HenkJan Wolthuis
2006-May-11 14:36 UTC
[Dovecot] mandatory client certificates and crl check in ssl-proxy-openssl.c
hello,

I made a modification to ssl-proxy-openssl.c (patch attached) so that it

a) disconnects when no client certificate is presented
b) checks the client certificate against the CRL for our root cert (so you can't use a revoked client cert)
c) returns the CommonName from the client cert in ssl_proxy_get_peer_name (this way it's easier to use dovecot as imap-proxy with a passwd-like userdb, ssl_require_client_cert and ssl_username_from_cert; it "binds" the email user to the client certificate, so a client cert can access only the account from the userdb)

In order to use it, the CAfile must be a file which contains the CA certificate (PEM format) followed by the CRL (also in PEM format). (The server cert and the client certs are signed with a self-signed root cert.)

There are some issues with the patch:

a) it needs openssl > 0.9.7 for the CRL checking
b) ssl_verify_client_cert now returns 0 in case of an invalid cert. Was there a reason why it always returned 1?
c) I'm not too happy with the CommonName extraction code, is it secure??
d) I've no experience with programming openssl or dovecot
e) I haven't programmed in C for at least 8 years...

Does anyone here have more issues, corrections, comments on the patch? Can/should this functionality be implemented in dovecot? (conf-file option?)

-- 
regards,
HenkJan Wolthuis

Attachment: patch.txt
URL: <http://dovecot.org/pipermail/dovecot/attachments/20060511/355a1b07/attachment.txt>
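As an added example (not the poster's patch, which is not reproduced on this page, and not Dovecot code), the same three checks expressed with Python's standard ssl module, which sets the same OpenSSL verify flags a C patch against ssl-proxy-openssl.c would: a client certificate is required, the leaf certificate is checked against the CRL loaded from a CAfile that holds the CA certificate followed by its CRL, and the CommonName is extracted with rejection of ambiguous or malformed names before it is used to select a userdb account. USERDB and the certificate dicts in the test are constructed sample data.

```python
import ssl
from typing import Optional

# Constructed passwd-like userdb (CN of the client cert -> mail account);
# stands in for the poster's passwd-like userdb, not real data.
USERDB = {"alice": "alice@example.org", "bob": "bob@example.org"}


def make_server_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server context carrying checks a) and b) from the post.

    cafile is a PEM file holding the CA certificate followed by its CRL;
    OpenSSL reads both object types from one file. It is optional here
    only so the flags can be inspected without certificates on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # a) no client certificate -> the handshake fails (OpenSSL's
    #    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT).
    ctx.verify_mode = ssl.CERT_REQUIRED
    # b) the leaf certificate must not appear on the issuer's CRL
    #    (X509_V_FLAG_CRL_CHECK). With this flag a missing or expired CRL
    #    also fails verification, so the CRL in the CAfile must be current.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def cert_common_name(peer_cert: Optional[dict]) -> Optional[str]:
    """Check c): the single CommonName of a verified peer cert, else None.

    peer_cert is SSLSocket.getpeercert() in dict form; None or {} means no
    verified certificate. Zero or several CNs, an empty CN, or a CN with
    control characters are rejected, because the value selects an account.
    """
    if not peer_cert:
        return None
    names = [value for rdn in peer_cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    if len(names) != 1:
        return None
    cn = names[0]
    if not cn or any(ord(ch) < 0x20 or ch == "\x7f" for ch in cn):
        return None
    return cn


def account_for_peer(peer_cert: Optional[dict]) -> Optional[str]:
    """Bind the client certificate to exactly one userdb account."""
    cn = cert_common_name(peer_cert)
    return None if cn is None else USERDB.get(cn)
```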