[Dovecot] ssl-proxy: client certificates and crl check

HenkJan Wolthuis hj.wolthuis at kaw.nl
Mon Jun 12 13:30:07 EEST 2006


Hi Timo,

> Thanks, committed to CVS now although with some changes.

Nice!

>> - ssl_verify_client_cert now returns 0 in case of an invalid cert. Was
>> there a reason why it always returned 1?

> Yes. ssl_verify_client_cert=yes doesn't require the certificate to be
> valid. Only ssl_require_valid_client_cert=yes in auth settings does
> that. This allows for some people to authenticate with certificates and
> others to authenticate the usual way. So I dropped this part of your
> patch.

OK, you also changed SSL_VERIFY_FAIL_IF_NO_PEER_CERT back to
SSL_VERIFY_CLIENT_ONCE, same reason? Maybe the valid-client-cert feature
can have a conf file switch, or a #define in the source code. What's your
opinion?

>> +	if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
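
Review bot: on the quoted `if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )` line, the condition both assigns `store` and tests it, and nothing visible here shows what happens when the test fails, so a NULL store would silently skip whatever the guarded block sets up. Either drop the test, which the replies below conclude is safe because a failed SSL_CTX_new() is already fatal, or give it an explicit failure path; in both cases assign `store` on its own line so the condition only tests.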

> Can it ever return NULL? Looking at the manual page it didn't seem so,
> so I dropped the NULL-check from here.

No, SSL_CTX_new() returns NULL (1) if the "store" can't be malloc'ed;
ssl-proxy-openssl.c checks this and fails with i_fatal(). So the
NULL-check can be dropped. (1: openssl 0.9.7d source)

-- 

groeten,

HenkJan Wolthuis


