CA certs for Dovecot-as-client (proxy)
Hi,
When using proxy=y, ssl=yes (Dovecot 2.3.13) I consistently get this logged when trying to validate the remote server cert.
"Disconnected by server: Connection closed: Received invalid SSL certificate: unable to get local issuer certificate: /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2 (check ssl_client_ca_* settings?)"
As I read the 2.3.x documentation (and the error logged) Dovecot needs to have the trusted CA cert with ssl_client_ca_file or ssl_client_ca_dir.
So, I've tried every combination of putting the cert (and the GlobalSign root CA signing it) in ssl_client_ca_dir and individually and as a bundle in ssl_client_ca_file without luck.
But even though I can verify the cert with "openssl s_client -connect" and with "openssl verify", no matter what I put in the ssl_client_ca_* settings it seems Dovecot just ignores it.
It does complain though, if I point it to a non-existent file, but not if I just fill the file with invalid cert data which can't be parsed.
I end up getting in doubt whether it consults the cert data at all.
I'm a bit at a loss on how to debug this further, short of running it in gdb. "verbose_ssl" doesn't really say anything about the process of finding a CA cert to check with.
Have I misunderstood the config?
/Peter
On 21/04/2021 12:56 Peter Mogensen apm@b-one.net wrote:
Hi!
This is unfortunately a bug, see note in https://doc.dovecot.org/configuration_manual/authentication/proxies/
"ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying the remote certificate, although ideally they will be in a future Dovecot version. For now you need to add the trusted remote certificates to ssl_ca."
Aki
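As an added illustration of the workaround Aki points to (this is not configuration from the original thread or from the Dovecot project), the fragment below shows a 2.3.x proxy setup with the remote CA material in the setting Dovecot actually consults, next to the settings that are read but not used for this purpose. The file paths, the backend hostname and the static passdb layout are assumptions.

```conf
# conf.d/10-ssl.conf (path assumed)
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

# In 2.3.13 these are parsed (a missing file is reported at startup) but
# are NOT consulted when verifying the remote server certificate while
# proxying, so a bundle here alone still ends in
# "unable to get local issuer certificate".
#ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
#ssl_client_ca_dir = /etc/ssl/certs

# Workaround from the proxies documentation: put the trusted remote CA
# chain (intermediate AND root, PEM, concatenated) into ssl_ca.
# Caveat: ssl_ca is also the trust list for incoming client-certificate
# verification. If ssl_verify_client_cert = yes is enabled, client
# certificates issued by these CAs will pass the TLS verification step
# too, so keep the file limited to the CAs the backend actually uses.
ssl_ca = </etc/dovecot/remote-ca-chain.pem

# conf.d/auth-proxy.conf.ext (path assumed): a static passdb that sends
# every login to one backend over TLS and requires a valid certificate.
passdb {
  driver = static
  # ssl=yes requires the remote certificate to chain to ssl_ca.
  # ssl=any-cert would accept any certificate and defeats the check.
  # nopassword=y forwards the user's own password to the backend.
  args = proxy=y host=imap-backend.example.com port=993 ssl=yes nopassword=y
}
```

Build remote-ca-chain.pem from the same intermediate and root that make "openssl verify -CAfile remote-ca-chain.pem backend.pem" succeed, then confirm with "doveconf -n | grep ssl_ca" that the path is picked up and reload Dovecot; the proxy-side error should disappear without touching ssl_client_ca_*.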
On Wednesday, April 21, 2021 2:13:01 AM AKDT Aki Tuomi wrote:
FWIW, I always thought Aki was a man's name, but they're calling it a baby girl's name if you look it up on Google. You couldn't make this stuff up if you tried.
- https://www.thebump.com/b/aki-baby-name
I don't like the Microsoft-dominated scene here any more than anyone else does. If a guy has to clear his throat in a court of law or something like that over every little bug or issue to have it fixed, then there's quite a mob of organized criminal spammers on the mailing list, and of course the law enforcement community is always on their side when they spam vice pills down our throats via e-mail.
participants (3): Aki Tuomi, justina colmena ~biz, Peter Mogensen