[PATCH] Fix for client certificate validation does not work

Nick Edwards nick.z.edwards at gmail.com
Wed Feb 11 12:10:29 UTC 2015


What problem with startssl.com? Lots of people have used them for a long
time with no problem.

On 2/11/15, Daniel Dickinson <dovecot at daniel.thecshore.com> wrote:
> Hi all,
>
> As I reported earlier (with a typo in the word [BUG]), client
> certificate validation *does not* work even if you do everything
> exactly according to all documentation and attempts at helpful advice.
>
> I have seen this issue with both startssl.com and self-signed
> certificates, and based on what I've seen from searching the web, this
> is a problem that has gotten little attention because most people don't
> bother, but are more than willing to give out useless advice on how to
> make it work.
>
> Furthermore the issue does NOT occur with the cyrus-imap mail server, so
> it is definitely a server-side issue.
>
> The actual issue is that the code for calling OpenSSL that constructs
> the client certificate validation is in fact WRONG.
>
> I don't have a perfect patch as I was mostly interested in getting it
> working for my needs and didn't bother with constructing the list of CA
> names to send to the client, preferring to let OpenSSL handle all that
> sort of thing.
>
> What it comes down to is that the code, which probably worked at one
> point, was not correctly updated at some point and since then client
> side certificate validation has been BROKEN.
>
> I have patched against 2.2.9, however I have seen this problem in the
> versions in both Debian Wheezy and Debian Jessie as well.
>
> As you will see from the patch (which is an attachment, as people tend to
> complain that patches get mangled when you inline them, and even if I
> have a good client I've gotten heck because the receiver didn't).
>
> Regards,
>
> Daniel
>
>
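
The following is an added example, written for this page, of what a correctly wired server-side client-certificate check looks like on the wire; it is not Dovecot's code nor the patch discussed above, and it uses Go's crypto/tls rather than OpenSSL. It constructs a throwaway PKI in memory (the names Test CA, Rogue CA, localhost, alice and mallory are invented for the example), configures the server to require a client certificate and verify it against that CA, and runs three clients against it: one with a certificate from the trusted CA, one with no certificate, and one with a certificate from an unrelated CA. Each result is the server's verdict, plus a count of the CA names the server carried in its CertificateRequest, which is the CA list the message above says the patch leaves to OpenSSL to construct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome is the server's verdict on one client; an empty ServerErr means the
// client certificate was presented and chained to the configured CA.
type Outcome struct {
	PeerCN        string // CN of the verified client cert, as the server saw it
	ServerErr     string // server-side handshake error, if any
	AdvertisedCAs int    // CA names carried in the server's CertificateRequest
}

// mustCert issues a self-signed CA (parent == nil) or a leaf signed by parent.
// The whole PKI is constructed in memory for this demo, not read from disk.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN so that "localhost" verifies as a server name
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one client (offering cert, or nothing when cert is nil) and
// reports the SERVER's verdict: under TLS 1.3 the client can finish its handshake
// before the server rejects it, so client-side success proves nothing.
func handshake(serverCfg *tls.Config, pool *x509.CertPool, cert *tls.Certificate) Outcome {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			panic(err)
		}
		defer conn.Close()
		var o Outcome
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			o.ServerErr = err.Error()
		} else { // RequireAndVerifyClientCert guarantees a verified peer cert here
			o.PeerCN = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		done <- o
	}()
	var advertised int
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	// Runs when the server's CertificateRequest arrives. Count the CA names it
	// carries, then offer cert unfiltered (an empty Certificate message if nil);
	// a cert placed in Certificates would be silently withheld if no advertised CA matched.
	clientCfg.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		advertised = len(cri.AcceptableCAs)
		if cert == nil {
			return &tls.Certificate{}, nil
		}
		return cert, nil
	}
	if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		c.Close()
	}
	o := <-done
	o.AdvertisedCAs = advertised
	return o
}

// RunClientAuthDemo exercises three clients against a server configured the way a
// working client-certificate check must be: require a certificate, verify it
// against the configured CA pool, and advertise that CA to the client.
func RunClientAuthDemo() map[string]Outcome {
	ca, caKey := mustCert("Test CA", true, nil, nil)
	rogue, rogueKey := mustCert("Rogue CA", true, nil, nil)
	srv, srvKey := mustCert("localhost", false, ca, caKey)
	alice, aliceKey := mustCert("alice", false, ca, caKey)
	mallory, malloryKey := mustCert("mallory", false, rogue, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // request AND verify; RequestClientCert alone is the classic mistake
		ClientCAs:    pool,
	}
	return map[string]Outcome{
		"trusted-cert": handshake(server, pool, &tls.Certificate{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey}),
		"no-cert":      handshake(server, pool, nil),
		"untrusted-ca": handshake(server, pool, &tls.Certificate{Certificate: [][]byte{mallory.Raw}, PrivateKey: malloryKey}),
	}
}

func main() {
	fmt.Printf("%+v\n", RunClientAuthDemo())
}
```

Run it with go run; only the trusted-cert client ends with an empty ServerErr, and every client sees exactly one advertised CA name because the server's ClientCAs pool holds one certificate. Against a live IMAP port the equivalent check is openssl s_client -connect host:993 -cert client.pem -key client.key -CAfile ca.pem (file names are placeholders): the "Acceptable client certificate CA names" section of its output shows whether the server sends a CertificateRequest with a CA list at all, and a server that merely requests rather than requires the certificate (SSL_VERIFY_PEER without SSL_VERIFY_FAIL_IF_NO_PEER_CERT, in OpenSSL terms) still reaches the IMAP banner when -cert is omitted, which is what the no-cert scenario above is there to catch.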


More information about the dovecot mailing list