[Dovecot] Client certificate verification/authentication
I would like to use client certificate verification/authentication.
My MTA uses this function.
I have a problem making a valid certificate.
For my MTA I used:
openssl req -new -nodes -x509 -keyout user_key.pem -out user_req.pem -days 365
openssl ca -out user_signed.pem -infiles user_req.pem
openssl pkcs12 -in user_signed.pem -inkey user_key.pem -out user.p12 -export -name "user@hostname"
user.p12 works in my MTA.
Not in Dovecot... In my log I simply have: dovecot: auth(default): Client didn't present valid SSL certificate
Also, in the documentation:
The username is taken from the subject's DN's CommonName (http://wiki.dovecot.org/CommonName) field (using OpenSSL's X509_NAME_get_text_by_NID() function). But when I used openssl req -new -nodes -keyout user_key.pem -out user_req.pem -days 365, my common name is my hostname, not my username. I don't think that the option -name user@hostname (in the openssl manpage, -name is the friendly name)...
Sorry, but it's ambiguous for me...
On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
Not in Dovecot... In my log, i've simply : dovecot: auth(default): Client didn't present valid SSL certificate
Set verbose_ssl=yes and it should log more. It should then log either "Invalid certificate" or "Valid certificate". If it logged neither, then your client didn't send a certificate at all.
Timo Sirainen wrote:
On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
Not in Dovecot... In my log, i've simply : dovecot: auth(default): Client didn't present valid SSL certificate
Set verbose_ssl=yes and it should log more. It should then log either "Invalid certificate" or "Valid certificate". If it logged neither, then your client didn't send a certificate at all.
I've set this option.
I've created a trusted signed certificate, set up a CA and created a CRL. I have put the CRL in the CA certificate with cat ca-crl.pem >> ca.crt.pem. Also, my MUA uses the CRL at https://myhostname/crl.der
But I simply have this information in my log: Client didn't present valid SSL certificate
Very hard to debug.
When I turn off ssl_verify_client_cert and ssl_require_client_cert (but only ssl_require_client_cert posed a problem). I think that ssl_verify_client_cert is simply X509 verify, but I'm not sure, I haven't read the source...
I am trying to compile Dovecot without CRL usage to test it.
On Mon, 2007-06-04 at 11:39 +0200, eizert wrote:
Timo Sirainen wrote:
On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
Not in Dovecot... In my log, i've simply : dovecot: auth(default): Client didn't present valid SSL certificate
Set verbose_ssl=yes and it should log more. It should then log either "Invalid certificate" or "Valid certificate". If it logged neither, then your client didn't send a certificate at all.
I've set this option.
I've created a trusted signed certificate, set up a CA and created a CRL. I have put the CRL in the CA certificate with cat ca-crl.pem >> ca.crt.pem. Also, my MUA uses the CRL at https://myhostname/crl.der
But I simply have this information in my log: Client didn't present valid SSL certificate
Then I'd say the client didn't present any certificate at all to Dovecot. Are you sure the client even supports sending the certificate?
Sorry, but since my first message I have been working on openssl (newbie).
And now the certificates are valid, but authentication failed.
Participants (2): eizert, Timo Sirainen