[Dovecot] ssl-proxy: client certificates and crl check

HenkJan Wolthuis hj.wolthuis at kaw.nl
Tue Jun 13 17:50:52 EEST 2006


Hi Timo,

> Well, at least I want to avoid adding more options to config file.. Why
> do you think it's so much better to disconnect immediately? Do clients
> then give good error messages if that happens?

Tested with Thunderbird 1.0.2 and a revoked user certificate, on connect 
I got the following results:

cvs-nightly-20060613 asks for a password, returns "login to server 
localhost failed" and asks for the password again.

modified cvs-nightly-20060613 (ssl_verify_client_cert() returning 
'preverify_ok' instead of '1') returns "could not establish an encrypted 
connection with localhost because your certificate has been revoked", 
then disconnects. The error messages on the client side are more useful 
in this case. (imho).....

> One possibility would be to send also the ssl_require_valid_client_cert
> setting to the login process, and disconnect immediately if that's yes.
ok....

> One problem with that is however that it's possible to have multiple
> auth blocks with different ssl_require_valid_client_cert values, so the
> code would have to check that all of them have it.

I'm afraid I don't understand... In the config-file there's only "auth default {}"
The wikipage MultipleAuth doesn't seem related to this. Can you explain? 


PS:
I also modified the i_info call in ssl_verify_client_cert() to:

    /* log OpenSSL's reason string together with the subject name in buf */
    i_info("Invalid certificate: %s %s",
           X509_verify_cert_error_string(ctx->error), buf);

This way the verification error is also logged.

-- 

groeten,

HenkJan Wolthuis