/A2bXFvbV1ulNzbno KYbeqfv6zp1SLWrKvwGeu4DrHLe098ATADqLWANqNqfI5t40nND1rsfGmjGTOJ7v /Q53AaTXEBn2D1ZIqGMUuFOXv0BFi1U2BmPyTt6hlZ1D7wTERxo0UGXFXw== -----END CERTIFICATE----- -----BEGIN X509 CRL----- MIIBFzCBgTANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRy YXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQsw CQYDVQQGEwJOTBcNMDcwMzA4MTIyODE5WhcNMDcwNDA3MTIyODE5WjANBgkqhkiG 9w0BAQQFAAOBgQBnXWqvR9oS674EyNHYoOmv0KeFcVqLOUpR7bVGbMYvCsMc56yy E473NULD0EL0BZFMgGdN05e53KLnOoLiuvFuhCAxZW7o7f72lJC+wegFwROp7OOc aKJ5lumaZ86Xb0uM8N/yJ/5xxCubrt1TYGQYPTjoQo4rJccpFy8aeqNDrA== -----END X509 CRL-----
]# cat imaps-signedcertificate.pem -----BEGIN CERTIFICATE----- MIICHTCCAYYCAQEwDQYJKoZIhvcNAQEEBQAwUjEcMBoGA1UEChMTV0wgRGVsZnQg SHlkcmF1bGljczEOMAwGA1UEBxMFRGVsZnQxFTATBgNVBAgTDFp1aWQgSG9sbGFu ZDELMAkGA1UEBhMCTkwwHhcNMDcwMzA4MTIyMDA2WhcNMDgwMzA3MTIyMDA2WjBc MQswCQYDVQQGEwJOTDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMRwwGgYDVQQKExNX TCBEZWxmdCBIeWRyYXVsaWNzMRgwFgYDVQQDEw9pbWFwLndsZGVsZnQubmwwgZ8w DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlEnCZu2o7LGp1x1rwBY2nZJH49L7by F8GVRpnoi7wnvXV11Iy7JUd0qbyBDWNn6EiBJ2YMemSmceVpXtyxI6wbBqmq0kgn 1VmglFUcYXRx6mkXuMx17OXpqSB9jNU22ldn20h/Xr1yhJ8W/RpohG9u6jebFiF3 qJXdyjXJqPSBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAVwOhL3FICQeMJOSxil2S K1TiN+6zjrVDq7L7t7myOkWJA6hrZcPWQZfCV5ZoWaG8nREdesKAQBRvkT6uwmcJ 3pYpc/iBTtmwCpEVjfv0Ki9VwXpWuRo0FcQkrc8MVbclwnkGmtPAJAY7Dz7U/uBf w4N5cj1pfHltVEeD9Jb9tBo= -----END CERTIFICATE-----
# cat imaps-privatekey.pem -----BEGIN RSA PRIVATE KEY----- <better not include this :)> -----END RSA PRIVATE KEY-----
On Thu, 2007-03-08 at 13:51 +0100, Leroy van Logchem wrote:
Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior: Stop the SSL (the client doesn't have a cert installed)
Current behavior: Mail clients accepts SSL and login succeeds. (both Evolution and Thunderbird).
My bad? Please advise.
You'll also need to set ssl_require_client_cert=yes in auth section. I added that now to ssl_verify_client_cert's comments.
Q2) The next step, if dovecot blocks the client because of the verify_client_cert, how to create certs for OE, Evolution and Thunderbird?
I don't think most clients support SSL client certificates at all, although I know some people are using them with some clients.. Maybe someone could add a list of the clients supporting them into wiki.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 8 Mar 2007, Timo Sirainen wrote:
Q2) The next step, if dovecot blocks the client because of the verify_client_cert, how to create certs for OE, Evolution and Thunderbird?
I don't think most clients support SSL client certificates at all, although I know some people are using them with some clients.. Maybe someone could add a list of the clients supporting them into wiki.
Er, a dummy question, I guess: Can you use client certs to login into Dovecot? Aka can use the certs as "passdb"?
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBRfAuai9SORjhbDpvAQJawwf+KEDX2WMvc2Xt7db+UQr3nUdrNkRlY1rm qjAw78Lysfq+Bxl/49s11x/mN+zbAaVR28feGyRlFFeUmrdgOKWgz61nhueDxRSR apYMtCw4/GVEMQlJWl5Rvum+uZQiawnszPInwpjfHcJrhuPq+n2yEIQxukPesKpO T9avqJIhoN1Q7+DG0J9DINg/I2wHyhKaMudDKu0xewKr0rR1hDW9HpzdM/f0CVYO BXnS9FS130VAQJAYOiZe/BezyX41b2hBgS4E7zYgYZdEw3g/HgAAAo3vbYlWnuh4 VjUgLfN7yqu4OVoFxqkaBtCxF7K01nTSMbuutC5VXpmkExhJIcm6Pw== =bhZg -----END PGP SIGNATURE-----
On Thu, 2007-03-08 at 16:40 +0100, Steffen Kaiser wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 8 Mar 2007, Timo Sirainen wrote:
Q2) The next step, if dovecot blocks the client because of the verify_client_cert, how to create certs for OE, Evolution and Thunderbird?
I don't think most clients support SSL client certificates at all, although I know some people are using them with some clients.. Maybe someone could add a list of the clients supporting them into wiki.
Er, a dummy question, I guess: Can you use client certs to login into Dovecot? Aka can use the certs as "passdb"?
Yes. It will still need some passdb, but you could use null password and ssl_username_from_cert=yes settings in which case it doesn't matter what user/password is used to log in.
But it circumvents Dovecot's login/auth process security model, so I don't recommend it that much. Maybe some day I'll make login process forward the client cert to dovecot-auth which does the actual verification.
You'll also need to set ssl_require_client_cert=yes in auth section. I added that now to ssl_verify_client_cert's comments.
Confirmed: "Client didn't present valid SSL certificate" Thanks for the swift response :)
Q2) The next step, if dovecot blocks the client because of the verify_client_cert, how to create certs for OE, Evolution and Thunderbird?
I don't think most clients support SSL client certificates at all, although I know some people are using them with some clients.. Maybe someone could add a list of the clients supporting them into wiki.
Comments are welcome while figuring it out. I'll reply with a few lines of howto when it works.
participants (3)
-
Leroy van Logchem
-
Steffen Kaiser
-
Timo Sirainen