[Dovecot] ssl-proxy: client certificates and crl check

Timo Sirainen tss at iki.fi
Sun Jun 11 17:51:39 EEST 2006


On Thu, 2006-06-01 at 10:13 +0200, HenkJan Wolthuis wrote:
> Hi,
> 
> I've attached a new version of my patch against ssl_proxy-openssl.c
> which:

Thanks, committed to CVS now although with some changes.

> - ssl_verify_client_cert now returns 0 in case of an invalid cert. Was
> there a reason why it always returned 1?

Yes. ssl_verify_client_cert=yes doesn't require the certificate to be
valid. Only ssl_require_valid_client_cert=yes in auth settings does
that. This allows for some people to authenticate with certificates and
others to authenticate the usual way. So I dropped this part of your
patch.

> +	if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
> +		{ X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); }
> +	else
> +		{ i_warning("X509 get cert store failed..."); }	
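Review bot: the hunk enables X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL on the store but nothing here loads a CRL into it; once these flags are set, OpenSSL rejects every certificate whose issuer has no CRL present in the store (verification error X509_V_ERR_UNABLE_TO_GET_CRL), so a server without a CRL would stop accepting any client certificate at all. The CRL needs to be added to the same store (X509_STORE_add_crl, or X509_STORE_load_locations pointing at a file or hashed directory that contains it) before the flags are set, or the flags should only be set when a CRL has actually been configured; either way the commit should say which setting supplies the CRL and what happens when it is absent. Minor: the i_warning text "X509 get cert store failed..." would be more useful if it named the function (SSL_CTX_get_cert_store) that failed.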

Can it ever return NULL? Looking at the manual page it didn't seem so,
so I dropped the NULL-check from here.
