[Dovecot] ssl_require_crl does not work as expected

dovecot.pkoch at dfgh.net dovecot.pkoch at dfgh.net
Sun Apr 7 14:19:04 EEST 2013


Hi

I'm trying to use dovecot with client certificates. We produce our
certificates with our own CA and we do NOT use certificate revocation lists.

So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution
in the wiki or anywhere else, so I finally started to read the source.

My impression is that openssl will always try to use CRLs. If
"ssl_require_crl = no", dovecot will use CRLs but tries to ignore the openssl
error codes X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.

This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871,
namely:

i_info("proxy=%d, require_crl=%d, error=%d",
        proxy->client_proxy, proxy->set->ssl_require_crl, ctx->error
);
if (proxy->client_proxy && !proxy->set->ssl_require_crl &&
    (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL ||
     ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) {
        /* no CRL given with the CA list. don't worry about it. */
        preverify_ok = 1;
}

With my setup proxy->client_proxy is 0. I added the i_info() to check
this and with this modification my syslog shows:

Apr  7 13:01:16 d600 dovecot: master: Dovecot v2.1.15 starting up (core dumps disabled)
Apr  7 13:01:21 d600 dovecot: auth: Debug: Loading modules from directory: /usr/dovecot/lib/dovecot/auth
Apr  7 13:01:21 d600 dovecot: auth: Debug: auth client connected (pid=26175)
Apr  7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3
Apr  7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=...user cert.../C=DE
Apr  7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3
Apr  7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=...intermedieate cert.../C=DE
Apr  7 13:01:22 d600 dovecot: imap-login: proxy=0, require_crl=0, error=3
Apr  7 13:01:22 d600 dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=Root-CA.../C=DE

I don't know what the proxy stuff is about, so instead of ignoring CRL-related
errors I tried to disable CRL checking. I therefore commented out two lines
in ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely:

// X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
//                      X509_V_FLAG_CRL_CHECK_ALL);

This tells OpenSSL not to check CRLs. Of course in production code this
should be done only if "ssl_require_crl = no".

Similar code is contained in iostream-openssl-context.c, namely in the
routine ssl_iostream_ctx_verify_remote_cert().

Is this a bug?

Peter
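The two places the post points at, modelled as an added example (this is not Dovecot's code and does not link against OpenSSL): crl_store_flags() stands in for the X509_STORE_set_flags() call that was commented out, and verify_client_cert() stands in for the verify callback with the client_proxy condition dropped. The struct ssl_settings, both function names and the preverify_ok/error calling convention are assumptions; the X509_V_* constants carry the values OpenSSL's x509_vfy.h uses, which is why the "error=3" in the syslog lines above is X509_V_ERR_UNABLE_TO_GET_CRL.

```c
/* Added example, not Dovecot's code: models how ssl_require_crl should
 * steer OpenSSL's CRL checking on both the store-flags side and the
 * verify-callback side.  Constants use OpenSSL's real numeric values. */
#include <stdbool.h>
#include <stdio.h>

#define X509_V_OK                      0
#define X509_V_ERR_UNABLE_TO_GET_CRL   3   /* "error=3" in the syslog above */
#define X509_V_ERR_CERT_HAS_EXPIRED   10
#define X509_V_ERR_CRL_HAS_EXPIRED    12
#define X509_V_FLAG_CRL_CHECK        0x4
#define X509_V_FLAG_CRL_CHECK_ALL    0x8

/* Assumed settings struct: just the 10-ssl.conf option the post is about. */
struct ssl_settings {
    bool ssl_require_crl;
};

/* Store side (what commenting out X509_STORE_set_flags() achieved):
 * only request CRL lookups when the configuration requires them.
 * Returns the flag set that would be handed to X509_STORE_set_flags().
 * Caveat: with CRL_CHECK off, a CRL that is present in the CA file is
 * not consulted either, so this is only right when no CRLs exist. */
unsigned long crl_store_flags(const struct ssl_settings *set)
{
    if (!set->ssl_require_crl)
        return 0;   /* no lookup -> X509_V_ERR_UNABLE_TO_GET_CRL cannot occur */
    return X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
}

/* Callback side, same shape as ssl_verify_client_cert() but without the
 * proxy->client_proxy condition that made the exemption unreachable for
 * ordinary (non-proxy) logins.  Only the two CRL-availability errors are
 * tolerated; every other verification error, e.g. an expired certificate,
 * still rejects the client.  Returns 1 to accept, 0 to reject. */
int verify_client_cert(int preverify_ok, int error,
                       const struct ssl_settings *set)
{
    if (preverify_ok)
        return 1;   /* OpenSSL already accepted this chain element */
    if (!set->ssl_require_crl &&
        (error == X509_V_ERR_UNABLE_TO_GET_CRL ||
         error == X509_V_ERR_CRL_HAS_EXPIRED)) {
        /* no CRL given with the CA list; don't worry about it */
        return 1;
    }
    return 0;
}

int main(void)
{
    const struct ssl_settings no_crl = { .ssl_require_crl = false };
    const struct ssl_settings crl    = { .ssl_require_crl = true };

    printf("store flags: require_crl=no -> 0x%lx, require_crl=yes -> 0x%lx\n",
           crl_store_flags(&no_crl), crl_store_flags(&crl));
    printf("error=3,  require_crl=no  -> %d\n",
           verify_client_cert(0, X509_V_ERR_UNABLE_TO_GET_CRL, &no_crl));
    printf("error=3,  require_crl=yes -> %d\n",
           verify_client_cert(0, X509_V_ERR_UNABLE_TO_GET_CRL, &crl));
    printf("error=10, require_crl=no  -> %d\n",
           verify_client_cert(0, X509_V_ERR_CERT_HAS_EXPIRED, &no_crl));
    return 0;
}
```

The useful check for a deployment like the one in the post is the last line of output: an expired client certificate must still be rejected even though CRL errors are tolerated, which is what distinguishes "no CRLs in use" from "no verification at all".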