Michal Soltys
2006-Jul-07 22:55 UTC
[Dovecot] Authentication by certificates (a bug or my misconfiguration)
Today I've been trying to get dovecot (1.0 rc2) to use certificates for client side authentication. If my memory serves right, beta8 had no problems with it (although it was some time ago and on a different machine). A similar setup works perfectly well for postfix (for authentication that is, on the same machine). Originally I thought I overdid some certificate settings (keyUsage, nsCertType, etc.), so for the sake of testing I've simplified the setup to the bare minimum: 1 simple self-signed root certificate, another 1 for dovecot, and the last one for the user. Unfortunately, the results were the same.

Configuration:

OpenBSD 3.9 (stable branch), i386, no nfs or afs (only local ffs)
standard OpenSSL 0.9.7g (+ patches)
dovecot 1.0 rc2, compiled from sources, with sysconfdir set to /etc and with pam disabled

Tested with the most recent Opera and Mozilla Thunderbird, using pop3s. (note: both clients work with postfix, authenticating only by certificates). They do send the requested certificates.

Important dovecot configuration:

ssl_cert_file = /etc/ssl/ca_ppgk/certs/pop3_crt.pem (common name - pop3.ppgk.com.pl, valid dns name)
ssl_key_file = /etc/ssl/ca_ppgk/private/pop3_key.pem
ssl_ca_file = /etc/ssl/ca_ppgk/ca_crt.pem
ssl_verify_client_cert = yes
verbose_ssl = yes
auth_verbose = yes
ssl_require_client_cert = yes
ssl_username_from_cert = (tested both with yes and no, with the common name of the user certificate set both as username at domain or as bare username)

The rest is just pretty standard, using passwd for both user auth and userdb, with plain and login mechanisms allowed. I tested "a few" sets of certificates (for ca, server and user) with configurations ranging from quite specific ones (with basicConstraints, nsCertType, keyUsage, extendedKeyUsage fields set) to very simple ones (basicConstraints + typical stuff like subjectKeyIdentifier). All of them gave the same results with dovecot (postfix didn't complain about any of them either).
This is what I get in the logs when trying to pull mail using Opera or Mozilla:

Jul 7 14:33:47 ppgk-wa dovecot: Dovecot v1.0.rc2 starting up
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms at ppgk.com.pl/emailAddress=adminms at ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin at ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin at ppgk.com.pl
Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms at ppgk.com.pl/emailAddress=adminms at ppgk.com.pl
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 1 reason=Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 2 LOGIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): LOGIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 2 reason=Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client in: AUTH 3 PLAIN service=POP3 secured lip=192.168.100.77 rip=192.168.100.75 resp=<hidden>
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): PLAIN(?,192.168.100.75): Client didn't present valid SSL certificate
Jul 7 14:34:05 ppgk-wa dovecot: auth(default): client out: FAIL 3 reason=Client didn't present valid SSL certificate
Jul 7 14:34:07 ppgk-wa dovecot: pop3-login: Disconnected: method=PLAIN, rip=192.168.100.75, lip=192.168.100.77, TLS

Those two "Invalid certificate" lines, followed immediately by two "Valid certificate" lines, seem suspicious. Is there some configuration detail I might have missed or messed up, or is it (probably) a bug?
HenkJan Wolthuis
2006-Jul-08 11:16 UTC
[Dovecot] Authentication by certificates (a bug or my misconfiguration)
Hello Michal,

> Today I've been trying to get dovecot (1.0 rc2) to use certificates
> for client side authentication. If my memory serves right, beta8
> had no problems with it (although it was some time ago and on different

I'm not using .rc2 yet, I'm using dovecot-20060612 with client certs / CRLs. I'm not sure, but maybe this is the problem: after beta8, CRL checking was added, and ssl_ca_file should be a file with the ca_cert followed by a CRL (certificate revocation list). If this is the problem, you can:

1) generate a CRL, add the CRL to ca_cert.pem (CRL in PEM format)
or
2) comment out the CRL checking code in ssl_proxy_openssl.c, it's in the ssl-proxy_init() function, between #if OPENSSL_VERSION_NUMBER >= 0x00907000L and the matching #endif, and recompile

One other thing to notice: ssl_proxy_get_peer_name now returns the CommonName from the client certificate, and not the whole DN!

> Those two "Invalid certificate" lines, followed immediately by two
> "Valid certificate" lines seem suspicious.

I think that's because ssl-verify_client_cert() returns 1. I've seen the same behaviour here. Change it to preverify_ok, then it should log verification error messages (and drop the connection in case of an invalid client certificate).

success!

-- 
groeten,
HenkJan Wolthuis
HenkJan Wolthuis
2006-Jul-11 09:10 UTC
[Dovecot] Authentication by certificates (a bug or my misconfiguration)
Hi Alexander,

> Thanks for the quick reply; rearranging the certs didn't seem to do
> much for the setup; I guess I'm getting one thing wrong, which was the
> cause for my followup. How can I make dovecot only rely on cert and no
> further authentication for giving access to the user, when making
> dovecot lift the user ID from the client cert?

Hmm, I don't think that's the reason for the "invalid certificate" error. Another question: are the client certificates and the server certificate signed by the same CA?

In case you want the ssl-verify error in the logfiles: in src/login-common/ssl-proxy-openssl.c, line 607, change:

    i_info("Invalid certificate: %s", buf);

to:

    i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error), buf);

should help (tested on beta8) (don't forget to recompile, install, restart ;-))

success!

-- 
groeten,
HenkJan Wolthuis
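The two points raised in the replies above, that a verifier with CRL checking enabled needs a CRL behind the CA certificate in the trust file, and that the verifier's error string (what X509_verify_cert_error_string() returns) tells you why a chain was rejected, can be reproduced with nothing but the openssl command line. The script below is an added example, not code from the thread or from Dovecot; it assumes an openssl binary is on PATH and builds a throwaway CA, client certificate and CRL (all names, subjects and paths are made up for the demo). It then verifies the client certificate three times with -crl_check: against the CA certificate alone, against CA certificate + CRL (the ssl_ca_file layout described above), and against CA certificate + a CRL that revokes the client.

```shell
#!/bin/sh
# Added example: CA + CRL trust file layout and verifier error strings.
# Assumes an openssl CLI; every name below is made up for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal "openssl ca" setup so we can issue, revoke and publish a CRL.
setup_ca() {
    mkdir -p ca/newcerts
    : > ca/index.txt
    echo 1000 > ca/serial
    echo 1000 > ca/crlnumber
    cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca_crt.pem
private_key = $dir/ca_key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Demo
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout ca/ca_key.pem -out ca/ca_crt.pem -subj "/CN=RootCA" \
        -config ca/openssl.cnf 2>/dev/null
}

issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout client_key.pem \
        -out client_csr.pem -subj "/CN=adminms" -config ca/openssl.cnf 2>/dev/null
    openssl ca -batch -notext -config ca/openssl.cnf \
        -in client_csr.pem -out client_crt.pem 2>/dev/null
}

# Verify $2 against trust file $1 with CRL checking, the way a server that
# enables CRL checks does.  Prints ok / no-crl / revoked / fail:<reason>.
# The reason text is the same string X509_verify_cert_error_string() yields.
verify_result() {
    out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    case "$out" in
        *"unable to get certificate CRL"*) echo no-crl ;;
        *"certificate revoked"*)           echo revoked ;;
        *)                                 echo "fail: $out" ;;
    esac
}

setup_ca
issue_client_cert

# 1) CA certificate only: signature is fine, but no CRL for the issuer.
cp ca/ca_crt.pem ca_only.pem
RESULT_NO_CRL=$(verify_result ca_only.pem client_crt.pem)

# 2) CA certificate followed by an (empty) CRL in the same PEM file.
openssl ca -config ca/openssl.cnf -gencrl -out ca/crl.pem 2>/dev/null
cat ca/ca_crt.pem ca/crl.pem > ca_with_crl.pem
RESULT_WITH_CRL=$(verify_result ca_with_crl.pem client_crt.pem)

# 3) Revoke the client, reissue the CRL, rebuild the trust file.
openssl ca -config ca/openssl.cnf -revoke client_crt.pem 2>/dev/null
openssl ca -config ca/openssl.cnf -gencrl -out ca/crl.pem 2>/dev/null
cat ca/ca_crt.pem ca/crl.pem > ca_with_crl.pem
RESULT_REVOKED=$(verify_result ca_with_crl.pem client_crt.pem)

printf 'CA only:           %s\nCA + CRL:          %s\nCA + CRL, revoked: %s\n' \
    "$RESULT_NO_CRL" "$RESULT_WITH_CRL" "$RESULT_REVOKED"
```

The first run fails with "unable to get certificate CRL" even though the certificate is validly signed, which is the situation a CA-only ssl_ca_file produces once the server insists on CRL checks; the second passes; the third is rejected with "certificate revoked". A PEM file given to -CAfile (and to SSL_CTX_load_verify_locations, which Dovecot uses for ssl_ca_file) is read for both certificates and CRLs, so simply concatenating the CRL after the CA certificate is enough. Remember the CRL carries a nextUpdate: once it expires, verification fails again until a fresh CRL is appended.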