Dovecot proxy ignores trusted root certificate store
Alex Bulan
avb at korax.net
Mon Sep 21 17:34:25 UTC 2015
On Mon, 21 Sep 2015, Christian Kivalo wrote:
> Haven't found much about proxying and ssl but found a configuration parameter
> ssl_ca = </path/to/file maybe that works...
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate
> verification/authentication
ssl_ca serves a different purpose, it's for setting your certificate
authority in order to verify client certs you've issued.
Setting "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" does work to
verify the proxy backend cert, at least in the current Dovecot release, but
it's a hack. It's misusing this setting for a different purpose than
documented. I can't rely on this "solution" as it could break in a future
Dovecot release.
The correct setting to use is ssl_client_ca_file. It's just not being
applied in proxy mode.
The patchset that implemented ssl_client_ca_file is here:
http://www.dovecot.org/list/dovecot-cvs/2013-April/023089.html
Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set
the CAfile path, as it should, but apparently only when it's talking to an
imapc storage backend, not when it's acting as a simple proxy.
See http://dovecot.org/pipermail/dovecot/2013-June/090884.html
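As an added illustration, not configuration from the original post or from the Dovecot project, the following shows how the two settings contrasted above would sit side by side in a Dovecot 2.2-style proxy configuration. The backend hostname, the CA bundle path, the static passdb layout and the "ssl=yes" proxy field are assumptions for the example; the post itself only reports that ssl_client_ca_file is not applied in proxy mode and that ssl_ca happens to work there.

```conf
# Added example, not from the original post. Host and paths are placeholders.

# The proxy decision comes from the passdb. "ssl=yes" makes the proxy connect
# to the backend over TLS and verify its certificate; "ssl=any-cert" would
# accept any certificate and give no protection against an interposed host.
passdb {
  driver = static
  args = proxy=y host=backend.example.net port=993 ssl=yes nopassword=y
}

# Intended setting: the trust store Dovecot uses when it acts as a TLS client.
# Per the post, it is honoured for an imapc storage backend but ignored in
# plain proxy mode.
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

# Workaround reported in the post: ssl_ca is documented for verifying client
# certificates, yet the proxy also uses it to verify the backend certificate.
# Relying on this may break in a later release.
ssl_ca = </usr/local/share/certs/ca-root-nss.crt
```

A practical check after changing either setting is to point the proxy at a backend whose certificate is not signed by anything in the bundle and confirm that the login is refused rather than silently forwarded; if it still succeeds, the trust store is not being applied on that code path.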