dovecot - May 2006 - mandatory client certificates and crl check in ssl-proxy-openssl.c

hello,

I made a modification to ssl-proxy-openssl.c (patch attached) zo that it
a) disconnects when no client certificate is presented
b) checks the client certificate against the crl for our root cert. (so 
you can't use a revoked client cert.)
c) returns the CommonName from the client cert. in 
ssl_proxy_get_peer_name (this way it's easier to use dovecot as 
imap-proxy with a passwd-like userdb, ssl_require_client_cert and 
ssl_username_from_cert, it "binds" the emailuser to the 
clientcertificate, a clientcert. can access only the account from the 
userdb)

in order to use it, the CAfile must be a file which contains the 
CAcertificate (pem format) followed by the CRL (also in pem format). 
(servercert and the clientcerts are signed with a self-signed rootcert)

there are some issues with the patch:
a) it needs openssl > 0.9.7 for the CRL checking
b) ssl_verify_client_cert now returns 0 in case of an invalid cert. was 
there a reason why it always returned 1?
c) i'm not too happy with the commonname extraction code, is it secure??
d) i've no experience with programming openssl or dovecot
e) i haven't programmed in C for at least 8 years......

does anyone here have more issues, corrections, comments on the patch?
can/should this functionality be implemented in dovecot? (conf-file option?)

-- 

groeten,

HenkJan Wolthuis

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060511/355a1b07/attachment.txt>