[BUG] Dovecot 2.2.9 SSL client cert verification fails: openssl verify: OK

Daniel Dickinson dovecot-bugs at daniel.thecshore.com
Sat Oct 11 06:14:35 UTC 2014


Greetings all,

I have verified a bug that has long been attributed to lack of knowledge
on the part of the user.

Dovecot rejects StartSSL client certificates because it rejects the StartSSL
root CA when doing client verification, even though the appropriately
constructed ca-bundle.pem has been created and applied via ssl_ca =
</etc/dovecot/ca-bundle.pem.

openssl verify -CAfile ca-bundle.pem -crl_check_all -policy_check
-x509_strict -verbose client-cert.pem returns:

client-cert.pem: OK

However dovecot reports the following:

Oct 11 01:41:17 hostname dovecot: imap-login: Invalid certificate:
unable to get local issuer certificate: /C=IL/O=StartCom Ltd./OU=Secure
Digital Certificate Signing/CN=StartCom Certification Authority
Oct 11 01:41:17 hostname dovecot: imap-login: Invalid certificate:
certificate not trusted: /C=IL/O=StartCom Ltd./OU=Secure Digital
Certificate Signing/CN=StartCom Certification Authority
Oct 11 01:41:17 hostname dovecot: imap-login: Invalid certificate:
unable to get certificate CRL: /C=IL/O=StartCom Ltd./OU=Secure Digital
Certificate Signing/CN=StartCom Certification Authority
Oct 11 01:41:17 hostname dovecot: imap-login: Valid certificate:
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 1 Primary Intermediate Client CA

It also reports the client certificate as valid.

The certificate bundle was created as follows:

openssl x509 -in sub.class1.client.pem -subject -issuer >ca-bundle.pem
cat class1-client-crl.pem >>ca-bundle.pem
openssl x509 -in startcom-root-ca.pem -subject -issuer >>ca-bundle.pem
cat startcom-root-ca-crl.pem >>ca-bundle.pem

Furthermore, exim, Thunderbird, and Firefox are all perfectly happy with
the certificates (and exim has no problem verifying the client
certificates).

Further, there are many more messages regarding issues with users of
dovecot having issues with StartCom client certificates who have
reported following all the steps than with Cyrus or Courier.

Oh, and client verification of the server-side certificate works fine with
the server-side certificate bundle (cat server.pem startcom-intermediate.pem
startcom-root-ca.pem >dovecot.pem).

Relevant dovecot -n included below:

auth_debug = yes
auth_mechanisms = plain login digest-md5 cram-md5 otp
auth_ssl_require_client_cert = yes
auth_verbose = yes
ssl = required
ssl_ca = </etc/dovecot/ca-bundle.pem
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
ssl_verify_client_cert = yes
verbose_ssl = yes

OS is Debian Wheezy with latest updates and (just today in hopes it had
been fixed, same error occurs with Wheezy's dovecot = 2.1.7) dovecot
2.2.9 from backports.

amd64 architecture.

Please CC me as I am not subscribed to the list.

Regards,

Daniel

