Version: 2.1.4 OS: Gentoo stable/amd64 OpenSSL version: 1.0.0h

I'm having a slight problem with the client certificates in Dovecot 2.1.4. I've set-up the client certificate verification/authentication, and it seems that Dovecot is choking on the trustchain with CRL's that I'm providing to it (attached to this mail).

When I enable the client authentication using certificates, and pick the certificate from my client (I've also tried it out with gnutls-cli as well), I get the following errors in Dovecot's log:

imap-login: Info: Invalid certificate: Different CRL scope: /CN=Example Root CA/O=Example Inc./C=RS

As per the wiki2 configuration page, I've set up the truststore in the following order (everything PEM-encoded):

Example Person CA Certificate Example Person CA CRL Example Root CA Certificate Example Root CA CRL

Person CA is the one issuing the end-entity certificates, of course. I'm also attaching the certificate I've used for testing.

On additional note, the imap-login process also got stuck writing out the error message to the log file, refusing to die when receiving the SIGTERM (had to send SIGKILL).

A similar set-up used to work under Dovecot in Debian Squeeze (version 1.2.15). The same file copied over to Dovecot 2.1.4's configuration won't work.

I've compiled Dovecot by hand, and I'm not running it in any kind of chroot (this is a developer set-up so I could add support for rfc822Name username extraction I mentioned a week or so ago without messing around as root).

Best regards

-- Branko Majic Jabber: branko@majic.rs Please use only Free formats when sending attachments to me.

Бранко Мајић Џабер: branko@majic.rs Молим вас да додатке шаљете искључиво у слободним форматима.