[Dovecot] ssl_require_crl does not work as expected

Mon Apr 8 13:44:39 EEST 2013

On 7.4.2013, at 14.19, dovecot.pkoch at dfgh.net wrote:

> My impression is that openssl will always try to use CRLs. If
> "ssl_require_crl = no"
> dovecot will use CRLs but tries to ignore openssl error codes
> X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.
> 
> This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871,
> namely
> 
> if (proxy->client_proxy && !proxy->set->ssl_require_crl &&
>   (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL ||
>    ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) {
>       /* no CRL given with the CA list. don't worry about it. */
>       preverify_ok = 1;
> }

After thinking enough about this, I kind of see what's happening:

The ssl_require_crl setting wasn't intended to do what you want it to do. It was meant for Dovecot proxying code where it needs to act as an SSL client to remote server. So the setting should instead have been named ssl_require_client_crl.

For server's client cert checks you should be able to simply generate an empty CRL I think?

> I dont know what the proxy-stuff is about so instead of ignoring CRL-related
> errors I tried to disable CRL-checking. I therefore commented out two lines
> in
> ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely:
> 
> // X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
> //                      X509_V_FLAG_CRL_CHECK_ALL);

If you remove the "proxy->client_proxy &&" check it should work just as well, I think?

> Similar code is contained in iostream-openssl-context.c,
> namely in routine ssl_iostream_ctx_verify_remote_cert()

Now I'm wondering why this code works as SSL client even though I'm not reading CRLs anywhere.. I guess I should spend some time looking into how exactly CRLs should work.