dovecot-2.1: *-login: Added ssl_require_crl setting.
dovecot at dovecot.org
dovecot at dovecot.org
Wed Apr 25 22:28:10 EEST 2012
details: http://hg.dovecot.org/dovecot-2.1/rev/008c1afeba3c
changeset: 14484:008c1afeba3c
user: Timo Sirainen <tss at iki.fi>
date: Wed Apr 25 22:28:03 2012 +0300
description:
*-login: Added ssl_require_crl setting.
diffstat:
doc/example-config/conf.d/10-ssl.conf | 3 +++
src/login-common/login-settings.c | 2 ++
src/login-common/login-settings.h | 1 +
src/login-common/ssl-proxy-openssl.c | 2 +-
4 files changed, 7 insertions(+), 1 deletions(-)
diffs (55 lines):
diff -r 96800058f29b -r 008c1afeba3c doc/example-config/conf.d/10-ssl.conf
--- a/doc/example-config/conf.d/10-ssl.conf Wed Apr 25 22:12:26 2012 +0300
+++ b/doc/example-config/conf.d/10-ssl.conf Wed Apr 25 22:28:03 2012 +0300
@@ -23,6 +23,9 @@
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
diff -r 96800058f29b -r 008c1afeba3c src/login-common/login-settings.c
--- a/src/login-common/login-settings.c Wed Apr 25 22:12:26 2012 +0300
+++ b/src/login-common/login-settings.c Wed Apr 25 22:28:03 2012 +0300
@@ -38,6 +38,7 @@
DEF(SET_STR, ssl_client_key),
DEF(SET_STR, ssl_crypto_device),
DEF(SET_BOOL, ssl_verify_client_cert),
+ DEF(SET_BOOL, ssl_require_crl),
DEF(SET_BOOL, auth_ssl_require_client_cert),
DEF(SET_BOOL, auth_ssl_username_from_cert),
DEF(SET_BOOL, verbose_ssl),
@@ -72,6 +73,7 @@
.ssl_client_key = "",
.ssl_crypto_device = "",
.ssl_verify_client_cert = FALSE,
+ .ssl_require_crl = TRUE,
.auth_ssl_require_client_cert = FALSE,
.auth_ssl_username_from_cert = FALSE,
.verbose_ssl = FALSE,
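Review bot: The default `.ssl_require_crl = TRUE` on the new line turns a previously tolerated condition into a hard verification failure for every deployment that does not explicitly opt out: in the ssl-proxy-openssl.c hunk of this same changeset, X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED were accepted on the client_proxy path unconditionally and are now accepted only when the setting is off. Strict-by-default is the safer choice, but the behaviour change is not visible from the settings table and deserves a comment on the default, e.g. `.ssl_require_crl = TRUE, /* CRL lookup/expiry errors are fatal unless explicitly disabled */`. Per the 10-ssl.conf comment above the new lines, whether the check can succeed presumably depends on the CRL(s) being appended to ssl_ca, so installations with a bare CA file are the ones affected.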
diff -r 96800058f29b -r 008c1afeba3c src/login-common/login-settings.h
--- a/src/login-common/login-settings.h Wed Apr 25 22:12:26 2012 +0300
+++ b/src/login-common/login-settings.h Wed Apr 25 22:28:03 2012 +0300
@@ -20,6 +20,7 @@
const char *ssl_client_key;
const char *ssl_crypto_device;
bool ssl_verify_client_cert;
+ bool ssl_require_crl;
bool auth_ssl_require_client_cert;
bool auth_ssl_username_from_cert;
bool verbose_ssl;
diff -r 96800058f29b -r 008c1afeba3c src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed Apr 25 22:12:26 2012 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Wed Apr 25 22:28:03 2012 +0300
@@ -864,7 +864,7 @@
proxy = SSL_get_ex_data(ssl, extdata_index);
proxy->cert_received = TRUE;
- if (proxy->client_proxy &&
+ if (proxy->client_proxy && !proxy->set->ssl_require_crl &&
(ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL ||
ctx->error == X509_V_ERR_CRL_HAS_EXPIRED)) {
/* no CRL given with the CA list. don't worry about it. */
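Review bot: The comment on the line after the changed condition, `/* no CRL given with the CA list. don't worry about it. */`, no longer describes the branch: it is now entered only when ssl_require_crl is off, and it also covers X509_V_ERR_CRL_HAS_EXPIRED, which is a stale CRL rather than a missing one. Suggest `/* ssl_require_crl=no: tolerate a missing or expired CRL for the CA list */`. The condition is still gated on `proxy->client_proxy`; if that flag marks the outgoing-proxy (TLS client) side as its name suggests, the setting only relaxes verification of the remote server's certificate, whereas the example-config text in this changeset describes it as applying to client certificates — one of the two should be reconciled. The enclosing verify callback begins before and continues past this hunk.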