[Dovecot] ssl_require_crl does not work as expected
dovecot.pkoch at dfgh.net
dovecot.pkoch at dfgh.net
Sun Apr 7 14:19:04 EEST 2013
Hi
I'm trying to use dovecot with client certificates. We produce our
certificates with our
on CA and we do NOT use certificate revocation lists.
So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution
neither
in the wiki nor somewhere else, so I finally started to read the source.
My impression is that openssl will always try to use CRLs. If
"ssl_require_crl = no"
dovecot will use CRLs but tries to ignore openssl error codes
X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.
This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871,
namely
i_info("proxy=%d, require_crl=%d, error=%d",
proxy->client_proxy, proxy->set->ssl_require_crl, ctx->error
);
if (proxy->client_proxy && !proxy->set->ssl_require_crl &&
(ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL ||
ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) {
/* no CRL given with the CA list. don't worry about it. */
preverify_ok = 1;
}
With my setup proxy->client_proxy is 0. I added the i_info() to check
this and with this modification my syslog shows:
Apr 7 13:01:16 d600 dovecot: master: Dovecot v2.1.15 starting up (core
dumps disabled)
Apr 7 13:01:21 d600 dovecot: auth: Debug: Loading modules from directory:
/usr/dovecot/lib/dovecot/auth
Apr 7 13:01:21 d600 dovecot: auth: Debug: auth client connected (pid=26175)
Apr 7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3
Apr 7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to
get certificate CRL: /CN=...user cert.../C=DE
Apr 7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3
Apr 7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to
get certificate CRL: /CN=...intermedieate cert.../C=DE
Apr 7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3
Apr 7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to
get certificate CRL: /CN=Root-CA.../C=DE
I dont know what the proxy-stuff is about so instead of ignoring CRL-related
errors I tried to disable CRL-checking. I therefore commented out two lines
in
ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely:
// X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
// X509_V_FLAG_CRL_CHECK_ALL);
This tells OpenSSL not to check CRLs. Of course in production code this
should be done only if "ssl_require_crl = no".
Similar code is contained in iostream-openssl-context.c,
namely in routine ssl_iostream_ctx_verify_remote_cert()
Is this a bug?
Peter
More information about the dovecot
mailing list