[Dovecot] Authentication by certificats (a bug or my misconfiguration)
    Alexander Hoogerhuis 
    alexh at boxed.no
       
    Tue Jul 11 07:49:41 EEST 2006
    
    
  
Michal Soltys wrote:
> HenkJan Wolthuis wrote:
> 
>> I'm not using .rc2 yet, i'm using dovecot-20060612 with clientcerts / 
>> crls,
>>
>> I'm not sure, but maybe this is the problem:
>> After beta8 CRLchecking was added, ssl_ca_file should be a file with 
>> the ca_cert followed by a crl. (certificate revocation list)
>>
>> If this is the problem, you can:
>> 1) generate a crl, add the crl to ca_cert.pem (crl in PEM format)
>> or
> 
> That was it. Everything works beautifully now, thanks.
> 
I'm trying to get my setup to use certificates for identifying users and 
also making sure that everyone can run TLS. I have a CA that I have 
created an intermediate root from that in turn creates the client 
certificates and something is not working correct on rc2.
My settings are these:
> ssl_cert_file = /etc/ssl/postfix/server.boxed.no.pem
> ssl_key_file = /etc/ssl/postfix/server.boxed.no.pem
> ssl_ca_file = /etc/ssl/postfix/xxx.boxed.no.crt
> ssl_verify_client_cert = yes
and under the auth section:
>   ssl_require_client_cert = yes
>   ssl_username_from_cert = yes
When running with "verbose_ssl = no" I get this in my logs when a client 
tries to connect:
> Jul 11 06:41:17 server dovecot: Dovecot v1.0.rc2 starting up
> Jul 11 06:41:23 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx at boxed.no
> Jul 11 06:41:23 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx at boxed.no
> Jul 11 06:41:24 server dovecot: imap-login: Aborted login: rip=4.3.2.1, lip=1.2.3.4, TLS
But when I turn on verbose_ssl I get this:
> Jul 11 06:41:45 server dovecot: Dovecot v1.0.rc2 starting up
> Jul 11 06:42:03 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx at boxed.no
> Jul 11 06:42:03 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx at boxed.no
> Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx at boxed.no
> Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx at boxed.no
> Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Oslo/O=Client/OU=Internal/CN=client.boxed.no/emailAddress=test at boxed.no
> Jul 11 06:42:04 server dovecot: imap-login: Aborted login: rip=4.3.2.1, lip=1.2.3.4, TLS
I've gone over and made sure that the CA cert is the most recent and 
that it includes a PEM formatted CRL at the bottom. The CA cert used is 
composed in the order:
1. Root CA
2. Intermediate CA
3. CRL
Any takes as to what is not playing here?
-A
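An added check, not part of the thread or of Dovecot itself: it rebuilds the ssl_ca_file layout described above (root CA, intermediate CA, PEM CRL) from throwaway keys and runs `openssl verify -crl_check` against it with and without the CRL, which is the quickest way to tell a bad CA file apart from a Dovecot problem. All subject names and file names are constructed for the demo.

```shell
set -e
W=$(mktemp -d); cd "$W"
# Extensions that mark a certificate as a CA (needed on root and intermediate,
# otherwise "openssl verify" rejects the chain as an invalid CA certificate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA, self-signed. Subject names are constructed for this demo.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
  -out root.crt 2>/dev/null
# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null
# Client certificate signed by the intermediate (with ssl_username_from_cert
# the CN is what Dovecot would use as the login name).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client.example.test' \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 1 -in client.csr -CA int.crt -CAkey int.key \
  -CAcreateserial -out client.crt 2>/dev/null
# An empty CRL issued by the intermediate. "openssl ca -gencrl" insists on a
# config with a database file even when nothing has been revoked.
printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ndefault_md=sha256\ndefault_crl_days=1\n' > ca.cnf
: > index.txt
openssl ca -gencrl -config ca.cnf -keyfile int.key -cert int.crt \
  -out int.crl 2>/dev/null

# ssl_ca_file in the order the post describes: root CA, intermediate CA, CRL.
cat root.crt int.crt int.crl > ssl_ca_file.pem
# The same file without the CRL, the layout the earlier reply in the thread fixed.
cat root.crt int.crt > no_crl.pem

# verify_client CAFILE CERT: exit 0 when CERT chains to CAFILE and its issuer's
# CRL is present and valid, the conditions a CRL-checking verifier applies.
verify_client() {
  openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

verify_client ssl_ca_file.pem client.crt && echo "with CRL: client cert valid"
verify_client no_crl.pem client.crt || echo "without CRL: rejected, no CRL for issuer"
```

If the real file fails this check while the demo passes, the problem is in the CA file (missing or stale CRL, wrong issuer, wrong order), not in the daemon.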