zhong ming wu
2010-Feb-28 02:45 UTC
[Dovecot] client cert handling not working properly on centos 4.8
Dear List

I've successfully installed/configured dovecot 1.2.10 with "require client cert" on centos 5.4 and ubuntu server 9.10. I also need to install on centos 4.8, and after following the exact same procedure I can only get it working if I comment out ssl_require_client_cert = yes and ssl_username_from_cert = yes from the working config file. This is even after compiling dovecot with openssl 0.9.8l on centos 4.8.

If I copy the same "client_ca.crt" from centos 4.8 to centos 5.4, then centos 5.4 has no problem verifying the client cert. That file contains the CRL as well as the certificate which signs the pkcs12 file installed on the client.

The following log entries do not appear on centos 5.4:

------------------
Feb 27 21:17:33 localhost dovecot: pop3-login: Invalid certificate: unable to get certificate CRL: /C=US/ST=New York/L=Astoria/O=SnakeOil Inc./OU=Email Administration/CN=web at example.com
Feb 27 21:17:33 localhost dovecot: pop3-login: Valid certificate: /C=US/ST=NY/L=TEST/O=Internet Widgits Pty Ltd
-------------------

$ dovecot -n
# OS: Linux 2.6.9-89.0.20.EL i686 CentOS release 4.8 (Final) ext3
base_dir: /var/run/dovecot/
protocols: pop3
listen: 192.168.0.110
ssl_ca_file: /etc/pki/certs/dovecot/client_ca.crt
ssl_cert_file: /etc/pki/certs/vrane.com/pop.crt
ssl_key_file: /etc/pki/private/vrane.com/pop.key
ssl_parameters_regenerate: 29
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /var/run/dovecot//login
login_executable: /usr/libexec/dovecot/pop3-login
mail_location: maildir:/home/vmail/%d/%n
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
auth default:
  user: squab
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /etc/dovecot/shadow/%d
  userdb:
    driver: static
    args: uid=2000 gid=2000 home=/home/vmail/%d/%n
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
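An added diagnostic example, not from the original post: it reproduces the check behind the log line ("unable to get certificate CRL" is OpenSSL verify error 3) with the openssl CLI, against a throwaway CA whose certificate and CRL are bundled into one PEM file the way the poster's client_ca.crt is, and then against the same CA file with the CRL left out. It assumes only that the openssl binary is installed; every name and path below is constructed.

```shell
#!/bin/sh
# Added example: reproduce the "unable to get certificate CRL" check with the
# openssl CLI. Assumes only the openssl binary; every name below is constructed.

# Build a throwaway PKI in a temp dir and print the directory. Runs in a
# subshell so the cd does not leak into the caller.
make_demo_pki() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    # Self-signed CA (plays the role of client_ca) and a client cert it signs.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo Client CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=demo client" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out client.crt -days 1 >/dev/null 2>&1
    # Minimal "openssl ca" config: just what -gencrl needs to issue an empty CRL.
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
crlnumber = crlnumber
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_crl_days = 1
EOF
    : > index.txt
    echo 1000 > crlnumber
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
    # CA cert + CRL in one PEM file: the layout of the poster's client_ca.crt.
    cat ca.crt ca.crl > client_ca.crt
    echo "$dir"
)

# Verify CERT ($2) against the CA file ($1) with CRL checking on. -CAfile loads
# both certificates and CRLs from the file, so the CRL must be in the bundle.
# Returns 0 when the chain and CRL check pass, non-zero otherwise.
verify_client_cert() {
    openssl verify -CAfile "$1" -crl_check "$2"
}

if [ "${1:-}" = "demo" ]; then
    pki=$(make_demo_pki)
    # With the CRL in the bundle: prints "<path>/client.crt: OK".
    verify_client_cert "$pki/client_ca.crt" "$pki/client.crt"
    # Same CA without its CRL: prints "unable to get certificate CRL".
    verify_client_cert "$pki/ca.crt" "$pki/client.crt"
fi
```

Run it as `sh demo.sh demo`; the second verify is the failing case and is the one to compare with the CentOS 4.8 log entry.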