ssl_verify_client_cert=yes does not require a client certificate
Hello, I am trying to set up LMTP over TLS. I have set ssl_verify_client_cert: protocol lmtp { ssl_ca = </etc/cert/mail/ca.pem ssl_cert = </etc/cert/mail/host.pem ssl_key = </etc/cert/mail/host.key ssl_verify_client_cert = yes } However, clients can still connect without presenting a valid certificate. In openssl_iostream_set() the flags given to SSL_set_verify() are SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE. For a certificate to be required, the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag also needs to be set: diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c index 5d11526f1..d8df96398 100644 --- a/src/lib-ssl-iostream/iostream-openssl.c +++ b/src/lib-ssl-iostream/iostream-openssl.c @@ -235,7 +235,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io, if (ssl_io->ctx->client_ctx) verify_flags = SSL_VERIFY_NONE; else - verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_set_verify(ssl_io->ssl, verify_flags, openssl_iostream_verify_client_cert); }
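Review bot: the hunk sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT unconditionally on the server branch (`verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;`), so every server-side context that reaches this SSL_set_verify() call will now abort the handshake when the peer presents no certificate, and openssl_iostream_verify_client_cert is not consulted for that case at all. The visible context does not show which callers enable verification, so please confirm that none of them depend on the old request-but-continue behaviour (verify a certificate when one is offered, defer the decision to the application), or gate the new flag on a separate setting, and spell out the changed meaning of ssl_verify_client_cert=yes in the commit message and the setting's documentation.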
As I understand it, you are able in the configuration to reject transactions with those that don't present a valid certificate. Ergo, they can connect, but they can't do anything.

-----Original message-----
From: dovecot-bounces@dovecot.org <dovecot-bounces@dovecot.org> On behalf of Hristo Venev
Sent: 27 March 2021 00:16
To: dovecot@dovecot.org
Subject: ssl_verify_client_cert=yes does not require a client certificate [invalid signature!]
I can connect and I can send mail to dovecot using LMTP without presenting a certificate:

$ ncat pmx1.venev.name INSERT_LMTP_PORT_HERE --ssl
220 pmx1.venev.name Dovecot ready.
MAIL FROM:<root@example.org>
250 2.1.0 OK
RCPT TO:<hristo@venev.name>
250 2.1.5 OK
DATA
354 OK
Subject: This message skipped the MTA and went straight to the MDA
.
250 2.0.0 <hristo@venev.name> kKAKEm/fXmCbwwAAdB6GMg Saved

On Sat, 2021-03-27 at 00:17 +0100, Sebastian wrote:
As I understand it, you are able in the configuration to reject transactions with those that don't present a valid certificate. Ergo, they can connect, but they can't do anything.
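The two server behaviours argued about in this thread, shown side by side as an added example (this is not Dovecot's code and not anything posted to the list): a Go program that runs TLS handshakes in-process against a server configured with crypto/tls's analogues of the OpenSSL verify flags, tls.VerifyClientCertIfGiven for SSL_VERIFY_PEER on its own and tls.RequireAndVerifyClientCert for SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The certificates, the names pmx1.example and mta.example, the loopback listener and the "220 ready" banner are all constructed for the example; the no-certificate client is the same thing the ncat --ssl session above does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate with a fresh P-256 key.
// Constructed for this example only; it stands in for ssl_cert/ssl_key and,
// on the client side, for the certificate an MTA would present.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}, parsed
}

// Verdict is the server's decision about one client handshake.
type Verdict struct {
	Accepted bool   // server-side Handshake() succeeded
	Reason   string // server-side error text when it did not
}

func (v Verdict) String() string {
	if v.Accepted {
		return "accepted"
	}
	return "rejected: " + v.Reason
}

// handshake runs one TLS handshake over a loopback TCP socket. mode plays the
// role of the SSL_set_verify() flags, trusted the role of ssl_ca, and
// clientCert == nil means the client sends no certificate at all.
func handshake(mode tls.ClientAuthType, server tls.Certificate, trusted *x509.CertPool, clientCert *tls.Certificate) Verdict {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()

	srvConf := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   mode,
		ClientCAs:    trusted,
	}
	cliConf := &tls.Config{InsecureSkipVerify: true} // client-side checks are not under test
	if clientCert != nil {
		cliConf.Certificates = []tls.Certificate{*clientCert}
	}

	done := make(chan Verdict, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- Verdict{false, err.Error()}
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		c := tls.Server(raw, srvConf)
		if err := c.Handshake(); err != nil {
			done <- Verdict{false, err.Error()}
			return
		}
		// Like an LMTP banner: only a client the server accepted ever sees it.
		c.Write([]byte("220 ready\r\n"))
		done <- Verdict{true, ""}
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		panic(err)
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, cliConf)
	// A TLS 1.3 client finishes its side before the server has judged the
	// certificate; reading the banner (or the alert) drains either outcome.
	if err := c.Handshake(); err == nil {
		buf := make([]byte, 64)
		c.Read(buf)
	}
	return <-done
}

func main() {
	serverCert, _ := selfSigned("pmx1.example")
	mtaCert, mtaLeaf := selfSigned("mta.example")
	impostorCert, _ := selfSigned("mta.example") // right name, wrong key, not in ssl_ca

	trusted := x509.NewCertPool()
	trusted.AddCert(mtaLeaf)

	// SSL_VERIFY_PEER alone: ask for a certificate, verify one if it arrives,
	// but let a client that sends none straight through (the behaviour seen on the list).
	fmt.Println("optional, no cert:       ", handshake(tls.VerifyClientCertIfGiven, serverCert, trusted, nil))
	fmt.Println("optional, untrusted cert:", handshake(tls.VerifyClientCertIfGiven, serverCert, trusted, &impostorCert))
	// SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: a missing certificate is itself a handshake failure.
	fmt.Println("required, no cert:       ", handshake(tls.RequireAndVerifyClientCert, serverCert, trusted, nil))
	fmt.Println("required, trusted cert:  ", handshake(tls.RequireAndVerifyClientCert, serverCert, trusted, &mtaCert))
}
```

Run it with go run; the second line shows that a certificate with the expected name but an unknown key is rejected in both modes, so the extra flag only changes the outcome for the client that sends nothing, which is exactly the ncat case.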