[Dovecot] Authentication by certificats (a bug or my misconfiguration)

Michal Soltys nozo at ziu.info
Sat Jul 8 01:55:03 EEST 2006


Today I've been trying to get dovecot (1.0 rc2) to use certificates
for client side authentication. If my memory serves right, beta8
had no problems with it (although it was some time ago and on different
machine).

Similar setup works perfectly well for postfix (for authentication
that is, on the same machine). Originally I thought I overdid some
certificate settings (keyUsage, nsCertType, etc.), so for the
sake of testing I've simplified the setup to bare minimum - 1 simple
selfsigned root certificate, another 1 for dovecot, and the last
one for the user. Unfortunately, the results were the same.

Configuration:

OpenBSD 3.9 (stable branch), i386, no nfs or afs (only local ffs)
standard OpenSSL 0.9.7g (+ patches)
dovecot 1.0 rc2, compiled from sources, with sysconfdir set
	to /etc and with disabled pam

Tested with the most recent opera and mozilla thunderbird,
using pop3s. (note: both clients work with postfix, authetnicating
only by certificates). They do send requested certificates.

Important dovecot configuration:

ssl_cert_file = /etc/ssl/ca_ppgk/certs/pop3_crt.pem
	(common name - pop3.ppgk.com.pl, valid dns name)
ssl_key_file  = /etc/ssl/ca_ppgk/private/pop3_key.pem
ssl_ca_file   = /etc/ssl/ca_ppgk/ca_crt.pem
ssl_verify_client_cert = yes
verbose_ssl = yes
auth_verbose = yes

ssl_require_client_cert = yes
ssl_username_from_cert = (tested both with yes and no,
	with common name of user certificate set both as
	username at domain or as bare username)

The rest is just pretty standard, using passwd for both
user auth and userdb, with plain and login mechanisms allowed.

I tested "few" sets of certificates (for ca, server and user) with
configurations ranging from quite specific ones (with basicConstraints,
nsCertType, keyUsage, extendedKeyUsage fields set) to very simple ones
(basicConstraints + typical stuff like subjectKeyIdentifier). All of
them gave the same results with dovecot (postfix didn't complain with
any of them either).

This is what I get in logs, when trying to pull mail using opera or mozilla:

Jul  7 14:33:47 ppgk-wa dovecot: Dovecot v1.0.rc2 starting up
Jul  7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms at ppgk.com.pl/emailAddress=adminms at ppgk.com.pl
Jul  7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin at ppgk.com.pl
Jul  7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin at ppgk.com.pl
Jul  7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms at ppgk.com.pl/emailAddress=adminms at ppgk.com.pl
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH	1	PLAIN	service=POP3	secured	lip=192.168.100.77	rip=192.168.100.75	resp=<hidden>
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL	1	reason=Client didn't present valid SSL certificate
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH	2	LOGIN	service=POP3	secured	lip=192.168.100.77	rip=192.168.100.75	resp=<hidden>
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): LOGIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL	2	reason=Client didn't present valid SSL certificate
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH	3	PLAIN	service=POP3	secured	lip=192.168.100.77	rip=192.168.100.75	resp=<hidden>
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul  7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL	3	reason=Client didn't present valid SSL certificate
Jul  7 14:34:07 ppgk-wa dovecot: pop3-login: Disconnected: method=PLAIN, rip=192.168.100.75, lip=192.168.100.77, TLS


Those two "Invalid certificate" lines, followed immediately by two
"Valid certificate" lines seem suspicious.

Is there some configuration detail I might have missed or messed,
or is it (probably) a bug ?


More information about the dovecot mailing list