On Mon, 21 Sep 2015, Edgar Pettijohn wrote:

> doveconf -n?

doveconf -n|grep ssl should suffice:

ssl = required
ssl_ca = </usr/local/share/certs/ca-root-nss.crt
ssl_cert = </path/to/my/file.pem
ssl_key = </path/to/my/file.pem
ssl_require_crl = no

I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix.

ssl_client_ca_file should be used instead, but it has no effect in proxy mode:

ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

This doesn't work either (and the Dovecot Wiki shows it used without "<"):

ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt

And "ssl_require_crl = no" to silence "unable to get certificate CRL" log messages. I don't need it to check CRLs on the backend's certificate chain.
Edgar Pettijohn
2015-Sep-22 01:42 UTC
Dovecot proxy ignores trusted root certificate store
On 09/21/2015 05:11 PM, Alex Bulan wrote:
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>
>> doveconf -n?
>
> doveconf -n|grep ssl should suffice:
>
> ssl = required

Shouldn't it be:

ssl = yes

I was only aware of the choice of yes or no here, but I could be wrong.

> ssl_ca = </usr/local/share/certs/ca-root-nss.crt
> ssl_cert = </path/to/my/file.pem
> ssl_key = </path/to/my/file.pem
> ssl_require_crl = no
>
> I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a
> temporary workaround, even though this is not what ssl_ca is for. It
> happens to work, at least for now, but this is not a fix.
>
> ssl_client_ca_file should be used instead, but it has no effect in
> proxy mode:
>
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> This doesn't work either (and the Dovecot Wiki shows it used without
> "<"):
>
> ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> And "ssl_require_crl = no" to silence "unable to get certificate CRL"
> log messages. I don't need it to check CRLs on the backend's
> certificate chain.
On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>> ssl = required
>
> Shouldn't it be:
>
> ssl = yes
>
> I was only aware of the choice of yes or no here, but I could be wrong.

See http://wiki2.dovecot.org/SSL/DovecotConfiguration
On 22 Sep 2015, at 01:11, Alex Bulan <avb at korax.net> wrote:
>
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>
>> doveconf -n?
>
> doveconf -n|grep ssl should suffice:
>
> ssl = required
> ssl_ca = </usr/local/share/certs/ca-root-nss.crt
> ssl_cert = </path/to/my/file.pem
> ssl_key = </path/to/my/file.pem
> ssl_require_crl = no
>
> I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix.
>
> ssl_client_ca_file should be used instead, but it has no effect in proxy mode:

Yeah. The ssl_client_ca_file was implemented later than the SSL proxying code. I think this may be something that needs to wait for v2.3 to get fixed. v2.3 hopefully removes the duplicated ssl code and uses lib-ssl-iostream for proxying also, which makes this easier to implement.
On Tue, 22 Sep 2015, Timo Sirainen wrote:
> Yeah. The ssl_client_ca_file was implemented later than the SSL proxying
> code. I think this may be something that needs to wait for v2.3 to get
> fixed. v2.3 hopefully removes the duplicated ssl code and uses
> lib-ssl-iostream for proxying also, which makes this easier to
> implement.

Thanks, Timo. I'll use the ssl_ca workaround for now.
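The thread leans on two things the proxy does with a backend certificate: verify its chain against whatever CA bundle it is handed (here ssl_ca, as a stand-in for ssl_client_ca_file), and attempt a CRL lookup that fails with "unable to get certificate CRL" when no CRL is available, which is what ssl_require_crl = no suppresses. The script below is an added example, not code from the thread or from Dovecot; it reproduces both checks with the plain openssl CLI against a throwaway CA, a backend certificate it signs, and an unrelated CA. The subject names and the imap-backend.example host are made up. Point verify_chain at the real bundle (such as /usr/local/share/certs/ca-root-nss.crt) and the backend's certificate to confirm the bundle actually contains the backend's issuer before relying on the workaround.

```shell
#!/bin/sh
# Added example, not from the Dovecot thread or project: reproduce with the
# openssl CLI the two checks a proxy performs on a backend certificate, so the
# CA bundle given to ssl_ca (or to ssl_client_ca_file once it works in proxy
# mode) can be tested before the proxy depends on it. All keys and certificates
# are generated into a temporary directory; subjects and host names are made up.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA, a backend certificate signed by it, and an unrelated root
# that stands in for a trust store which does not contain the backend's issuer.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Lab Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imap-backend.example" \
    -keyout "$WORK/backend.key" -out "$WORK/backend.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 2 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/backend.csr" -out "$WORK/backend.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# Chain verification against a CA bundle: the check the proxy performs with the
# trust store it is given. Exit status 0 means the certificate chains to the bundle.
verify_chain() { # $1 = CA bundle, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The same verification with CRL checking demanded but no CRL supplied. This is
# the condition behind the "unable to get certificate CRL" message that
# ssl_require_crl = no silences; the function echoes that error text if it occurs.
crl_check_error() { # $1 = CA bundle, $2 = certificate to check
  openssl verify -crl_check -CAfile "$1" "$2" 2>&1 \
    | grep -o 'unable to get certificate CRL' | head -n 1
}

make_pki || { echo "could not generate test certificates" >&2; exit 1; }

if verify_chain "$WORK/ca.pem" "$WORK/backend.pem"; then
  echo "correct bundle: backend certificate verifies"
fi
if ! verify_chain "$WORK/other.pem" "$WORK/backend.pem"; then
  echo "wrong bundle: backend certificate rejected"
fi
echo "with -crl_check and no CRL: $(crl_check_error "$WORK/ca.pem" "$WORK/backend.pem")"
```

The second verify_chain call is the case that matters operationally: a bundle that does not contain the backend's issuer must make the check fail, otherwise the proxy is not actually authenticating the backend. Disabling the CRL requirement, as the thread does, only affects revocation checking; it does not weaken the chain check itself.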