dovecot: Added ssl_cert_username_field setting.

dovecot at dovecot.org dovecot at dovecot.org
Sun Sep 9 05:54:39 EEST 2007


details:   http://hg.dovecot.org/dovecot/rev/7ad61f00ee55
changeset: 6364:7ad61f00ee55
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Sep 09 05:54:32 2007 +0300
description:
Added ssl_cert_username_field setting.

diffstat:

6 files changed, 24 insertions(+), 2 deletions(-)
dovecot-example.conf                 |    5 +++++
src/login-common/ssl-proxy-openssl.c |   16 ++++++++++++++--
src/master/login-process.c           |    2 ++
src/master/master-settings-defs.c    |    1 +
src/master/master-settings.c         |    1 +
src/master/master-settings.h         |    1 +

diffs (107 lines):

diff -r 2b6e69bda3ec -r 7ad61f00ee55 dovecot-example.conf
--- a/dovecot-example.conf	Sun Sep 09 05:30:20 2007 +0300
+++ b/dovecot-example.conf	Sun Sep 09 05:54:32 2007 +0300
@@ -106,6 +106,11 @@
 # Request client to send a certificate. If you also want to require it, set
 # ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
 
 # How often to regenerate the SSL parameters file. Generation is quite CPU
 # intensive operation. The value is in hours, 0 disables regeneration
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Sep 09 05:54:32 2007 +0300
@@ -66,6 +66,7 @@ static SSL_CTX *ssl_ctx;
 static SSL_CTX *ssl_ctx;
 static struct hash_table *ssl_proxies;
 static struct ssl_parameters ssl_params;
+static int ssl_username_nid;
 
 static void plain_read(struct ssl_proxy *proxy);
 static void ssl_read(struct ssl_proxy *proxy);
@@ -522,7 +523,7 @@ const char *ssl_proxy_get_peer_name(stru
 		return NULL; /* we should have had it.. */
 
 	if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
-				      NID_commonName, buf, sizeof(buf)) < 0)
+				      ssl_username_nid, buf, sizeof(buf)) < 0)
 		name = "";
 	else
 		name = t_strndup(buf, sizeof(buf));
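Review bot: X509_NAME_get_text_by_NID() on the line above copies at most sizeof(buf)-1 bytes of the first matching attribute and silently truncates longer values, so with the field now admin-selectable an over-long attribute is quietly cut down to a shorter username instead of being rejected; I'd keep the return value in an `int ret` and treat a full buffer as possibly truncated, `if (ret < 0 || ret >= (int)sizeof(buf) - 1) name = "";`, falling through to t_strndup() only otherwise. The call also copies the attribute's bytes regardless of ASN.1 type, and as far as I recall x500UniqueIdentifier, named as a usual choice in the example-config hunk, is a BIT STRING rather than a text type, so its value would not be a printable username, and any embedded NUL in the value is cut at t_strndup(); a comment on this hunk saying that only text-typed attributes yield a meaningful name would help the next reader. ssl_proxy_get_peer_name() starts outside the hunk.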
@@ -681,7 +682,7 @@ void ssl_proxy_init(void)
 void ssl_proxy_init(void)
 {
 	static char dovecot[] = "dovecot";
-	const char *cafile, *certfile, *keyfile, *cipher_list;
+	const char *cafile, *certfile, *keyfile, *cipher_list, *username_field;
 	char *password;
 	unsigned char buf;
 
@@ -760,6 +761,17 @@ void ssl_proxy_init(void)
 					   SSL_load_client_CA_file(cafile));
 	}
 
+	username_field = getenv("SSL_CERT_USERNAME_FIELD");
+	if (username_field == NULL)
+		ssl_username_nid = NID_commonName;
+	else {
+		ssl_username_nid = OBJ_txt2nid(username_field);
+		if (ssl_username_nid == NID_undef) {
+			i_fatal("Invalid ssl_cert_username_field: %s",
+				username_field);
+		}
+	}
+
 	/* PRNG initialization might want to use /dev/urandom, make sure it
 	   does it before chrooting. We might not have enough entropy at
 	   the first try, so this function may fail. It's still been
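Review bot: The NULL check at the top of this hunk only falls back to NID_commonName when the variable is absent, yet the login-process.c hunk exports SSL_CERT_USERNAME_FIELD unconditionally, so a configuration with an empty value reaches OBJ_txt2nid("") and every login process dies with an `Invalid ssl_cert_username_field: ` message naming nothing; I'd widen the guard to `if (username_field == NULL || *username_field == '\0')`. As far as the master-settings.c hunk shows, the master only supplies the "commonName" default and does not validate the name, so a typo surfaces as repeated i_fatal() in login processes at startup rather than as a configuration error in the master; resolving the name with OBJ_txt2nid() at settings-parse time would fail earlier and once. ssl_proxy_init() starts outside this hunk.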
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/login-process.c
--- a/src/master/login-process.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/login-process.c	Sun Sep 09 05:54:32 2007 +0300
@@ -542,6 +542,8 @@ static void login_process_init_env(struc
 			env_put(t_strconcat("SSL_CIPHER_LIST=",
 					    set->ssl_cipher_list, NULL));
 		}
+		env_put(t_strconcat("SSL_CERT_USERNAME_FIELD=",
+				    set->ssl_cert_username_field, NULL));
 		if (set->ssl_verify_client_cert)
 			env_put("SSL_VERIFY_CLIENT_CERT=1");
 	}
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings-defs.c
--- a/src/master/master-settings-defs.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings-defs.c	Sun Sep 09 05:54:32 2007 +0300
@@ -27,6 +27,7 @@ static struct setting_def setting_defs[]
 	DEF_STR(ssl_key_password),
 	DEF_INT(ssl_parameters_regenerate),
 	DEF_STR(ssl_cipher_list),
+	DEF_STR(ssl_cert_username_field),
 	DEF_BOOL(ssl_verify_client_cert),
 	DEF_BOOL(disable_plaintext_auth),
 	DEF_BOOL(verbose_ssl),
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings.c
--- a/src/master/master-settings.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.c	Sun Sep 09 05:54:32 2007 +0300
@@ -183,6 +183,7 @@ struct settings default_settings = {
 	MEMBER(ssl_key_password) "",
 	MEMBER(ssl_parameters_regenerate) 168,
 	MEMBER(ssl_cipher_list) "",
+	MEMBER(ssl_cert_username_field) "commonName",
 	MEMBER(ssl_verify_client_cert) FALSE,
 	MEMBER(disable_plaintext_auth) TRUE,
 	MEMBER(verbose_ssl) FALSE,
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings.h
--- a/src/master/master-settings.h	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.h	Sun Sep 09 05:54:32 2007 +0300
@@ -41,6 +41,7 @@ struct settings {
 	const char *ssl_key_password;
 	unsigned int ssl_parameters_regenerate;
 	const char *ssl_cipher_list;
+	const char *ssl_cert_username_field;
 	bool ssl_verify_client_cert;
 	bool disable_plaintext_auth;
 	bool verbose_ssl;

