Hello,

I'm setting up Dovecot with client certificates and everything is
working fine as long as the client only has one certificate in his
store. If he has more than one, the wrong one might be sent to the server.

The root of the problem is that Dovecot does not send out a list of
valid CA names in the TLS handshake.

If I connect using openssl s_client I get:

"No client certificate CA names sent"

I am using Dovecot 1.0 RC15 from backports.org.

Is there a solution to this problem?

Regards,
Johnny
On Tue, 2007-04-03 at 09:47 +0200, Johnny Chadda wrote:
> Hello,
>
> I'm setting up Dovecot with client certificates and everything is
> working fine as long as the client only has one certificate in his
> store. If he has more than one, the wrong one might be sent to the server.
>
> The root of the problem is that Dovecot does not send out a list of
> valid CA names in the TLS handshake.
>
> If I connect using openssl s_client I get:
>
> "No client certificate CA names sent"

Well, I'm not that big of an OpenSSL guru, but googling shows that with
other software it's often a certificate configuration problem.

Did you set ssl_ca_file and does the file contain a valid CA and CRL?
Timo Sirainen wrote:
> Well, I'm not that big of an OpenSSL guru, but googling shows that with
> other software it's often a certificate configuration problem.
>
> Did you set ssl_ca_file and does the file contain a valid CA and CRL?

Yes, the certificates are OK. It works if I explicitly select which client
certificate to send to the server from the mail client. Normal users
shouldn't have to do this though. It should be selected based on which
accepted CA names the server sends.

It works fine in Cyrus (which I will use if this does not work) and Postfix.
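Added example (not from this thread, and not Dovecot's own code): a small POSIX shell check that parses the output of `openssl s_client` and reports whether the server advertised any client-certificate CA names in its CertificateRequest, which is exactly what the "No client certificate CA names sent" line above indicates is missing. The two sample outputs embedded in the script are constructed to mirror the two forms s_client prints (the "No client certificate CA names sent" line versus an "Acceptable client certificate CA names" section), and imap.example.org is a placeholder host. As background on why a correct CA file can still produce this symptom: an OpenSSL server only advertises the CA names its application explicitly sets (SSL_CTX_set_client_CA_list or SSL_load_client_CA_file); loading a CA into the verification store is enough to verify client certificates but does not by itself put any names into the handshake.

```shell
#!/bin/sh
# Added example: check whether an IMAP/TLS server advertises client-certificate
# CA names. Pipe `openssl s_client` output into check_ca_names, e.g.
#   openssl s_client -connect imap.example.org:993 </dev/null 2>/dev/null | check_ca_names
# (add `-starttls imap` when testing port 143). imap.example.org is a placeholder.

# Print the CA names listed in the "Acceptable client certificate CA names"
# section of s_client output, one per line; print nothing if none were sent.
extract_ca_names() {
    awk '
        /^No client certificate CA names sent/ { exit }
        /^Acceptable client certificate CA names/ { in_sec = 1; next }
        in_sec && /^---/ { in_sec = 0 }
        # DN lines contain "=" (old "/C=SE/O=..." or newer "C = SE, O = ..." style);
        # skip the "Client Certificate Types:" style labels newer s_client adds.
        in_sec && /=/ && !/^[A-Za-z ]+:/ { print }
    '
}

# Read s_client output on stdin. Exit 0 and print the names if the server
# sent a CA list, exit 1 if it did not (the situation described in the thread).
check_ca_names() {
    names=$(extract_ca_names)
    [ -n "$names" ] || return 1
    printf '%s\n' "$names"
}

# Constructed samples standing in for real s_client output.
SAMPLE_NO_NAMES='---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes'

SAMPLE_WITH_NAMES='---
Acceptable client certificate CA names
/C=SE/O=Example/CN=Example Client CA
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 2345 bytes and written 456 bytes'

# Demo over the constructed samples when run directly.
for sample in "$SAMPLE_NO_NAMES" "$SAMPLE_WITH_NAMES"; do
    if names=$(printf '%s\n' "$sample" | check_ca_names); then
        echo "CA names advertised:"
        echo "$names"
    else
        echo "no CA names advertised: a client holding several certificates cannot pick one automatically"
    fi
done
```

The check is deliberately client-side only: it tells you what a mail client will see, so it can be run against Dovecot, Cyrus or Postfix alike before deciding whether the server configuration or the client's certificate selection is the thing to fix.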