zhong ming wu
2010-Feb-28 02:45 UTC
[Dovecot] client cert handling not working properly on centos 4.8
Dear List
I've successfully installed/configured dovecot 1.2.10 with "require
client cert" on centos 5.4 and ubuntu server 9.10
I also need to install on centos 4.8 and after following the exact
same procedure I can only get it working
if I comment out ssl_require_client_cert = yes and
ssl_username_from_cert = yes from the working config file.
This is even after compiling dovecot with openssl 0.9.8l on centos 4.8
If I copy the same "client_ca.crt" from centos 4.8 to centos 5.4 then
centos 5.4 has no problem verifying the client cert.
That file contains a CRL as well as the certificate which signs the pkcs12
file installed on the client.
The following log entries do not appear on centos 5.4
------------------
Feb 27 21:17:33 localhost dovecot: pop3-login: Invalid certificate:
unable to get certificate CRL: /C=US/ST=New York/L=Astoria/O=SnakeOil
Inc./OU=Email Administration/CN=web at example.com
Feb 27 21:17:33 localhost dovecot: pop3-login: Valid certificate:
/C=US/ST=NY/L=TEST/O=Internet Widgits Pty Ltd
-------------------
$ dovecot -n
# OS: Linux 2.6.9-89.0.20.EL i686 CentOS release 4.8 (Final) ext3
base_dir: /var/run/dovecot/
protocols: pop3
listen: 192.168.0.110
ssl_ca_file: /etc/pki/certs/dovecot/client_ca.crt
ssl_cert_file: /etc/pki/certs/vrane.com/pop.crt
ssl_key_file: /etc/pki/private/vrane.com/pop.key
ssl_parameters_regenerate: 29
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /var/run/dovecot//login
login_executable: /usr/libexec/dovecot/pop3-login
mail_location: maildir:/home/vmail/%d/%n
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
auth default:
user: squab
debug: yes
ssl_require_client_cert: yes
ssl_username_from_cert: yes
passdb:
driver: passwd-file
args: /etc/dovecot/shadow/%d
userdb:
driver: static
args: uid=2000 gid=2000 home=/home/vmail/%d/%n
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: postfix
group: postfix
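The "unable to get certificate CRL" failure above can be reproduced outside the daemon with plain openssl: once ssl_ca_file contains a CRL, Dovecot turns on OpenSSL's CRL checking for the whole chain, so every CA in the chain needs a CRL present in that bundle. This is an added example, not code from the thread or from Dovecot; the CA, client name and file names are constructed in a temp dir for the demo.

```bash
#!/usr/bin/env bash
# Added example: rebuild the CRL check Dovecot applies to client certs with
# plain openssl, so a "client_ca.crt" bundle can be tested on any host.
set -eu
WORK=$(mktemp -d)

# Throwaway self-signed CA and a client cert signed by it (constructed names)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Client CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=user@example.org" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -set_serial 1 -days 1 -out "$WORK/client.crt" 2>/dev/null

# Minimal "openssl ca" config: just enough to issue an (empty) CRL
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null

# Two candidate ssl_ca_file bundles: CA cert alone, and CA cert + its CRL
cat "$WORK/ca.crt" > "$WORK/bundle_nocrl.crt"
cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/bundle_crl.crt"

# Quick sanity check that can be run against the real ssl_ca_file
bundle_has_crl() { grep -q 'BEGIN X509 CRL' "$1"; }

# CRL checking over the whole chain: each CA in the chain must have a CRL
# in the bundle, or verification fails with "unable to get certificate CRL".
check_client_cert() {  # $1 = CA bundle, $2 = client cert; exit 0 if valid
  openssl verify -CAfile "$1" -crl_check_all "$2" >/dev/null 2>&1
}

# Demo run: the CRL-less bundle reproduces the log error, the other passes
check_client_cert "$WORK/bundle_nocrl.crt" "$WORK/client.crt" || echo "without CRL:" \
  "$(openssl verify -CAfile "$WORK/bundle_nocrl.crt" -crl_check_all "$WORK/client.crt" 2>&1 | grep -m1 error)"
check_client_cert "$WORK/bundle_crl.crt" "$WORK/client.crt" && echo "with CRL: OK"
```

Point check_client_cert at the real client_ca.crt and an exported client certificate to see whether the bundle, rather than the Dovecot build, is what differs between the two hosts.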