[Dovecot] ssl_require_crl does not work as expected
Hi
I'm trying to use dovecot with client certificates. We produce our certificates with our on CA and we do NOT use certificate revocation lists.
So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source.
My impression is that openssl will always try to use CRLs. If "ssl_require_crl = no" dovecot will use CRLs but tries to ignore openssl error codes X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.
This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871, namely
i_info("proxy=%d, require_crl=%d, error=%d", proxy->client_proxy, proxy->set->ssl_require_crl, ctx->error ); if (proxy->client_proxy && !proxy->set->ssl_require_crl && (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL || ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) { /* no CRL given with the CA list. don't worry about it. */ preverify_ok = 1; }
With my setup proxy->client_proxy is 0. I added the i_info() to check this and with this modification my syslog shows:
Apr 7 13:01:16 d600 dovecot: master: Dovecot v2.1.15 starting up (core dumps disabled) Apr 7 13:01:21 d600 dovecot: auth: Debug: Loading modules from directory: /usr/dovecot/lib/dovecot/auth Apr 7 13:01:21 d600 dovecot: auth: Debug: auth client connected (pid=26175) Apr 7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3 Apr 7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=...user cert.../C=DE Apr 7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3 Apr 7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=...intermedieate cert.../C=DE Apr 7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3 Apr 7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=Root-CA.../C=DE
I dont know what the proxy-stuff is about so instead of ignoring CRL-related errors I tried to disable CRL-checking. I therefore commented out two lines in ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely:
// X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | // X509_V_FLAG_CRL_CHECK_ALL);
This tells OpenSSL not to check CRLs. Of course in production code this should be done only if "ssl_require_crl = no".
Similar code is contained in iostream-openssl-context.c, namely in routine ssl_iostream_ctx_verify_remote_cert()
Is this a bug?
Peter
On 7.4.2013, at 14.19, dovecot.pkoch@dfgh.net wrote:
My impression is that openssl will always try to use CRLs. If "ssl_require_crl = no" dovecot will use CRLs but tries to ignore openssl error codes X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.
This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871, namely
if (proxy->client_proxy && !proxy->set->ssl_require_crl && (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL || ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) { /* no CRL given with the CA list. don't worry about it. */ preverify_ok = 1; }
After thinking enough about this, I kind of see what's happening:
The ssl_require_crl setting wasn't intended to do what you want it to do. It was meant for Dovecot proxying code where it needs to act as an SSL client to remote server. So the setting should instead have been named ssl_require_client_crl.
For server's client cert checks you should be able to simply generate an empty CRL I think?
I dont know what the proxy-stuff is about so instead of ignoring CRL-related errors I tried to disable CRL-checking. I therefore commented out two lines in ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely:
// X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | // X509_V_FLAG_CRL_CHECK_ALL);
If you remove the "proxy->client_proxy &&" check it should work just as well, I think?
Similar code is contained in iostream-openssl-context.c, namely in routine ssl_iostream_ctx_verify_remote_cert()
Now I'm wondering why this code works as SSL client even though I'm not reading CRLs anywhere.. I guess I should spend some time looking into how exactly CRLs should work.
participants (2)
-
dovecot.pkoch@dfgh.net
-
Timo Sirainen