The result is the same with or without "<" before the file path. With "<" the inode atime is updated at Dovecot startup, so the file is at least opened, but Dovecot still can't verify the cert.

The only place in the Wiki that shows an example of ssl_client_ca_file is on this page, and there's no "<" in front of the file path:

http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)

On Mon, 21 Sep 2015, Christian Kivalo wrote:
> Hi
>
>> I've pointed ssl_client_ca_file to my root certificate store, but I
>> suspect ssl_client_ca_file is only used in imapc context. It seems to
>> be ignored in proxy context.
>>
>> doveconf -n ssl_client_ca_file:
>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> You are missing the "<" before the file path
>
> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>
> Regards
> Christian
Christian Kivalo
2015-Sep-21 08:50 UTC
Dovecot proxy ignores trusted root certificate store
On 2015-09-21 09:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
>
> http://wiki2.dovecot.org/Replication
>
> (quote)
> The client must be able to verify that the SSL certificate is valid,
> so you need to specify the directory containing valid SSL CA roots:
>
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)

For replication only settings? I can only guess as I currently don't use proxy nor replication.

Haven't found much about proxying and ssl but found a configuration parameter ssl_ca = </path/to/file maybe that works...

http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate verification/authentication

> On Mon, 21 Sep 2015, Christian Kivalo wrote:
>
>> Hi
>>
>>> I've pointed ssl_client_ca_file to my root certificate store, but I
>>> suspect ssl_client_ca_file is only used in imapc context. It seems
>>> to be ignored in proxy context.
>>>
>>> doveconf -n ssl_client_ca_file:
>>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>>
>> You are missing the "<" before the file path
>>
>> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>>
>> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>>
>> Regards
>> Christian

- Christian
On 21/09/15 17:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
>
> http://wiki2.dovecot.org/Replication
>
> (quote)
> The client must be able to verify that the SSL certificate is valid, so
> you need to specify the directory containing valid SSL CA roots:
>
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)

Suggesting that on Redhat you should specify "the directory containing valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy. Sounds like setting a file instead. So that bit of documentation should be treated as rather suspect.

Regards,
Andrew
On Mon, 21 Sep 2015, Christian Kivalo wrote:
> Haven't found much about proxying and ssl but found a configuration parameter
> ssl_ca = </path/to/file maybe that works...
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate
> verification/authentication

ssl_ca serves a different purpose, it's for setting your certificate authority in order to verify client certs you've issued.

Setting "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" does work to verify the proxy backend cert, at least the current Dovecot release, but it's a hack. It's misusing this setting for a different purpose than documented. I can't rely on this "solution" as it could break in a future Dovecot release.

The correct setting to use is ssl_client_ca_file. It's just not being applied in proxy mode. The patchset that implemented ssl_client_ca_file is here:

http://www.dovecot.org/list/dovecot-cvs/2013-April/023089.html

Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set the CAfile path, as it should, but apparently only when it's talking to an imapc storage backend, not when it's acting as a simple proxy. See

http://dovecot.org/pipermail/dovecot/2013-June/090884.html
On Mon, 21 Sep 2015, Andrew McN wrote:
>> http://wiki2.dovecot.org/Replication
>>
>> (quote)
>> The client must be able to verify that the SSL certificate is valid, so
>> you need to specify the directory containing valid SSL CA roots:
>>
>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
>> (end quote)
>>
>
> Suggesting that on Redhat you should specify "the directory containing
> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
> Sounds like setting a file instead. So that bit of documentation should
> be treated as rather suspect.
>
> Regards,
> Andrew

In some environments, root certs are stored in a hashed directory, in other environments they're stored in one file. One would typically use one setting or the other. I think ssl_client_ca_file was implemented later than ssl_client_ca_dir. The comment just needs to be updated.
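A diagnostic that separates the two causes this thread weighs (a CA bundle that cannot validate the backend's chain versus Dovecot not applying ssl_client_ca_file in proxy mode): this added Python script, not code from the thread or from Dovecot, performs the verification a proxy should perform, against the same bundle Dovecot was given. The backend host name and port are assumptions; the CA path and the "<" value convention are the ones discussed above.

```python
import socket
import ssl
from typing import Optional


def ca_path_from_setting(value: str) -> str:
    """Turn a Dovecot ssl_client_ca_file value into a filesystem path.

    Dovecot reads a file when the value starts with "<" (the convention
    debated in the thread), so strip that prefix before opening the file.
    """
    value = value.strip()
    return value[1:] if value.startswith("<") else value


def build_verifying_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Context that behaves as a proxy should: require a valid chain and
    check the hostname, trusting only the given CA bundle (system default
    if None)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def check_backend(host: str, port: int, ca_setting: str) -> dict:
    """Connect to the backend (assumed IMAPS, implicit TLS) and report whether
    the CA bundle validates its certificate. Returns a dict, never raises."""
    try:
        ctx = build_verifying_context(ca_path_from_setting(ca_setting))
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert["subject"])
                return {"ok": True, "subject": subject}
    except ssl.SSLCertVerificationError as e:
        # The bundle does not validate the chain: fix the CA file first.
        return {"ok": False, "reason": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        # Missing CA file, refused connection, timeout, other TLS failure.
        return {"ok": False, "reason": str(e)}


if __name__ == "__main__":
    # Host is an assumption for illustration; replace with your backend.
    print(check_backend("imap-backend.example.net", 993,
                        "</usr/local/share/certs/ca-root-nss.crt"))
```

If this reports ok with the same bundle that Dovecot's proxy rejects, the bundle is fine and the remaining difference is whether Dovecot applies the setting in proxy mode, as Alex concludes.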