dovecot: Added ssl_cert_username_field setting.
dovecot at dovecot.org
dovecot at dovecot.org
Sun Sep 9 05:54:39 EEST 2007
details: http://hg.dovecot.org/dovecot/rev/7ad61f00ee55
changeset: 6364:7ad61f00ee55
user: Timo Sirainen <tss at iki.fi>
date: Sun Sep 09 05:54:32 2007 +0300
description:
Added ssl_cert_username_field setting.
diffstat:
6 files changed, 24 insertions(+), 2 deletions(-)
dovecot-example.conf | 5 +++++
src/login-common/ssl-proxy-openssl.c | 16 ++++++++++++++--
src/master/login-process.c | 2 ++
src/master/master-settings-defs.c | 1 +
src/master/master-settings.c | 1 +
src/master/master-settings.h | 1 +
diffs (107 lines):
diff -r 2b6e69bda3ec -r 7ad61f00ee55 dovecot-example.conf
--- a/dovecot-example.conf Sun Sep 09 05:30:20 2007 +0300
+++ b/dovecot-example.conf Sun Sep 09 05:54:32 2007 +0300
@@ -106,6 +106,11 @@
# Request client to send a certificate. If you also want to require it, set
# ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
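Review bot: The new comment does not say that the value of this field is only meaningful when the client certificate has actually been verified against ssl_ca_file (ssl_verify_client_cert=yes, and ssl_require_client_cert in the auth section); with an unverified certificate the selected field is whatever the client chose to put there. It also describes only two field names, while the login code resolves the value with OpenSSL's OBJ_txt2nid(), which presumably accepts any short name, long name or dotted OID known to OpenSSL. I would extend the comment with `# Any attribute name or dotted OID known to OpenSSL is accepted. The field is only` and `# trustworthy when the client certificate is verified (ssl_verify_client_cert=yes).`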
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Sun Sep 09 05:30:20 2007 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Sun Sep 09 05:54:32 2007 +0300
@@ -66,6 +66,7 @@ static SSL_CTX *ssl_ctx;
static SSL_CTX *ssl_ctx;
static struct hash_table *ssl_proxies;
static struct ssl_parameters ssl_params;
+static int ssl_username_nid;
static void plain_read(struct ssl_proxy *proxy);
static void ssl_read(struct ssl_proxy *proxy);
@@ -522,7 +523,7 @@ const char *ssl_proxy_get_peer_name(stru
return NULL; /* we should have had it.. */
if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
- NID_commonName, buf, sizeof(buf)) < 0)
+ ssl_username_nid, buf, sizeof(buf)) < 0)
name = "";
else
name = t_strndup(buf, sizeof(buf));
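Review bot: Only the sign of the X509_NAME_get_text_by_NID() result is checked, so a certificate whose selected field contains an embedded NUL byte (for example `admin\0attacker`) is accepted with the username `admin`, and a value longer than buf is silently cut at sizeof(buf)-1 bytes and used as-is. Keep the returned length and reject any disagreement with the C string that was copied: `len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509), ssl_username_nid, buf, sizeof(buf));` followed by `if (len < 0 || (size_t)len != strlen(buf) || (size_t)len >= sizeof(buf) - 1)` and `name = "";` (with `int len;` declared next to buf). The call also returns only the first entry with the selected NID, so a subject carrying several entries of that type is matched on the first one; a one-line comment stating that would help the next reader. ssl_proxy_get_peer_name() begins before this hunk, so the declaration of buf and the x509 lookup are not visible here.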
@@ -681,7 +682,7 @@ void ssl_proxy_init(void)
void ssl_proxy_init(void)
{
static char dovecot[] = "dovecot";
- const char *cafile, *certfile, *keyfile, *cipher_list;
+ const char *cafile, *certfile, *keyfile, *cipher_list, *username_field;
char *password;
unsigned char buf;
@@ -760,6 +761,17 @@ void ssl_proxy_init(void)
SSL_load_client_CA_file(cafile));
}
+ username_field = getenv("SSL_CERT_USERNAME_FIELD");
+ if (username_field == NULL)
+ ssl_username_nid = NID_commonName;
+ else {
+ ssl_username_nid = OBJ_txt2nid(username_field);
+ if (ssl_username_nid == NID_undef) {
+ i_fatal("Invalid ssl_cert_username_field: %s",
+ username_field);
+ }
+ }
+
/* PRNG initialization might want to use /dev/urandom, make sure it
does it before chrooting. We might not have enough entropy at
the first try, so this function may fail. It's still been
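Review bot: The setting is validated only here, in the login process, so a mistyped ssl_cert_username_field is not reported when the master parses the configuration but as an i_fatal() every time a login process starts, which presumably leaves the master respawning a process that dies immediately. If the master is linked against libcrypto, the same OBJ_txt2nid() != NID_undef check belongs in the settings verification in master-settings.c so the daemon refuses to start with a clear error; otherwise a comment such as `/* validated here rather than in the master: an unknown name kills the login process at startup */` should record the trade-off. Note that OBJ_txt2nid() also accepts dotted OIDs, so the accepted syntax is wider than the two names given in the example config. ssl_proxy_init() continues outside the hunk.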
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/login-process.c
--- a/src/master/login-process.c Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/login-process.c Sun Sep 09 05:54:32 2007 +0300
@@ -542,6 +542,8 @@ static void login_process_init_env(struc
env_put(t_strconcat("SSL_CIPHER_LIST=",
set->ssl_cipher_list, NULL));
}
+ env_put(t_strconcat("SSL_CERT_USERNAME_FIELD=",
+ set->ssl_cert_username_field, NULL));
if (set->ssl_verify_client_cert)
env_put("SSL_VERIFY_CLIENT_CERT=1");
}
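Review bot: SSL_CERT_USERNAME_FIELD is exported unconditionally, unlike SSL_CIPHER_LIST just above which is only exported when the setting is non-empty, so an administrator who writes `ssl_cert_username_field =` with no value hands the login process an empty string; getenv() then returns a non-NULL value, OBJ_txt2nid("") presumably yields NID_undef, and the login process dies with "Invalid ssl_cert_username_field:" instead of falling back to commonName as the unset case does. Guarding the export the same way as the cipher list, `if (*set->ssl_cert_username_field != '\0')` around the env_put(), makes empty and unset behave identically. login_process_init_env() starts before this hunk, so it is not visible whether this block is already inside an SSL-enabled condition.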
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings-defs.c
--- a/src/master/master-settings-defs.c Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings-defs.c Sun Sep 09 05:54:32 2007 +0300
@@ -27,6 +27,7 @@ static struct setting_def setting_defs[]
DEF_STR(ssl_key_password),
DEF_INT(ssl_parameters_regenerate),
DEF_STR(ssl_cipher_list),
+ DEF_STR(ssl_cert_username_field),
DEF_BOOL(ssl_verify_client_cert),
DEF_BOOL(disable_plaintext_auth),
DEF_BOOL(verbose_ssl),
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings.c
--- a/src/master/master-settings.c Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.c Sun Sep 09 05:54:32 2007 +0300
@@ -183,6 +183,7 @@ struct settings default_settings = {
MEMBER(ssl_key_password) "",
MEMBER(ssl_parameters_regenerate) 168,
MEMBER(ssl_cipher_list) "",
+ MEMBER(ssl_cert_username_field) "commonName",
MEMBER(ssl_verify_client_cert) FALSE,
MEMBER(disable_plaintext_auth) TRUE,
MEMBER(verbose_ssl) FALSE,
diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings.h
--- a/src/master/master-settings.h Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.h Sun Sep 09 05:54:32 2007 +0300
@@ -41,6 +41,7 @@ struct settings {
const char *ssl_key_password;
unsigned int ssl_parameters_regenerate;
const char *ssl_cipher_list;
+ const char *ssl_cert_username_field;
bool ssl_verify_client_cert;
bool disable_plaintext_auth;
bool verbose_ssl;