dovecot - Sep 2015 - Dovecot proxy ignores trusted root certificate store

The result is the same with or without "<" before the file path. 
With "<"
the inode atime is updated at Dovecot startup, so the file is at least 
opened, but Dovecot still can't verify the cert.

The only place in the Wiki that shows an example of ssl_client_ca_file is 
on this page, and there's no "<" in front of the file path:

http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so 
you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)



On Mon, 21 Sep 2015, Christian Kivalo wrote:
> Hi
>
>> I've pointed ssl_client_ca_file to my root certificate store, but I
>> suspect ssl_client_ca_file is only used in imapc context.  It seems to
>> be ignored in proxy context.
>> 
>> doveconf -n ssl_client_ca_file:
>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> You are missing the "<" before the file path
>
> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>
> Regards
> Christian
>

On 2015-09-21 09:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file
path.  With
> "<" the inode atime is updated at Dovecot startup, so the file
is at
> least opened, but Dovecot still can't verify the cert.
> 
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file
path:
> 
> http://wiki2.dovecot.org/Replication
> 
> (quote)
> The client must be able to verify that the SSL certificate is valid,
> so you need to specify the directory containing valid SSL CA roots:
> 
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)
For replication only settings? I can only guess as i currently don't use 
proxy nor replication.

Haven't found much about proxying and ssl but found a configuration 
parameter ssl_ca = </path/to/file maybe that works...

http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client 
certificate verification/authentication
> 
> On Mon, 21 Sep 2015, Christian Kivalo wrote:
> 
>> Hi
>> 
>>> I've pointed ssl_client_ca_file to my root certificate store,
but I
>>> suspect ssl_client_ca_file is only used in imapc context.  It seems
>>> to
>>> be ignored in proxy context.
>>> 
>>> doveconf -n ssl_client_ca_file:
>>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>> 
>> You are missing the "<" before the file path
>> 
>> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>> 
>> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>> 
>> Regards
>> Christian
>> 
- Christian

On 21/09/15 17:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file
path.  With
> "<" the inode atime is updated at Dovecot startup, so the file
is at
> least opened, but Dovecot still can't verify the cert.
> 
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file
path:
> 
> http://wiki2.dovecot.org/Replication
> 
> (quote)
> The client must be able to verify that the SSL certificate is valid, so
> you need to specify the directory containing valid SSL CA roots:
> 
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)
> 
Suggesting that on Redhat you should specify "the directory containing
valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
Sounds like setting a file instead.  So that bit of documentation should
be treated as rather suspect.

Regards,
Andrew

On Mon, 21 Sep 2015, Christian Kivalo wrote:
> Haven't found much about proxying and ssl but found a configuration
parameter
> ssl_ca = </path/to/file maybe that works...
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client
certificate
> verification/authentication
ssl_ca serves a different purpose, it's for setting your certificate 
authority in order to verify client certs you've issued.

Setting "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" does
work to
verify the proxy backend cert, at least the current Dovecot release, but 
it's a hack.  It's misusing this setting for a different purpose than 
documented.  I can't rely on this "solution" as it could break in
a future
Dovecot release.

The correct setting to use is ssl_client_ca_file.  It's just not being 
applied in proxy mode.

The patchset that implemented ssl_client_ca_file is here:

http://www.dovecot.org/list/dovecot-cvs/2013-April/023089.html

Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set 
the CAfile path, as it should, but apparently only when it's talking to an 
imapc storage backend, not when it's acting as a simple proxy.

See http://dovecot.org/pipermail/dovecot/2013-June/090884.html

On Mon, 21 Sep 2015, Andrew McN wrote:
>> http://wiki2.dovecot.org/Replication
>>
>> (quote)
>> The client must be able to verify that the SSL certificate is valid, so
>> you need to specify the directory containing valid SSL CA roots:
>>
>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
>> (end quote)
>>
>
> Suggesting that on Redhat you should specify "the directory containing
> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
> Sounds like setting a file instead.  So that bit of documentation should
> be treated as rather suspect.
>
> Regards,
> Andrew
In some environments, root certs are stored in a hashed directory, in 
other environments they're stored in one file.  One would typically use 
one setting or the other.

I think ssl_client_ca_file was implemented later than ssl_client_ca_dir. 
The comment just needs to be updated.