I would like to use client certificate verification/authentication. My MTA uses this function. I have a problem making a valid certificate. For my MTA I used:

openssl req -new -nodes -x509 -keyout user_key.pem -out user_req.pem -days 365
openssl ca -out user_signed.pem -infiles user_req.pem
openssl pkcs12 -in user_signed.pem -inkey user_key.pem -out user.p12 -export -name "user at hostname"

user.p12 matches in my MTA, not in Dovecot...
In my log I simply have:
dovecot: auth(default): Client didn't present valid SSL certificate

Also, in the documentation:
The username is taken from the subject's DN's CommonName <http://wiki.dovecot.org/CommonName> field (using OpenSSL's X509_NAME_get_text_by_NID() function).

But when I used
openssl req -new -nodes -keyout user_key.pem -out user_req.pem -days 365
my common name is my hostname, not my username. I don't think that the option -name "user at hostname" is it (in the openssl manpage, -name is the friendly name)...
Sorry, but it's ambiguous for me...
Timo Sirainen
2007-Jun-04 00:53 UTC
[Dovecot] Client certificate verification/authentication
On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
> Not in Dovecot...
> In my log, I've simply:
> dovecot: auth(default): Client didn't present valid SSL certificate

Set verbose_ssl=yes and it should log more. It should then log either "Invalid certificate" or "Valid certificate". If it logged neither, then your client didn't send a certificate at all.
Timo Sirainen wrote:
> On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
>
>> Not in Dovecot...
>> In my log, I've simply:
>> dovecot: auth(default): Client didn't present valid SSL certificate
>>
>
> Set verbose_ssl=yes and it should log more. It should then log either
> "Invalid certificate" or "Valid certificate". If it logged neither, then
> your client didn't send a certificate at all.
>

I've set this option. I've created a trusted signed certificate, set up the CA and created a CRL. I have put the CRL in the CA certificate with:
cat ca-crl.pem >> ca.crt.pem
Also my MUA uses the CRL with https://myhostname/crl.der
But I simply have this information in my log:
Client didn't present valid SSL certificate
Very hard to debug. When I turn off ssl_verify_client_cert and ssl_require_client_cert (but only ssl_require_client_cert posed a problem)...
I think that ssl_verify_client_cert is simply an X509 verify, but I'm not sure, I haven't read the source...
I'll try to compile Dovecot with no CRL usage to test it.
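The two things the thread circles around are the certificate's CN (which Dovecot uses as the login name) and a CA file that carries the CRL appended after the CA certificate. The script below is an added example, not code from the thread or from Dovecot: it builds a throwaway CA, issues a client certificate with CN set to the username, revokes a second one, and verifies both against such a CA+CRL bundle. It assumes a POSIX sh and openssl 1.1 or newer; the user names and the working directory are constructed.

```shell
# Added example (not from the thread): throwaway CA, client cert with CN=username,
# CRL, and a CA+CRL PEM bundle as the thread describes. Assumes POSIX sh + openssl 1.1+.
set -e; WORK=$(mktemp -d)
make_ca() {
  # One config serves 'req' (CA extensions) and 'ca' (state for -revoke/-gencrl).
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
EOF
  : > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
  openssl req -config "$WORK/ca.cnf" -x509 -new -nodes -newkey rsa:2048 -days 2 \
    -subj "/CN=Test Mail CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
issue_client() {
  # $1 = username. Dovecot reads the login from the CN, so it must be the user, not the host.
  openssl req -config "$WORK/ca.cnf" -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}
cert_cn() {  # the value X509_NAME_get_text_by_NID(NID_commonName) would return for $1
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^.*CN=//'
}
revoke_and_bundle() {  # revoke $1, reissue the CRL, rebuild the CA+CRL bundle
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca-bundle.pem"
}
verify_cert() {  # exit 0 only if the chain validates and $1 is not on the CRL
  openssl verify -crl_check -CAfile "$WORK/ca-bundle.pem" "$WORK/$1.crt" >/dev/null 2>&1
}
if [ "${1-}" = "--demo" ]; then  # run as: sh thisfile.sh --demo
  make_ca; issue_client alice; issue_client bob; revoke_and_bundle bob
  echo "alice logs in as $(cert_cn alice)"; verify_cert alice && echo "alice: valid"
  verify_cert bob || echo "bob: rejected (revoked)"
fi
```

Point Dovecot's ssl_ca at a file built like ca-bundle.pem; a certificate that fails verify_cert here is one Dovecot will also reject.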