[Dovecot] imap-login hangs after receiving revoked SSL certificate

Алексей Прокопчук alexpro at homelan.lg.ua
Tue Dec 3 14:40:13 EET 2013


Hello again
On 03.12.2013 00:41, Алексей Прокопчук wrote:

> I have my own test CA based
> on EJBCA. The server and all client certificates which I tried to test were
> issued by this CA. The freshest CRL is embedded into the ca.pem file, which is used
> as the CA certificate in dovecot.conf.

> Now I'm quite confused: Apache works with these certificates as
> expected: it accepts valid ones and refuses revoked ones. But Dovecot, which
> yesterday accepted at least one certificate (which I revoked for testing),
> today rejects all others from the same CA.
Thanks for your attention, and excuse me for taking up your time.
The problem was in the CRL generated by EJBCA. Apparently, EJBCA and OpenSSL
are not entirely compatible. When I remove the CRL distribution point field
from my EJBCA-generated CRL, all works as expected: valid certificates are
accepted, revoked certificates are rejected. And there is no problem with the
CRL scope, so the fix from the first reply isn't needed; all works with the
initially installed openssl-1.0.1c.

With regard to Apache, I think it checks certificate validity with OCSP,
and I don't embed the CRL in the CA certificate for Apache.
Perhaps it would be nice to implement OCSP validity checking together with
the embedded CRL, with the possibility to choose which one will be used.

Thanks again, especially for the hint about the OpenSSL scope loop problem.

With best regards, Alexey Prokopchuk (AP8686-RIPE)
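An added example, not from the post or from Dovecot: it builds a throwaway CA with the openssl CLI, issues two client certificates, revokes one, and verifies both against a ca.pem made of the CA certificate followed by its CRL, the same bundle layout the post feeds to Dovecot as its CA file. The CA, the names alice and bob, and the minimal ca.cnf are constructed for the demo; this is the check worth running against a CRL before deploying it, since OpenSSL's -crl_check is what Dovecot relies on.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, two client certs, one revoked, verified the
# way Dovecot does it (CA cert + CRL concatenated into one PEM file).
set -e
WORK=$(mktemp -d)
cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = cacert.pem
private_key = cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
touch index.txt; echo 01 > serial
issue() {  # issue <name>: create a key and CSR, then sign it with the demo CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.pem" 2>/dev/null
}
build_bundle() {  # regenerate the CRL and rebuild ca.pem = CA cert followed by CRL
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat cacert.pem crl.pem > ca.pem
}
check() {  # check <name>: exit 0 if the cert verifies with CRL checking, non-zero otherwise
  openssl verify -crl_check -CAfile ca.pem "$1.pem" >/dev/null 2>&1
}
openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
  -subj /CN=DemoCA -days 365 -config ca.cnf 2>/dev/null
issue alice; issue bob
openssl ca -config ca.cnf -revoke bob.pem 2>/dev/null   # revoke bob only
build_bundle
check alice && echo "alice: accepted"
check bob || echo "bob: rejected (revoked)"
```

If every certificate fails here with "unable to get certificate CRL", OpenSSL found no CRL it considers applicable; a CRL carrying an issuing distribution point that does not match the certificates' CRL distribution points is one cause, which is consistent with the EJBCA CRL behaviour described above.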
