How do I configure dovecot-2.0.x to present a client SSL certificate when proxying?

If dovecot on server1.example.com has:

passdb {
  driver = static
  args = proxy=y host=server2.example.com nopassword=y ssl=yes
}

and dovecot on server2.example.com has:

ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes

then when a client connects to server1 and authenticates, a connection is established to server2 but the SSL handshake fails because server1 doesn't present a client certificate. I don't see where ssl_client_ctx is tied to a client certificate in ssl-proxy-openssl.c.

Thanks.
On 23.12.2011, at 1.10, Mike Abbott wrote:

> How do I configure dovecot-2.0.x to present a client SSL certificate when proxying?

Set ssl_client_cert and ssl_client_key settings in dovecot.conf. Requires hg version, since these were added after v2.0.16.

> If dovecot on server1.example.com has:
> passdb {
>   driver = static
>   args = proxy=y host=server2.example.com nopassword=y ssl=yes
> }
>
> and dovecot on server2.example.com has:
> ssl_verify_client_cert = yes
> auth_ssl_require_client_cert = yes
>
> then when a client connects to server1 and authenticates, a connection is established to server2 but the SSL handshake fails because server1 doesn't present a client certificate. I don't see where ssl_client_ctx is tied to a client certificate in ssl-proxy-openssl.c.

If you want some kind of automatic client certificate forwarding, I don't think that's possible even in theory since the private key is needed.
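Added example, not from the thread or from Dovecot itself: a POSIX shell script that checks, before the ssl_client_cert / ssl_client_key settings named in the reply go into dovecot.conf on server1, that the certificate and key belong together, that the certificate is marked for TLS client authentication, and that it chains to the CA server2 trusts. The openssl command-line tool, the file paths and the throwaway self-signed test certificate are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project: sanity-check the
# client certificate/key pair that the proxying Dovecot (server1) will present
# to server2 via ssl_client_cert / ssl_client_key, before editing dovecot.conf.
# Assumes the openssl command-line tool is installed.

# 0 if CERT and KEY carry the same public key, 1 otherwise.
check_client_cert_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT is usable for TLS client authentication (what server2 checks
# when auth_ssl_require_client_cert = yes), 1 otherwise.
check_client_cert_purpose() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL client : Yes'
}

# 0 if CERT chains to CA_FILE (the CA server2 lists in ssl_ca), 1 otherwise.
check_client_cert_trust() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the server1 (proxy) side of dovecot.conf for the verified files.
print_proxy_config() {
    cat <<EOF
ssl_client_cert = <$1
ssl_client_key = <$2
passdb {
  driver = static
  args = proxy=y host=server2.example.com nopassword=y ssl=yes
}
EOF
}

# Constructed test input: a throwaway self-signed client cert in DIR
# (placeholder for a cert actually issued by server2's CA).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=server1.example.com" -addext "extendedKeyUsage=clientAuth" \
        -keyout "$1/client.key" -out "$1/client.pem" >/dev/null 2>&1
}

# Usage: sh check-proxy-cert.sh CERT KEY CA_FILE
if [ $# -eq 3 ]; then
    check_client_cert_pair "$1" "$2" && check_client_cert_purpose "$1" &&
        check_client_cert_trust "$1" "$3" && print_proxy_config "$1" "$2"
fi
```

A mismatched key or a certificate without the client-authentication purpose makes the script exit non-zero before printing any configuration, which is the same failure server2 would otherwise report only as a broken handshake.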