[Dovecot] ssl-proxy: client certificates and crl check

HenkJan Wolthuis hj.wolthuis at kaw.nl
Thu Jun 1 11:13:58 EEST 2006


--- ssl-proxy-openssl.c.orig	2006-04-04 10:32:58.000000000 +0200
+++ ssl-proxy-openssl.c	2006-06-01 09:24:57.000000000 +0200
@@ -498,7 +498,7 @@
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
 {
 	X509 *x509;
-	char buf[1024];
+	char buf[256];
 	const char *name;
 
 	if (!ssl_proxy_has_valid_client_cert(proxy))
@@ -508,10 +508,16 @@
 	if (x509 == NULL)
 		return NULL; /* we should have had it.. */
 
-	X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
-	name = t_strndup(buf, sizeof(buf));
+	/* HJHJ */
+	/* the X509_N_gtbN can return -1 without 0-terminating buf */
+	/* if the call succeeds buf is 0-terminated (openssl 0.9.7e / 0.9.8b src) */
+	buf[0] = '\0';
+	if( X509_NAME_get_text_by_NID(X509_get_subject_name(x509),NID_commonName,buf,sizeof(buf)) < 0 )
+		{ buf[0] = '\0'; }
+	name = t_strndup(buf, sizeof(buf) );
 	X509_free(x509);
-
+	/* HJHJ */
+	
 	return *name == '\0' ? NULL : name;
 }
 
@@ -582,10 +588,22 @@
 	proxy = SSL_get_ex_data(ssl, extdata_index);
 
 	proxy->cert_received = TRUE;
+	
+	/* HJHJ */
+	char buf[1024];
+	X509_NAME_oneline( X509_get_subject_name(ctx->current_cert),buf,sizeof(buf));
+
 	if (!preverify_ok)
+		{
 		proxy->cert_broken = TRUE;
+		i_warning("BAD CERT %s: %s",X509_verify_cert_error_string(ctx->error),buf);
+		}
+	else
+		{ i_warning("CERT: %s",buf); } /* logging */
 
-	return 1;
+	return preverify_ok;
+	/* HJHJ */
+	
 }
 
 static int
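Review bot: `char buf[1024];` on the line after `proxy->cert_received = TRUE;` is a declaration after a statement, which the rest of this file avoids (see the declarations at the top of `ssl_proxy_get_peer_name`); move it up with the function's other declarations, which start outside the hunk. The `X509_NAME_oneline` return value is not checked, so a failure would log whatever `buf` held; `if (X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), buf, sizeof(buf)) == NULL) buf[0] = '\0';` covers that and uses the accessor instead of poking `ctx->current_cert`. Returning `preverify_ok` makes OpenSSL abort the handshake at the first failing chain element, so `proxy->cert_broken` is now set only moments before the connection is torn down and whatever later reads it (outside this hunk) may no longer be reached — worth stating in a comment such as `/* failing here aborts the handshake; cert_broken is kept for the logs only */` if that is intended. The callback runs once per certificate in the chain, so the `"CERT: %s"` warning fires for every chain element of every successful handshake; that belongs at info/debug level at most.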
@@ -666,10 +684,20 @@
 
 	if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
 		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
-				   SSL_VERIFY_CLIENT_ONCE,
+				   SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 				   ssl_verify_client_cert);
 	}
 
+	/* HJHJ */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+	X509_STORE *store;
+	if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
+		{ X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); }
+	else
+		{ i_warning("X509 get cert store failed..."); }	
+#endif
+	/* HJHJ */
+
 	/* PRNG initialization might want to use /dev/urandom, make sure it
 	   does it before chrooting. We might not have enough entropy at
 	   the first try, so this function may fail. It's still been
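Review bot: `X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)` is applied unconditionally, but nothing in this patch loads a CRL into the store; with these flags set and no CRL available, OpenSSL fails every client-certificate verification with `X509_V_ERR_UNABLE_TO_GET_CRL`, so unless a CRL is installed elsewhere this rejects all client certificates (and the `BAD CERT` warning in the verify callback would show that error). Tie the flags to a configured CRL file, load it with `X509_STORE_load_locations(store, crl_file, NULL)` and set the flags only when that succeeds, inside the existing `SSL_VERIFY_CLIENT_CERT` block. A CRL loaded once is also never refreshed in a long-lived process; once its nextUpdate passes, verification fails with `X509_V_ERR_CRL_HAS_EXPIRED`, so note the reload requirement: `/* CRL is loaded once; a restart is needed after the CRL is reissued */`. `X509_STORE *store;` is again a declaration after a statement and should move to the top of the block.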

