[Dovecot] Dovecot and SSL certificates
Hello,
we're running RC2 and seeing a problem with the way SSL certs are handled by Dovecot.
We've set ssl_verify_client_cert=yes and ssl_require_valid_client_cert=no.
Using this setup we get (rather interesting) log entries like these:
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Login: user=...
When setting ssl_require_valid_client_cert=yes, logins always fail with:
Jul 31 11:57:54 dev dovecot: auth(default): PLAIN(?,...): Client didn't present valid SSL certificate
Are we doing something wrong, or is dovecot mixing up something while checking the certificates?
Note that the certificates are all valid and have not expired. The <user cert> is signed by the <CA cert> and we set ssl_ca_file to the CA certificate PEM file.
Ideally, we'd like to only accept login requests from users which have a valid certificate signed by our CA. Even better would be an approach such as the one taken by Postfix where you have to provide a list of valid MD5 hash sums for the users you'd like to accept.
Thanks,
Marc-Andre Lemburg eGenix.com
Professional Python Services directly from the Source (#1, Jul 31 2006)
Python/Zope Consulting and Support ... http://www.egenix.com/ mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::
Hello,
> Note that the certificates are all valid and have not expired. The <user cert> is signed by the <CA cert> and we set ssl_ca_file to the CA certificate PEM file.
CRL checking was introduced somewhere after beta8. If you use openssl > 0.9.7, the ssl_ca_file should contain the CA certificate _and_ the CRL for your CA, both in PEM format.
Hope this helps,
--
groeten,
HenkJan Wolthuis
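As an added example (not part of this thread, and not Dovecot's own code): the fix described above is that ssl_ca_file has to carry both the CA certificate and the CA's CRL as PEM blocks in one file, otherwise every client certificate is reported as invalid once CRL checking is active. The following stdlib-only Python checker parses such a bundle and reports what PEM objects it actually contains, so a file that is missing the CRL or has a truncated block is caught before users see "Client didn't present valid SSL certificate". The PEM bodies in the sample bundles are constructed placeholders (a five-byte DER SEQUENCE), not real certificates; the function and variable names are this example's own.

```python
"""Check that a Dovecot ssl_ca_file bundle holds a CA certificate *and* a CRL.

Added example, not from the mailing-list thread or from Dovecot itself.
Only the standard library is used, so the checker can run on the mail host
without extra packages. It does not validate signatures; it verifies that the
file is shaped the way the thread says it must be: PEM CERTIFICATE block(s)
plus an X509 CRL block, each decoding to DER that starts with a SEQUENCE tag.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass
from typing import List

# One PEM object: -----BEGIN <label>----- base64 body -----END <label>-----
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
_CERT_LABELS = ("CERTIFICATE", "X509 CERTIFICATE")
_CRL_LABEL = "X509 CRL"


@dataclass
class PemObject:
    label: str          # "CERTIFICATE", "X509 CRL", ...
    der_len: int        # decoded length in bytes (0 if decoding failed)
    well_formed: bool   # base64 decoded and DER begins with SEQUENCE (0x30)


def parse_pem_bundle(text: str) -> List[PemObject]:
    """Split a PEM bundle into its objects and sanity-check each body."""
    objects = []
    for m in _PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())      # drop line breaks
        try:
            der = base64.b64decode(body, validate=True)
            ok = len(der) > 0 and der[0] == 0x30      # DER SEQUENCE tag
        except (binascii.Error, ValueError):
            der, ok = b"", False
        objects.append(PemObject(m.group("label"), len(der), ok))
    return objects


def check_ca_file(text: str) -> List[str]:
    """Return a list of problems; an empty list means the bundle looks usable."""
    objs = parse_pem_bundle(text)
    problems = []
    if not any(o.label in _CERT_LABELS for o in objs):
        problems.append("no CA certificate block found")
    if not any(o.label == _CRL_LABEL for o in objs):
        problems.append("no CRL block found (needed once Dovecot/OpenSSL does CRL checking)")
    for o in objs:
        if not o.well_formed:
            problems.append(f"{o.label} block is not valid base64/DER (truncated or corrupted?)")
        elif o.label not in _CERT_LABELS + (_CRL_LABEL,):
            problems.append(f"unexpected PEM object {o.label!r} in ssl_ca_file")
    return problems


def check_ca_file_path(path: str) -> List[str]:
    """Convenience wrapper: run check_ca_file() on the file named in ssl_ca_file."""
    with open(path, "r", encoding="ascii") as fh:
        return check_ca_file(fh.read())


# Constructed sample data: "MAMCAQE=" is base64 of the five DER bytes
# 30 03 02 01 01 (SEQUENCE { INTEGER 1 }), standing in for real content.
CA_CERT_BLOCK = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CRL_BLOCK = "-----BEGIN X509 CRL-----\nMAMCAQE=\n-----END X509 CRL-----\n"
TRUNCATED_CERT_BLOCK = "-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n"

GOOD_BUNDLE = CA_CERT_BLOCK + CRL_BLOCK        # what the thread says ssl_ca_file needs
CA_ONLY_BUNDLE = CA_CERT_BLOCK                 # the original poster's situation
TRUNCATED_BUNDLE = TRUNCATED_CERT_BLOCK + CRL_BLOCK

if __name__ == "__main__":
    # Usage: python check_ca_file.py /etc/ssl/dovecot-ca.pem
    if len(sys.argv) == 2:
        problems = check_ca_file_path(sys.argv[1])
    else:
        problems = check_ca_file(CA_ONLY_BUNDLE)
    print("OK" if not problems else "\n".join(problems))
```

Run against the real file named in ssl_ca_file it prints OK or one line per problem; with no argument it demonstrates the CA-only case from the thread, which reports the missing CRL.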
HenkJan Wolthuis wrote:
> Hello,
> Note that the certificates are all valid and have not expired. The <user cert> is signed by the <CA cert> and we set ssl_ca_file to the CA certificate PEM file.
> CRL checking was introduced somewhere after beta8. If you use openssl > 0.9.7, the ssl_ca_file should contain the CA certificate _and_ the CRL for your CA, both in PEM format.
> Hope this helps,
Thanks for the hint, HenkJan !
Adding the CRL PEM to the certificate file indeed fixes the problem with ssl_require_client_cert = yes not working.
dovecot now reports valid certificates. The invalid certificate notices are gone.
-- Marc-Andre Lemburg eGenix.com