Daniel Dickinson
2014-Oct-11 06:14 UTC
[BUG] Dovecot 2.2.9 SSL client cert verification fails: openssl verify: OK
Greetings all,

I have verified a bug that has long been attributed to lack of knowledge on the part of the user. Dovecot rejects StartSSL client certificates because it rejects the StartSSL root CA when doing client verification, even though the appropriately constructed ca-bundle.pem has been created and applied via ssl_ca = </etc/dovecot/ca-bundle.pem.

    openssl verify -CAfile ca-bundle.pem -crl_check_all -policy_check -x509_strict -verbose client-cert.pem

returns:

    client-cert.pem: OK

However dovecot reports the following:

    Oct 11 01:41:17 hostname dovecot: imap-login: Invalid certificate: unable to get local issuer certificate: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    Oct 11 01:41:17 hostname dovecot: imap-login: Invalid certificate: certificate not trusted: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    Oct 11 01:41:17 hostname dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    Oct 11 01:41:17 hostname dovecot: imap-login: Valid certificate: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA

It also reports the client certificate as valid.

The certificate bundle was created as follows:

    openssl x509 -in sub.class1.client.pem -subject -issuer >ca-bundle.pem
    cat class1-client-crl.pem >>ca-bundle.pem
    openssl x509 -in startcom-root-ca.pem -subject -issuer >>ca-bundle.pem
    cat startcom-root-ca-crl.pem >>ca-bundle.pem

Furthermore exim, Thunderbird, and Firefox are all perfectly happy with the certificates (and exim has no problem verifying the client certificates). Further, there are many more messages from dovecot users reporting issues with StartCom client certificates after following all the steps than from Cyrus or Courier users.

Oh, and client verification of the server-side certificate works fine with the server-side certificate bundle (cat server.pem startcom-intermediate.pem startcom-root-ca.pem >dovecot.pem).

Relevant dovecot -n output included below:

    auth_debug = yes
    auth_mechanisms = plain login digest-md5 cram-md5 otp
    auth_ssl_require_client_cert = yes
    auth_verbose = yes
    ssl = required
    ssl_ca = </etc/dovecot/ca-bundle.pem
    ssl_cert = </etc/dovecot/dovecot.pem
    ssl_key = </etc/dovecot/private/dovecot.pem
    ssl_verify_client_cert = yes
    verbose_ssl = yes

OS is Debian Wheezy with latest updates and dovecot 2.2.9 from backports (installed just today in hopes it had been fixed; the same error occurs with Wheezy's dovecot 2.1.7). amd64 architecture.

Please CC me as I am not subscribed to the list.

Regards,
Daniel
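Added example, not from the original post or from the Dovecot project: a POSIX shell script that inventories a ca-bundle.pem built the way described above (CA certificates and their CRLs concatenated into one file) and checks that each CRL's issuer certificate is present in the same file, since a CRL whose issuer certificate is absent from the store is one condition OpenSSL reports as "unable to get certificate CRL". It assumes the openssl CLI is installed and takes the bundle path as its argument; the function names pem_count, pem_split and bundle_check are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): inventory a Dovecot ssl_ca
# bundle (CA certificates plus CRLs) and confirm every CRL's issuer
# certificate is present in the same file. Assumes the openssl CLI.

# Number of PEM blocks of type $2 ("CERTIFICATE" or "X509 CRL") in file $1.
pem_count() {
    awk -v t="-----BEGIN $2-----" '$0 == t { n++ } END { print n + 0 }' "$1"
}

# Write each PEM block of bundle $1 to $2/blockN.pem. Text outside the
# BEGIN/END lines (e.g. the subject=/issuer= lines from openssl x509
# -subject -issuer) is dropped, as OpenSSL's PEM reader ignores it too.
pem_split() {
    awk -v d="$2" '
        /^-----BEGIN / { n++; inb = 1; f = d "/block" n ".pem" }
        inb            { print > f }
        /^-----END /   { inb = 0; close(f) }' "$1"
}

# Print "cert <subject>" or "crl <issuer>" per block; return 1 if some CRL
# has no certificate in the bundle whose subject matches its issuer.
bundle_check() {
    dir=$(mktemp -d) || return 1
    pem_split "$1" "$dir"
    status=0
    for f in "$dir"/block*.pem; do
        if grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
            echo "cert $(openssl x509 -in "$f" -noout -subject)"
            continue
        fi
        issuer=$(openssl crl -in "$f" -noout -issuer)
        echo "crl $issuer"
        found=0
        for c in "$dir"/block*.pem; do
            grep -q '^-----BEGIN CERTIFICATE-----' "$c" || continue
            # openssl prints "subject=..."; swap the prefix to compare with "issuer=..."
            subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=/issuer=/')
            [ "$subj" = "$issuer" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "  no issuer certificate for this CRL in the bundle" >&2
            status=1
        fi
    done
    rm -rf "$dir"
    return "$status"
}
# Usage: sh bundle_check.sh /etc/dovecot/ca-bundle.pem
if [ -n "${1:-}" ]; then
    bundle_check "$1"
fi
```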