On Mon, 21 Sep 2015, Andrew McN wrote:>> http://wiki2.dovecot.org/Replication >> >> (quote) >> The client must be able to verify that the SSL certificate is valid, so >> you need to specify the directory containing valid SSL CA roots: >> >> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu >> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat >> (end quote) >> > > Suggesting that on Redhat you should specify "the directory containing > valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy. > Sounds like setting a file instead. So that bit of documentation should > be treated as rather suspect. > > Regards, > AndrewIn some environments, root certs are stored in a hashed directory, in other environments they're stored in one file. One would typically use one setting or the other. I think ssl_client_ca_file was implemented later than ssl_client_ca_dir. The comment just needs to be updated.
Edgar Pettijohn
2015-Sep-21 21:07 UTC
Dovecot proxy ignores trusted root certificate store
doveconf -n? On 09/21/2015 12:45 PM, Alex Bulan wrote:> On Mon, 21 Sep 2015, Andrew McN wrote: > >>> http://wiki2.dovecot.org/Replication >>> >>> (quote) >>> The client must be able to verify that the SSL certificate is valid, so >>> you need to specify the directory containing valid SSL CA roots: >>> >>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu >>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat >>> (end quote) >>> >> >> Suggesting that on Redhat you should specify "the directory containing >> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy. >> Sounds like setting a file instead. So that bit of documentation should >> be treated as rather suspect. >> >> Regards, >> Andrew > > In some environments, root certs are stored in a hashed directory, in > other environments they're stored in one file. One would typically > use one setting or the other. > > I think ssl_client_ca_file was implemented later than > ssl_client_ca_dir. The comment just needs to be updated.
On Mon, 21 Sep 2015, Edgar Pettijohn wrote:> doveconf -n?doveconf -n|grep ssl should suffice: ssl = required ssl_ca = </usr/local/share/certs/ca-root-nss.crt ssl_cert = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix. ssl_client_ca_file should be used instead, but it has no effect in proxy mode: ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt This doesn't work either (and the Dovecot Wiki shows it used without "<"): ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt And "ssl_require_crl = no" to silence "unable to get certificate CRL" log messages. I don't need it to check CRLs on the backend's certificate chain.
Apparently Analagous Threads
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store