[Dovecot] Different settings for SSL/non-SSL protocols

Алексей Прокопчук alexpro at homelan.lg.ua
Wed Dec 4 16:49:11 EET 2013


Greetings
04.12.2013 13:49, Алексей Прокопчук writes:
> I examined in detail dovecot's behavior with
> 'auth_ssl_require_client_cert=yes'.
> Dovecot misinterprets the configuration in the case with the parameters:
> ssl = yes
> auth_ssl_require_client_cert = yes
>
> If ssl is not equal to 'required', i.e. SSL is not necessarily required,
> then an unencrypted connection is permissible.
> And the case 'ssl = required' is processed separately when the connection begins.
> But dovecot answers a client on an unencrypted connection with "Client didn't
> sent a valid SSL certificate".
> This is wrong because with an unencrypted connection there can't be any
> certificates at all.
>
> I use dovecot-2.1.16.
> In auth-request-handler.c I found:
>
> if (request->set->ssl_require_client_cert &&
>     !request->valid_client_cert) {
>         /* we fail without valid certificate */
>         auth_request_handler_auth_fail(handler, request,
>                 "Client didn't present valid SSL certificate");
>         return TRUE;
> }
>
> Here it is necessary to check for an encrypted connection, and if the
> connection is not encrypted, the condition should not be triggered.
> And as I said above, the case with 'ssl = required' is processed earlier, and
> in this case we don't get to this place in the code.
Finally, I found everything that is needed. I patched
auth-request-handler.c and now:

case1: ssl = yes, auth_ssl_require_client_cert = yes.
If we try to authenticate via pop3 or imap with SSL enabled, a valid
certificate is present, and the password is correct, the result is success.
If we try to authenticate via pop3 or imap with SSL enabled and no valid
certificate is present, the result is an error.
If we try to authenticate via pop3 or imap without SSL and the password is
correct, the result is success.

case2: ssl = required, auth_ssl_require_client_cert = yes
If we try to authenticate via pop3 or imap with SSL enabled, a valid
certificate is present, and the password is correct, the result is success.
If we try to authenticate via pop3 or imap with SSL enabled and no valid
certificate is present, the result is an error.
If we try to authenticate via pop3 or imap without SSL, the result is an
error (SSL connection required).

Patch for dovecot-2.1.16 is attached to this message.

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-2.1.16-ssl-auth.patch
Type: text/x-patch
Size: 809 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20131204/2970fa05/attachment.bin>
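The two behaviours described in the message (the unpatched check, which demands a certificate on every session, and the patched one, which only demands it on an encrypted session) as an added model in C. This is illustrative code written for this page, not Dovecot's source and not the attached patch; the names ssl_mode, auth_decide and auth_decide_flags are hypothetical, and the six inputs in main() are constructed to match the case1/case2 lists above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not Dovecot source: a small model of the decision
 * made in auth-request-handler.c, in the unpatched form described in the
 * message and in the patched form (certificate only required when the
 * connection is encrypted). All names here are hypothetical. */

enum ssl_mode { SSL_NO, SSL_YES, SSL_REQUIRED };

enum auth_result {
    AUTH_OK,
    AUTH_FAIL_SSL_REQUIRED,   /* ssl = required and the session is plaintext */
    AUTH_FAIL_NO_CLIENT_CERT, /* auth_ssl_require_client_cert, no valid cert */
    AUTH_FAIL_PASSWORD
};

struct auth_request {
    bool secured;           /* session is TLS-protected */
    bool valid_client_cert; /* peer cert presented and verified by the server */
    bool password_ok;
};

/* ssl = required is enforced when the connection begins, so the cert check
 * in the auth handler is never reached for a plaintext session in that mode. */
enum auth_result auth_decide(enum ssl_mode ssl, bool require_client_cert,
                             const struct auth_request *req, bool patched)
{
    if (ssl == SSL_REQUIRED && !req->secured)
        return AUTH_FAIL_SSL_REQUIRED;

    /* Unpatched: the check fires on every session, so a plaintext login fails
     * with "didn't present valid SSL certificate" although no certificate
     * could have been sent. Patched: only TLS sessions are asked for one. */
    bool cert_check_applies = patched ? req->secured : true;
    if (require_client_cert && cert_check_applies && !req->valid_client_cert)
        return AUTH_FAIL_NO_CLIENT_CERT;

    return req->password_ok ? AUTH_OK : AUTH_FAIL_PASSWORD;
}

/* Scalar wrapper so each situation can be checked with one call. */
enum auth_result auth_decide_flags(enum ssl_mode ssl, bool require_client_cert,
                                   bool secured, bool valid_client_cert,
                                   bool password_ok, bool patched)
{
    struct auth_request req = { secured, valid_client_cert, password_ok };
    return auth_decide(ssl, require_client_cert, &req, patched);
}

static const char *result_name(enum auth_result r)
{
    switch (r) {
    case AUTH_OK:                  return "success";
    case AUTH_FAIL_SSL_REQUIRED:   return "error (SSL connection required)";
    case AUTH_FAIL_NO_CLIENT_CERT: return "error (no valid client certificate)";
    default:                       return "error (bad password)";
    }
}

int main(void)
{
    /* Constructed inputs: the situations listed as case1/case2, password correct. */
    struct auth_request tls_cert   = { true,  true,  true };
    struct auth_request tls_nocert = { true,  false, true };
    struct auth_request plain      = { false, false, true };
    const enum ssl_mode modes[] = { SSL_YES, SSL_REQUIRED };

    for (int m = 0; m < 2; m++) {
        printf("ssl = %s, auth_ssl_require_client_cert = yes\n",
               modes[m] == SSL_YES ? "yes" : "required");
        printf("  TLS + valid cert : %s\n",
               result_name(auth_decide(modes[m], true, &tls_cert, true)));
        printf("  TLS, no cert     : %s\n",
               result_name(auth_decide(modes[m], true, &tls_nocert, true)));
        printf("  plaintext        : unpatched %s / patched %s\n",
               result_name(auth_decide(modes[m], true, &plain, false)),
               result_name(auth_decide(modes[m], true, &plain, true)));
    }
    return 0;
}
```

The model makes the operational consequence of the patched behaviour visible: with ssl = yes a plaintext client is never asked for a certificate, so auth_ssl_require_client_cert only adds a second factor to TLS sessions, and it is ssl = required that makes the certificate mandatory for every login. To confirm this against a live server, connect once over TLS with a client certificate (openssl s_client -connect host:993 -cert client.pem -key client.key), once over TLS without -cert, and once in plaintext on port 143, and compare the responses to the login command.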

