Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet).

Expected behavior: Stop the SSL (the client doesn't have a cert installed)
Current behavior: Mail clients accept SSL and login succeeds (both Evolution and Thunderbird).

My bad? Please advise.

Q2) The next step, if dovecot blocks the client because of the verify_client_cert, how to create certs for OE, Evolution and Thunderbird?

Thanks,
Leroy

Server type: Linux Red Hat ES 4.4 (32bit)

# ./dovecot -n
# /drbd/imap/dovecot-1.0.rc26/etc/dovecot.conf
log_path: /drbd/imap/dovecot-1.0.rc26/var/dovecot.log
protocols: imaps
listen: a.b.c.39:143
ssl_listen: a.b.c.39:993
ssl_ca_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/cacert_with_crl.pem
ssl_cert_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-signedcertificate.pem
ssl_key_file: /drbd/imap/dovecot-1.0.rc26/etc/certs/CA/imaps-privatekey.pem
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /drbd/imap/dovecot-1.0.rc26/var/run/dovecot/login
login_executable: /drbd/imap/dovecot-1.0.rc26/libexec/dovecot/imap-login
verbose_proctitle: yes
mail_extra_groups: mail
mail_location: mbox:~/:INBOX=/var/mail/%u
mmap_disable: yes
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle
auth default:
  mechanisms: plain login digest-md5 cram-md5
  verbose: yes
  passdb:
    driver: passwd-file
    args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  passdb:
    driver: pam
  userdb:
    driver: passwd-file
    args: /drbd/imap/dovecot-1.0.rc26/etc/userdb_extra
  userdb:
    driver: passwd

Details (LONG) follow:

# cat cacert_with_crl.pem
-----BEGIN CERTIFICATE-----
MIICxzCCAjCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBE
ZWxmdCBIeWRyYXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBI
b2xsYW5kMQswCQYDVQQGEwJOTDAeFw0wNzAzMDgxMjE1MzhaFw0xNzAzMDUxMjE1
MzhaMFIxHDAaBgNVBAoTE1dMIERlbGZ0IEh5ZHJhdWxpY3MxDjAMBgNVBAcTBURl
bGZ0MRUwEwYDVQQIEwxadWlkIEhvbGxhbmQxCzAJBgNVBAYTAk5MMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCp4s55PxpcEgk1KhAJ3DA/DXKHBtUoAE3K273t
1nJzuAujA0mfVtpinDdpreHp53bVGSN5xIDZ+Ljy8wW7lPB5YSwBQFbIoFx/6NkI
QPkYeVZ0NrFC1g2tZRD4ObRkqFuApr60+NokY+e3KuInnCdAf0Itb4VVolMvWccz
vqdJBQIDAQABo4GsMIGpMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFPynIoyRPF2s
UiGO+3RQr2pThXzQMHoGA1UdIwRzMHGAFPynIoyRPF2sUiGO+3RQr2pThXzQoVak
VDBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRyYXVsaWNzMQ4wDAYDVQQHEwVEZWxm
dDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQswCQYDVQQGEwJOTIIBADANBgkqhkiG
9w0BAQQFAAOBgQAtRPC7laBPuOMAein4ZXjxSia6l7XjpAI/A2bXFvbV1ulNzbno
KYbeqfv6zp1SLWrKvwGeu4DrHLe098ATADqLWANqNqfI5t40nND1rsfGmjGTOJ7v
/Q53AaTXEBn2D1ZIqGMUuFOXv0BFi1U2BmPyTt6hlZ1D7wTERxo0UGXFXw=
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBFzCBgTANBgkqhkiG9w0BAQQFADBSMRwwGgYDVQQKExNXTCBEZWxmdCBIeWRy
YXVsaWNzMQ4wDAYDVQQHEwVEZWxmdDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMQsw
CQYDVQQGEwJOTBcNMDcwMzA4MTIyODE5WhcNMDcwNDA3MTIyODE5WjANBgkqhkiG
9w0BAQQFAAOBgQBnXWqvR9oS674EyNHYoOmv0KeFcVqLOUpR7bVGbMYvCsMc56yy
E473NULD0EL0BZFMgGdN05e53KLnOoLiuvFuhCAxZW7o7f72lJC+wegFwROp7OOc
aKJ5lumaZ86Xb0uM8N/yJ/5xxCubrt1TYGQYPTjoQo4rJccpFy8aeqNDrA=
-----END X509 CRL-----

# cat imaps-signedcertificate.pem
-----BEGIN CERTIFICATE-----
MIICHTCCAYYCAQEwDQYJKoZIhvcNAQEEBQAwUjEcMBoGA1UEChMTV0wgRGVsZnQg
SHlkcmF1bGljczEOMAwGA1UEBxMFRGVsZnQxFTATBgNVBAgTDFp1aWQgSG9sbGFu
ZDELMAkGA1UEBhMCTkwwHhcNMDcwMzA4MTIyMDA2WhcNMDgwMzA3MTIyMDA2WjBc
MQswCQYDVQQGEwJOTDEVMBMGA1UECBMMWnVpZCBIb2xsYW5kMRwwGgYDVQQKExNX
TCBEZWxmdCBIeWRyYXVsaWNzMRgwFgYDVQQDEw9pbWFwLndsZGVsZnQubmwwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlEnCZu2o7LGp1x1rwBY2nZJH49L7by
F8GVRpnoi7wnvXV11Iy7JUd0qbyBDWNn6EiBJ2YMemSmceVpXtyxI6wbBqmq0kgn
1VmglFUcYXRx6mkXuMx17OXpqSB9jNU22ldn20h/Xr1yhJ8W/RpohG9u6jebFiF3
qJXdyjXJqPSBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAVwOhL3FICQeMJOSxil2S
K1TiN+6zjrVDq7L7t7myOkWJA6hrZcPWQZfCV5ZoWaG8nREdesKAQBRvkT6uwmcJ
3pYpc/iBTtmwCpEVjfv0Ki9VwXpWuRo0FcQkrc8MVbclwnkGmtPAJAY7Dz7U/uBf
w4N5cj1pfHltVEeD9Jb9tBo
-----END CERTIFICATE-----

# cat imaps-privatekey.pem
-----BEGIN RSA PRIVATE KEY-----
<better not include this :)>
-----END RSA PRIVATE KEY-----
On Thu, 2007-03-08 at 13:51 +0100, Leroy van Logchem wrote:
> Q1)
> I can't get ssl_verify_client_cert=yes working.
> The ssl key and cert are signed using our CA.
> Also the ssl_ca_file has a CRL appended (no revokes yet).
>
> Expected behavior:
> Stop the SSL (the client doesn't have a cert installed)
>
> Current behavior:
> Mail clients accepts SSL and login succeeds.
> (both Evolution and Thunderbird).
>
> My bad? Please advise.

You'll also need to set ssl_require_client_cert=yes in auth section. I added that now to ssl_verify_client_cert's comments.

> Q2)
> The next step, if dovecot blocks the client because
> of the verify_client_cert, how to create certs for OE,
> Evolution and Thunderbird?

I don't think most clients support SSL client certificates at all, although I know some people are using them with some clients.. Maybe someone could add a list of the clients supporting them into wiki.
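An added example, not from this thread, from Dovecot or from any of the posters, of the openssl command-line steps behind Q2: issue a per-user client certificate from a CA and package it as the PKCS#12 (.p12) bundle that mail clients import. A throwaway self-signed CA stands in for the poster's real CA; the organisation name, user name, e-mail address, passphrase and output directory are all constructed for the demo. The comment block carries the two server-side settings from the answer above (ssl_verify_client_cert globally, ssl_require_client_cert inside auth default), in the Dovecot 1.0 syntax the thread uses.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): issue an IMAP client
# certificate from a private CA and export it for Thunderbird/Evolution/OE.
# All names, the passphrase and the output directory are made up for the demo.
#
# Server side, Dovecot 1.0 syntax as in the thread (ssl_require_client_cert
# lives inside the auth section, not at top level):
#   ssl_ca_file = /path/to/ca.pem       # CA cert, with its CRL appended
#   ssl_verify_client_cert = yes
#   auth default {
#     ssl_require_client_cert = yes
#   }
set -e

# Throwaway CA standing in for the poster's own CA (constructed names).
#   make_ca DIR
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Org/CN=Example Mail CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue one client certificate: key + CSR (normally generated on the user's
# machine), signed by the CA, then bundled with the key into a .p12 because
# that is the only form the mail clients named in the thread can import.
#   issue_client_cert DIR NAME CN EMAIL P12PASS
issue_client_cert() {
    dir=$1; name=$2; cn=$3; email=$4; p12pass=$5
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=$cn/emailAddress=$email" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
    openssl pkcs12 -export -name "$cn IMAP client" \
        -inkey "$dir/$name.key" -in "$dir/$name.pem" -certfile "$dir/ca.pem" \
        -passout "pass:$p12pass" -out "$dir/$name.p12"
}

# The check Dovecot's login process performs on a presented certificate:
# does it chain to ssl_ca_file? Prints "ok" when it does, nothing otherwise.
#   verify_client_cert CA_PEM CERT_PEM
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    fi
}

main() {
    dir=${1:-$(mktemp -d)}
    make_ca "$dir"
    issue_client_cert "$dir" alice "Alice Example" "alice@example.org" changeit
    echo "verify against CA: $(verify_client_cert "$dir/ca.pem" "$dir/alice.pem")"
    echo "import $dir/alice.p12 (passphrase: changeit) into the mail client;"
    echo "point ssl_ca_file at $dir/ca.pem (plus CRL) on the server."
}

main "$@"
```

Run as `sh issue-client-cert.sh [outdir]`. Thunderbird takes the .p12 under Certificate Manager, Your Certificates, Import. OpenSSL 3 writes the bundle with AES and PBKDF2; an importer from the Outlook Express era may only understand the older RC2/3DES encoding, which `openssl pkcs12 -export -legacy` produces. One caveat visible in the data posted above: the CRL appended to cacert_with_crl.pem has a nextUpdate of 2007-04-07 12:28:19 UTC, and OpenSSL treats a CRL past its nextUpdate as a verification error once CRL checking is on, so a CRL kept in ssl_ca_file has to be reissued before it lapses or every client certificate is rejected.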
On Thu, 8 Mar 2007, Timo Sirainen wrote:
>> Q2)
>> The next step, if dovecot blocks the client because
>> of the verify_client_cert, how to create certs for OE,
>> Evolution and Thunderbird?
>
> I don't think most clients support SSL client certificates at all,
> although I know some people are using them with some clients.. Maybe
> someone could add a list of the clients supporting them into wiki.

Er, a dummy question, I guess: Can you use client certs to login into Dovecot? Aka can I use the certs as "passdb"?

Bye,

Steffen Kaiser
> You'll also need to set ssl_require_client_cert=yes in auth section. I
> added that now to ssl_verify_client_cert's comments.

Confirmed: "Client didn't present valid SSL certificate"

Thanks for the swift response :)

>> Q2)
>> The next step, if dovecot blocks the client because
>> of the verify_client_cert, how to create certs for OE,
>> Evolution and Thunderbird?
>
> I don't think most clients support SSL client certificates at all,
> although I know some people are using them with some clients.. Maybe
> someone could add a list of the clients supporting them into wiki.

Comments are welcome while figuring it out. I'll reply with a few lines of howto when it works.
> Date: Thu, 08 Mar 2007 18:13:48 +0200
> From: Timo Sirainen <tss at iki.fi>
> Subject: Re: [Dovecot] 1.0rc26: ssl_verify_client=yes ?
>
> On Thu, 2007-03-08 at 16:40 +0100, Steffen Kaiser wrote:
>> On Thu, 8 Mar 2007, Timo Sirainen wrote:
>>>> Q2)
>>>> The next step, if dovecot blocks the client because
>>>> of the verify_client_cert, how to create certs for OE,
>>>> Evolution and Thunderbird?
>>>
>>> I don't think most clients support SSL client certificates at all,
>>> although I know some people are using them with some clients.. Maybe
>>> someone could add a list of the clients supporting them into wiki.
>>
>> Er, a dummy question, I guess:
>> Can you use client certs to login into Dovecot?
>> Aka can use the certs as "passdb"?
>
> Yes. It will still need some passdb, but you could use null password and
> ssl_username_from_cert=yes settings in which case it doesn't matter what
> user/password is used to log in.
>
> But it circumvents Dovecot's login/auth process security model, so I
> don't recommend it that much. Maybe some day I'll make login process
> forward the client cert to dovecot-auth which does the actual
> verification.

I have successfully tested ssl_username_from_cert and found no real problem, apart from the fact that the dovecot "username" takes the value of the certificate "CN" attribute, instead of the email attribute (in my case "Apostolos Papayanakis" instead of apap/ at /ccf.auth.gr). Everything else works as expected (e.g., further userdb lookups based on certificate CN).

Our University has issued a few thousand certificates with subjects such as "/C=GR/O=Aristotle University of Thessaloniki/OU=Network Operations Center/CN=Apostolos Papayanakis/emailAddress=apap/ at /ccf.auth.gr", that are used for administrative purposes. We would be very happy to use them as an alternative method of IMAP/POP3 authentication. However, certificate CNs are not unique (e.g. "John Smith") and we would like to avoid constantly patching dovecot to use the email (or other) attribute from the certificate.

I think replacing NID_commonName with NID_pkcs9_emailAddress (or NID_subject_key_identifier, or NID_subject_alt_name) in login-common/ssl-proxy-openssl.c, line 527, would suffice:

    (X509_NAME_get_text_by_NID(X509_get_subject_name(x509), NID_commonName, buf, sizeof(buf)) < 0)

Maybe I should post a complete patch if Timo is interested.

Apostolis
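An added example, not from this thread, from Dovecot or from the poster, that makes the CN-collision point above concrete with the openssl command line: two constructed self-signed certificates share the subject CN "John Smith" and differ only in emailAddress, and the script reads out the attribute Dovecot 1.0 uses as the login name (commonName, per the NID_commonName reference in the message) next to the one the poster proposes (emailAddress). The subject fields, names and addresses are made up; "Example University" stands in for the real issuer.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): what the subject CN
# gives as a login name versus the emailAddress attribute, on two constructed
# certificates that share a CN. Nothing here touches a Dovecot installation.
set -e

# Self-signed certificate with a given subject CN and emailAddress
# (constructed subject, modelled on the one quoted in the thread).
#   make_cert DIR NAME CN EMAIL
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=GR/O=Example University/OU=NOC/CN=$3/emailAddress=$4" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# One subject attribute by its OpenSSL long name (commonName, emailAddress,
# organizationName, ...). First occurrence only, so a multi-valued RDN does
# not produce two lines.
#   subject_attr CERT_PEM ATTRNAME
subject_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n "s/^ *$2 *= *//p" | head -n 1
}

# The value Dovecot 1.0 takes as the username with ssl_username_from_cert=yes:
# the subject commonName (NID_commonName in login-common/ssl-proxy-openssl.c,
# as the message above says).
dovecot_username() { subject_attr "$1" commonName; }

# The attribute the message proposes instead (NID_pkcs9_emailAddress).
proposed_username() { subject_attr "$1" emailAddress; }

main() {
    dir=$(mktemp -d)
    # Two different people, same CN: the collision the poster worries about.
    make_cert "$dir" a "John Smith" "john.smith@example.edu"
    make_cert "$dir" b "John Smith" "j.smith2@example.edu"
    for c in a b; do
        printf '%s.pem: CN-based login name "%s", emailAddress "%s"\n' \
            "$c" "$(dovecot_username "$dir/$c.pem")" \
            "$(proposed_username "$dir/$c.pem")"
    done
    if [ "$(dovecot_username "$dir/a.pem")" = "$(dovecot_username "$dir/b.pem")" ]; then
        echo "both certificates would log in as the same Dovecot user"
    fi
}

main
```

The sed pattern keys on OpenSSL's long attribute names as printed by `-nameopt multiline`, so the same helper reads any subject attribute one might map a username from. Whatever attribute is chosen, the verification against ssl_ca_file still has to pass first; the mapping only decides which field of an already-trusted certificate names the account, and a CA that lets two people hold the same value in that field hands them the same mailbox.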
On Fri, 9 Mar 2007, Apostolis Papagiannakis wrote:
> Maybe I should post a complete patch if Timo is interested.

Actually, I never thought in this direction, therefore, if it's working, how about you note down your "success story" in the Wiki? Along with your setup. ;-)

I wonder if I can use the certs of our OpenVPN framework ... .

Bye,

Steffen Kaiser