dovecot-2.2: *-login: Added ssl_require_crl setting.

dovecot at dovecot.org dovecot at dovecot.org
Sun May 20 03:26:34 EEST 2012


details:   http://hg.dovecot.org/dovecot-2.2/rev/008c1afeba3c
changeset: 14520:008c1afeba3c
user:      Timo Sirainen <tss at iki.fi>
date:      Wed Apr 25 22:28:03 2012 +0300
description:
*-login: Added ssl_require_crl setting.

diffstat:

 doc/example-config/conf.d/10-ssl.conf |  3 +++
 src/login-common/login-settings.c     |  2 ++
 src/login-common/login-settings.h     |  1 +
 src/login-common/ssl-proxy-openssl.c  |  2 +-
 4 files changed, 7 insertions(+), 1 deletions(-)

diffs (55 lines):

diff -r 96800058f29b -r 008c1afeba3c doc/example-config/conf.d/10-ssl.conf
--- a/doc/example-config/conf.d/10-ssl.conf	Wed Apr 25 22:12:26 2012 +0300
+++ b/doc/example-config/conf.d/10-ssl.conf	Wed Apr 25 22:28:03 2012 +0300
@@ -23,6 +23,9 @@
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca = 
 
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
diff -r 96800058f29b -r 008c1afeba3c src/login-common/login-settings.c
--- a/src/login-common/login-settings.c	Wed Apr 25 22:12:26 2012 +0300
+++ b/src/login-common/login-settings.c	Wed Apr 25 22:28:03 2012 +0300
@@ -38,6 +38,7 @@
 	DEF(SET_STR, ssl_client_key),
 	DEF(SET_STR, ssl_crypto_device),
 	DEF(SET_BOOL, ssl_verify_client_cert),
+	DEF(SET_BOOL, ssl_require_crl),
 	DEF(SET_BOOL, auth_ssl_require_client_cert),
 	DEF(SET_BOOL, auth_ssl_username_from_cert),
 	DEF(SET_BOOL, verbose_ssl),
@@ -72,6 +73,7 @@
 	.ssl_client_key = "",
 	.ssl_crypto_device = "",
 	.ssl_verify_client_cert = FALSE,
+	.ssl_require_crl = TRUE,
 	.auth_ssl_require_client_cert = FALSE,
 	.auth_ssl_username_from_cert = FALSE,
 	.verbose_ssl = FALSE,
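Review bot: The default `.ssl_require_crl = TRUE` turns the CRL-error exemption in ssl-proxy-openssl.c from unconditional into opt-out, so an existing deployment whose `ssl_ca` bundle carries no CRL will begin rejecting peer certificates with the CRL errors that were previously waved through. Fail-closed is the right default for a revocation check, but nothing in the commit records that this is a behaviour change on upgrade. I would add a comment next to the default, `/* fail closed: missing/expired CRL is an error unless the admin opts out */`, and extend the example-config text to say that the option defaults to yes and that `ssl_ca` must then include the CRL(s).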
diff -r 96800058f29b -r 008c1afeba3c src/login-common/login-settings.h
--- a/src/login-common/login-settings.h	Wed Apr 25 22:12:26 2012 +0300
+++ b/src/login-common/login-settings.h	Wed Apr 25 22:28:03 2012 +0300
@@ -20,6 +20,7 @@
 	const char *ssl_client_key;
 	const char *ssl_crypto_device;
 	bool ssl_verify_client_cert;
+	bool ssl_require_crl;
 	bool auth_ssl_require_client_cert;
 	bool auth_ssl_username_from_cert;
 	bool verbose_ssl;
diff -r 96800058f29b -r 008c1afeba3c src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Wed Apr 25 22:12:26 2012 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Wed Apr 25 22:28:03 2012 +0300
@@ -864,7 +864,7 @@
 	proxy = SSL_get_ex_data(ssl, extdata_index);
 	proxy->cert_received = TRUE;
 
-	if (proxy->client_proxy &&
+	if (proxy->client_proxy && !proxy->set->ssl_require_crl &&
 	    (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL ||
 	     ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) {
 		/* no CRL given with the CA list. don't worry about it. */
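Review bot: The added `!proxy->set->ssl_require_crl` test sits inside the `proxy->client_proxy` condition, so the new setting only changes behaviour for connections where `client_proxy` is set; on every other path a missing or expired CRL was already treated as a verification failure and still is. The example config describes the option as applying to "client certificates", which reads broader than what this line gates, so either the comment should name the connections it actually covers or, if the setting is meant to govern certificate verification generally, the check would have to move outside the `client_proxy` branch (I cannot tell from the hunk which is intended). A short comment on the relaxed branch would help the next reader, e.g. `/* only tolerate a missing/expired CRL when the admin has opted out via ssl_require_crl */`. The comparison against `ctx->error` on the unchanged lines would be more portable as `X509_STORE_CTX_get_error(ctx)`. The enclosing verification callback begins before this hunk and continues after it.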

